Why is the java jdbc question mark placeholder anti-injection?
本篇文章给大家带来的内容是介绍为什么java jdbc问号占位符可以防注入?有一定的参考价值,有需要的朋友可以参考一下,希望对你们有所帮助。
最近几天探讨一下关于sql注入的问题,以前林老师也讲过,现在总结一下:
其实,like是会注入的,也不建议用,用占位符实际查询效果不是like本身的意思,相当全匹配。
建议使用instr()函数,本文主要记录一下处理防止注入的源码,为什么用?可以防注入,而拼接的sql可以注入。
先看下面用占位符来查询的一句话
String sql = "select * from administrator where adminname=?"; psm = con.prepareStatement(sql);
String s_name ="zhangsan' or '1'='1"; psm.setString(1, s_name);
假设数据库表中并没有zhangsan这个用户名,用plsql运行sql语句,可以查出来所有的用户名,但是在Java中并没有查出任何数据,这是为什么呢?
首先,setString()的源码中只有方法名字,并没有任何过程性处理。
那么答案肯定出现在Java到数据库这个过程中,也就是mysql和oracle驱动包中,在mysql驱动包中,PreparedStatement继承并实现了jdk中的setString方法,翻看一下源码,主要是做了转义处理。
也就是原因在于数据库厂商帮你解决了这个问题,下面就看看这个方法的具体实现:
public void setString(int parameterIndex, String x)
throws SQLException {
if(x == null) {
setNull(parameterIndex, 1);
} else {
checkClosed();
int stringLength = x.length();
if(connection.isNoBackslashEscapesSet()) {
boolean needsHexEscape = isEscapeNeededForString(x, stringLength);
if(!needsHexEscape) {
byte parameterAsBytes[] = null;
StringBuffer quotedString = new StringBuffer(x.length() + 2);
quotedString.append('\'');
quotedString.append(x);
quotedString.append('\'');
if(!isLoadDataQuery)
parameterAsBytes = StringUtils.getBytes(quotedString.toString(), charConverter, charEncoding, connection.getServerCharacterEncoding(), connection.parserKnowsUnicode());
else
parameterAsBytes = quotedString.toString().getBytes();
setInternal(parameterIndex, parameterAsBytes);
} else {
byte parameterAsBytes[] = null;
if(!isLoadDataQuery)
parameterAsBytes = StringUtils.getBytes(x, charConverter, charEncoding, connection.getServerCharacterEncoding(), connection.parserKnowsUnicode());
else
parameterAsBytes = x.getBytes();
setBytes(parameterIndex, parameterAsBytes);
}
return;
}
String parameterAsString = x;
boolean needsQuoted = true;
if(isLoadDataQuery || isEscapeNeededForString(x, stringLength)) {
needsQuoted = false;
StringBuffer buf = new StringBuffer((int)((double) x.length() * 1.1000000000000001 D));
buf.append('\'');
for(int i = 0; i < stringLength; i++) {
char c = x.charAt(i);
switch(c) {
case 0: // '\0'
buf.append('\\');
buf.append('0');
break;
case 10: // '\n'
buf.append('\\');
buf.append('n');
break;
case 13: // '\r'
buf.append('\\');
buf.append('r');
break;
case 92: // '\\'
buf.append('\\');
buf.append('\\');
break;
case 39: // '\''
buf.append('\\');
buf.append('\'');
break;
case 34: // '"'
if(usingAnsiMode)
buf.append('\\');
buf.append('"');
break;
case 26: // '\032'
buf.append('\\');
buf.append('Z');
break;
default:
buf.append(c);
break;
}
}
buf.append('\'');
parameterAsString = buf.toString();
}
byte parameterAsBytes[] = null;
if(!isLoadDataQuery) {
if(needsQuoted)
parameterAsBytes = StringUtils.getBytesWrapped(parameterAsString, '\'', '\'', charConverter, charEncoding, connection.getServerCharacterEncoding(), connection.parserKnowsUnicode());
else
parameterAsBytes = StringUtils.getBytes(parameterAsString, charConverter, charEncoding, connection.getServerCharacterEncoding(), connection.parserKnowsUnicode());
} else {
parameterAsBytes = parameterAsString.getBytes();
}
setInternal(parameterIndex, parameterAsBytes);
parameterTypes[(parameterIndex - 1) + getParameterIndexOffset()] = 12;
}
}总结:以上就是本篇文的全部内容,希望能对大家的学习有所帮助。更多相关教程请访问Java视频教程,java开发图文教程,bootstrap视频教程!
