SQL injection attack
2022-07-23 21:41:00 【Soup key】
Catalog
The principle of SQL injection attack
Solution to SQL injection attack
What is SQL injection attack
- It is an attack on the system carried out through SQL statements: user input is spliced into the query text and executed as part of it
Attack Demo
- For example, when the password is entered, a SQL statement is used to validate it
- Such as:
    select * from user where loginname='zhangsan' and password='123456'
- This statement requires the account to be zhangsan and the password to be 123456 for the login to succeed
- But if you enter any account and enter the password bbb' or '1'='1
- The statement passed in becomes
    select * from user where loginname='aaa' and password='bbb' or '1'='1'
- The condition is now always true, so the login succeeds
- This is SQL injection attack
The principle of SQL injection attack
- Normally, everything we type into the password field should be treated as the password itself
- But when the Statement object executes the SQL statement, part of the password is executed as a query condition; once that condition is satisfied, the data can still be queried
Solution to SQL injection attack
- Use the PreparedStatement precompiled executor object
- Before executing the SQL statement, it precompiles the SQL statement
- Once the format of the SQL statement is fixed, it does not change
- Everything else is treated as parameters
- Parameters in the SQL statement use ? as a placeholder
- Method for assigning values to the ? placeholders
- setXxx(parameter 1, parameter 2);
- Xxx represents the data type
- Parameter 1: position number of the ? (numbered from 1)
- Parameter 2: actual value for the ?
- Such as:
    String sql = "SELECT * FROM user WHERE loginname=? AND password=?";
    pstm = con.prepareStatement(sql);
    pstm.setString(1, "Zhang San");
    pstm.setString(2, "123456");
Executing the SQL statement
    // Define the SQL statement
    String sql = "SELECT * FROM user WHERE loginname=? AND password=?";
    // Get the operation object, execute the SQL statement and get the result set
    PreparedStatement st = con.prepareStatement(sql);
    st.setString(1, "Zhang San");
    st.setString(2, "123456");
    ResultSet rs = st.executeQuery();
    // Read the result set
    if (rs.next()) {
        ....... encapsulate
    }
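The demo and the solution above, as an added example that is not part of the original post: Python's sqlite3 module stands in for JDBC, since it uses the same `?` placeholder convention, and an in-memory `user` table with a constructed row plays the role of the database. `login_vulnerable` splices the input into the query text the way a Statement does; `login_prepared` binds the values the way PreparedStatement does.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's user table, with one sample account.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (loginname TEXT, password TEXT)")
    con.execute("INSERT INTO user VALUES ('zhangsan', '123456')")
    con.commit()
    return con


def login_vulnerable(con, loginname, password):
    # Same pattern as building the SQL by concatenation and running it through
    # java.sql.Statement: the input becomes part of the query text, so a
    # password such as bbb' or '1'='1 adds a condition that is always true.
    sql = ("SELECT * FROM user WHERE loginname='" + loginname
           + "' AND password='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_prepared(con, loginname, password):
    # Same pattern as PreparedStatement with ? placeholders (setString(1, ...),
    # setString(2, ...)): the query shape is fixed before the values are bound,
    # so the values are only ever compared as data, never parsed as SQL.
    sql = "SELECT * FROM user WHERE loginname=? AND password=?"
    return con.execute(sql, (loginname, password)).fetchone() is not None


if __name__ == "__main__":
    con = make_db()
    injected = "bbb' or '1'='1"
    print("vulnerable, correct credentials:", login_vulnerable(con, "zhangsan", "123456"))
    print("vulnerable, injected password:  ", login_vulnerable(con, "aaa", injected))
    print("prepared, correct credentials:  ", login_prepared(con, "zhangsan", "123456"))
    print("prepared, injected password:    ", login_prepared(con, "aaa", injected))
```

With the correct credentials both versions accept the login; with the injected password only the concatenated version does.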