
Preparedstatement principle of preventing SQL injection

2022-06-25 03:46:00 Stupid in the food

1. What are PreparedStatement and Statement for?

Both are JDBC interfaces for sending a SQL statement to the database and returning its result. Statement sends the complete SQL text as one string on every execution. PreparedStatement sends the statement once with ? placeholders; the database compiles it and returns an identifier for the compiled statement, and later executions send only the parameter values.

2. What are the advantages of PreparedStatement?

		1.  It effectively prevents SQL injection.
		2.  It is precompiled, so it executes faster than Statement (compiled once, executed many times).
		3.  Parameter setting is more readable than string concatenation.

3. What is SQL injection?

SQL injection is when a user enters a malicious SQL fragment in a front-end form and tricks the server into executing it as part of its own query, leaking (or altering) the database. For example:

select * from user where name = '${name}'

If the value passed in for name is Zhang San' or 1='1, the statement becomes select * from user where name = 'Zhang San' or 1='1', and the user gets every row without knowing any name.

4. How does PreparedStatement prevent SQL injection?

A PreparedStatement is sent to the database with ? placeholders in place of the values, and the values are bound separately (setString, setInt and so on). The SQL parser therefore only ever sees the fixed statement text: a bound value is data, never part of the statement, so a quote inside it cannot close the string literal and start a new condition. Drivers that emulate prepared statements on the client (MySQL Connector/J does this unless useServerPrepStmts=true) reach the same result by walking through every character of the parameter and escaping newlines, quotes, backslashes and similar special characters before splicing the value into the text. Either way the injection above fails:
Before escaping: select * from user where name = 'Zhang San' or 1='1';
After escaping: select * from user where name = 'Zhang San\' or 1 = \'1';
After escaping, the query obviously returns nothing, unless there really is an oddball user named "Zhang San' or 1='1". Note that this protection covers bound values only: a table name, a column name or an ORDER BY direction cannot be a parameter, and splicing those into the statement text from user input is still injectable.
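The injection from section 3 and the parameter binding from section 4, as an added example that is not part of the original post. It uses Python's built-in sqlite3 module rather than JDBC, because the mechanism (a fixed statement with ? placeholders, values bound separately) is the same as PreparedStatement's and it runs without a database server. The table, the rows and the payload are constructed for the example; the payload is the page's one with the comparison written as '1'='1', because SQLite, unlike MySQL, does not treat 1='1' as true.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
USERS = [("Zhang San", "hunter2"), ("Li Si", "s3cret"), ("Wang Wu", "passw0rd")]

# The page's payload, with the comparison quoted on both sides so that SQLite
# evaluates it as true (MySQL also accepts 1='1' via implicit conversion).
PAYLOAD = "Zhang San' or '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory database with a `user` table and the sample rows above.
    executemany() is the 'compile once, execute many times' pattern:
    one parameterised INSERT, three sets of bound values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (name, password) VALUES (?, ?)", USERS)
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable, like the page's select * from user where name = '${name}':
    the value is spliced into the SQL text, so the parser treats the quote in
    the payload as the end of the string literal and the rest as SQL."""
    sql = f"SELECT name FROM user WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised, the PreparedStatement approach: the statement text is
    fixed with a ? placeholder and the value is bound separately, so it is
    never parsed as SQL; a quote inside it is just a character."""
    sql = "SELECT name FROM user WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def escape_value(value: str) -> str:
    """Client-side escaping, the mechanism the page describes for drivers that
    emulate prepared statements: neutralise the quote character. Standard SQL
    doubles it; MySQL drivers use a backslash (\\') instead."""
    return value.replace("'", "''")


def find_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Splicing after escaping: works for string values, but binding (above)
    is preferred because it cannot be forgotten for one parameter."""
    sql = f"SELECT name FROM user WHERE name = '{escape_value(name)}'"
    return [row[0] for row in conn.execute(sql)]


def demo() -> dict:
    """Run the three lookups with the payload and one honest lookup."""
    conn = make_db()
    return {
        "unsafe": find_by_name_unsafe(conn, PAYLOAD),    # every row leaks
        "safe": find_by_name_safe(conn, PAYLOAD),        # no such name: []
        "escaped": find_by_name_escaped(conn, PAYLOAD),  # no such name: []
        "honest": find_by_name_safe(conn, "Zhang San"),  # ['Zhang San']
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:8s} -> {rows}")
```

Running the script shows the concatenated query returning all three names for the payload, while the bound and the escaped versions return nothing, and a genuine lookup of "Zhang San" still works. The same four calls map directly onto Statement.executeQuery(concatenatedSql) versus PreparedStatement.setString(1, name) in JDBC.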

Reference: the principle of preventing SQL injection


Copyright notice
This article was written by [Stupid in the food]; when reposting, please include a link to the original. Thank you.
https://yzsam.com/2022/02/202202210539053501.html
