Home > Database > Mysql Tutorial > body text

Why precompilation can prevent sql injection

清浅
Release: 2019-05-11 14:55:57
Original
5975 people have browsed it

The reason why precompilation can prevent sql injection: after precompilation, the sql statement has been analyzed, compiled and optimized by the database, and the database is allowed to be queried in parameterized form, so even if there are sensitive characters, the database will treat them as attributes. Values ​​are processed instead of sql instructions

Why precompilation can prevent sql injection

As we all know, there is a preprocessing function in JDBC in Java. One of the major advantages of this function is that it can improve the execution speed, especially When operating the database multiple times, another advantage is to prevent SQL injection. Strictly speaking, it should prevent the vast majority of SQL injections.

The usage is as follows:

String sql="update cz_zj_directpayment dp"+
 "set dp.projectid = ? where dp.payid= ?";
try {
PreparedStatement pset_f = conn.prepareStatement(sql);
pset_f.setString(1,inds[j]);
pset_f.setString(2,id);
pset_f.executeUpdate(sql_update);
}catch(Exception e){
//e.printStackTrace();
logger.error(e.message());
}
Copy after login

Then why can it prevent SQL injection and improve security by processing it like this? In fact, this is because the SQL statement has been precompiled before the program is run. Before the database is operated for the first time when the program is running, the SQL statement has been analyzed, compiled and optimized by the database. The corresponding execution plan will also be cached and allow the database to use parameters. Query in a standardized form. When parameters are dynamically passed to PreprareStatement at runtime, even if there are sensitive characters in the parameters, such as '1=1', the database will treat it as a parameter and a field attribute value, not as an SQL statement. The command, in this way, plays the role of SQL injection!

The above is the detailed content of Why precompilation can prevent sql injection. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!