The above is the detailed content of Why is the java jdbc question mark placeholder anti-injection?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
After Java8 (291), TLS1.1 is disabled and JDBC cannot connect to SqlServer2008 using SSL. How to solve the problem?
May 16, 2023 pm 11:55 PM
After Java8-291, TLS1.1 is disabled, so that JDBC cannot connect to SqlServer2008 using SSL. What should I do? The following is the solution to modify the java.security file 1. Find the java.security file of jre. If it is jre, go to {JAVA_HOME}/jre/ In lib/security, for example????C:\ProgramFiles\Java\jre1.8.0_301\lib\security. If it is the Eclipse green installation-free portable version, search for java.security in the installation folder, such as????xxx\plugins \org
How to implement JDBC batch insert in Java
May 18, 2023 am 10:02 AM
1. Explain that in JDBC, the executeBatch method can execute multiple dml statements in batches, and the efficiency is much higher than executing executeUpdate individually. What is the principle? How to implement batch execution in mysql and oracle? This article will introduce to you the principle behind this. 2. Experiment introduction This experiment will be carried out through the following three steps: a. Record the time consuming of jdbc batch execution and single execution in mysql; b. Record the time consuming of jdbc batch execution and single execution in oracle; c. Record the batch execution and single execution of oracleplsql. The execution time-consuming related java and database versions are as follows: Java17, Mysql8, Oracle
How to analyze JDBC programming in MySQL
May 30, 2023 pm 10:19 PM
1. Prerequisites for database programming Programming languages, such as Java, C, C++, Python and other databases, such as Oracle, MySQL, SQLServer and other database driver packages: Different databases provide different database driver packages corresponding to different programming languages. For example: MySQL provides the Java driver package mysql-connector-java, which is required to operate MySQL based on Java. Similarly, to operate Oracle database based on Java, Oracle's database driver package ojdbc is required. 2. Java database programming: JDBCJDBC, JavaDatabaseConnectiv
Java Errors: JDBC Errors, How to Solve and Avoid
Jun 24, 2023 pm 02:40 PM
With the widespread application of Java, JDBC errors often occur when Java programs connect to databases. JDBC (JavaDatabaseConnectivity) is a programming interface in Java used to connect to a database. Therefore, a JDBC error is an error encountered when a Java program interacts with a database. Here are some of the most common JDBC errors and how to solve and avoid them. ClassNotFoundException This is the most common JDBC
Common problems encountered in Java using JDBC API to connect to MySQL database
Jun 10, 2023 am 09:55 AM
In recent years, the application of Java language has become more and more widespread, and JDBCAPI is a creative method for Java applications to interact with databases. JDBC is based on an open database connection standard called ODBC, which enables Java applications to connect to any database. management system (DBMS). Among them, MySQL is a popular database management system. However, developers will also encounter some common problems when connecting to MySQL databases. This article aims to introduce the JDBCAPI connection M
The bastion of functions: A deep dive into the bastion of PHP function security
Mar 02, 2024 pm 09:28 PM
PHP functions are powerful tools that can be used to perform a variety of tasks. However, without proper security measures, they can also become attack vectors. This article delves into the importance of PHP function security and provides best practices to ensure your code is safe from attacks. Function Injection Attack Function injection is an attack technique in which an attacker hijacks program flow by injecting malicious code into function calls. This could allow an attacker to execute arbitrary code, steal sensitive data, or completely compromise the application. Demo code: //Vulnerability code functiongreet($name){return "Hello,$name!";}//Inject malicious code $name="Bob";echo"Inject
Golang formatting placeholder usage tips
Mar 12, 2024 pm 03:24 PM
Tips for using Golang formatting placeholders In the process of using Golang to format strings, it is very important to master the skills of using placeholders. This article will introduce some commonly used formatting placeholders and sample code to help readers handle string formatting tasks more flexibly. Formatting placeholders in Golang mainly consist of % followed by specific letters, indicating the output of different types of data. The following are some commonly used formatting placeholders and their corresponding data types: %v: default formatting, according to the type of value
What is the difference between Hibernate framework and JDBC?
Apr 17, 2024 am 10:33 AM
Differences between Hibernate and JDBC: Abstraction level: Hibernate provides high-level object mapping and query generation, while JDBC requires manual coding. Object-relational mapping: Hibernate maps Java objects and database tables, while JDBC does not provide this functionality. Query generation: Hibernate uses HQL to simplify query generation, while JDBC requires writing complex SQL queries. Transaction management: Hibernate automatically manages transactions, while JDBC requires manual management.
