
How to fix SQL injection vulnerabilities

Posted: 2017-05-25 15:48:27      Reads: 246      Comments: 0


This article covers only code-level fixes for SQL injection vulnerabilities; the example code is mainly Java.

1. Parameterized prepared statements

Unsafe example

 String query = "SELECT account_balance FROM user_data WHERE user_name = "
   + request.getParameter("customerName"); // the request value is concatenated straight into the SQL text
 
 try {
     Statement statement = connection.createStatement( … );
     ResultSet results = statement.executeQuery( query );
 } catch (SQLException e) {
     // error handling omitted
 }

To prevent unsafe values from being passed in through parameters, you must use parameterized prepared statements:

 String custname = request.getParameter("customerName"); // This should REALLY be validated too
 // perform input validation to detect attacks
 String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
 
 PreparedStatement pstmt = connection.prepareStatement( query );
 pstmt.setString( 1, custname); 
 ResultSet results = pstmt.executeQuery( );

2. Whitelisting input parameters

Do not pass structural parts of the SQL statement, such as table names, column names, or the sort direction (ASC, DESC), as parameters: a bind parameter can only carry a value, not an identifier. Instead, have the code select the identifier from a fixed set based on a request value, as in the following examples.

 String tableName;
 switch (param) {                       // param is the raw request value
   case "Value1": tableName = "fooTable";
                  break;
   case "Value2": tableName = "barTable";
                  break;
     ...
   default      : throw new InputValidationException("unexpected value provided for table name");
 }

 public String someMethod(boolean sortOrder) {
 
   // the caller can only choose between two fixed strings; no user text reaches the SQL
   String SQLquery = "some SQL ... order by Salary " + (sortOrder ? "ASC" : "DESC");
   ...
 }
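The two techniques above combined in one data-access method, as an added example that is not code from the original post: the column and sort direction come from an allow-list fixed in code, while the customer name is bound as a prepared-statement parameter. The class, method and `InputValidationException` names and the allowed column set are assumptions; the `user_data` table and its columns are taken from the page.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public final class AccountQuery {

    /** Allow-list: the key is the only thing a request may choose; the value is the
     *  identifier spliced into the SQL, and it is fixed here in code (assumed set). */
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "name",    "user_name",
            "balance", "account_balance");

    /** Hypothetical exception type, standing in for the one used on the page. */
    public static final class InputValidationException extends RuntimeException {
        public InputValidationException(String msg) { super(msg); }
    }

    /** Maps the raw "sort" request value to a column name, or rejects it outright. */
    static String sortColumnFor(String sortParam) {
        String column = SORT_COLUMNS.get(sortParam);
        if (column == null) {
            throw new InputValidationException("unexpected value provided for sort column");
        }
        return column;
    }

    /** Identifiers come from the allow-list; the data value is a bound parameter. */
    public static List<Long> findBalances(Connection connection, String customerName,
                                          String sortParam, boolean ascending) throws SQLException {
        String orderBy = sortColumnFor(sortParam) + (ascending ? " ASC" : " DESC");
        String query = "SELECT account_balance FROM user_data WHERE user_name = ? ORDER BY " + orderBy;

        List<Long> balances = new ArrayList<>();
        try (PreparedStatement pstmt = connection.prepareStatement(query)) {
            pstmt.setString(1, customerName);   // quotes or keywords in the name stay data
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    balances.add(rs.getLong("account_balance"));
                }
            }
        }
        return balances;
    }
}
```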


Original article: http://www.cnblogs.com/birdstudio/p/6903857.html
