The reason why precompilation can prevent sql injection: after precompilation, the sql statement has been analyzed, compiled and optimized by the database, and the database is allowed to be queried in parameterized form, so even if there are sensitive characters, the database will treat them as attributes. Values are processed instead of sql instructions
As we all know, there is a preprocessing function in JDBC in Java. One of the major advantages of this function is that it can improve the execution speed, especially When operating the database multiple times, another advantage is to prevent SQL injection. Strictly speaking, it should prevent the vast majority of SQL injections.
The usage is as follows:
String sql="update cz_zj_directpayment dp"+ "set dp.projectid = ? where dp.payid= ?"; try { PreparedStatement pset_f = conn.prepareStatement(sql); pset_f.setString(1,inds[j]); pset_f.setString(2,id); pset_f.executeUpdate(sql_update); }catch(Exception e){ //e.printStackTrace(); logger.error(e.message()); }
Then why can it prevent SQL injection and improve security by processing it like this? In fact, this is because the SQL statement has been precompiled before the program is run. Before the database is operated for the first time when the program is running, the SQL statement has been analyzed, compiled and optimized by the database. The corresponding execution plan will also be cached and allow the database to use parameters. Query in a standardized form. When parameters are dynamically passed to PreprareStatement at runtime, even if there are sensitive characters in the parameters, such as '1=1', the database will treat it as a parameter and a field attribute value, not as an SQL statement. The command, in this way, plays the role of SQL injection!
The above is the detailed content of Why precompilation can prevent sql injection. For more information, please follow other related articles on the PHP Chinese website!