Recommendation (free): sql tutorial
##SQL injection refers to the intrusion of user-entered data by web applications. There is no judgment on legality or lax filtering. Attackers can add additional SQL statements at the end of the predefined query statements in the web application to achieve illegal operations without the administrator's knowledge, thereby deceiving the database. The server performs unauthorized arbitrary queries to further obtain corresponding data information.1. SQL injection case
Simulate a SQL injection case of user login. The user enters the user name and password on the console, and then uses Statement string concatenation. Implement user login.1.1 First create the user table and data in the database
-- 创建一张用户表 CREATE TABLE `users` ( `id` INT(11) NOT NULL AUTO_INCREMENT, `username` VARCHAR(20), `password` VARCHAR(50), PRIMARY KEY (`id`) ) ENGINE=INNODB DEFAULT CHARSET=utf8; -- 插入数据 INSERT INTO users(username,`password`) VALUES('张飞','123321'),('赵云','qazxsw'),('诸葛亮','123Qwe'); INSERT INTO users(username,`password`) VALUES('曹操','741258'),('刘备','plmokn'),('孙权','!@#$%^'); -- 查看数据 SELECT * FROM users;
import java.sql.*;
import java.util.Scanner;
public class TestSQLIn {
public static void main(String[] args) throws ClassNotFoundException, SQLException {
Class.forName("com.mysql.jdbc.Driver");
String url = "jdbc:mysql://127.0.0.1:3306/testdb?characterEncoding=UTF-8";
Connection conn = DriverManager.getConnection(url,"root","123456");
//System.out.println(conn);
// 获取语句执行平台对象 Statement
Statement smt = conn.createStatement();
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名:");
String userName = sc.nextLine();
System.out.println("请输入密码:");
String password = sc.nextLine();
String sql = "select * from users where username = '" + userName + "' and password = '" + password +"'";
//打印出SQL
System.out.println(sql);
ResultSet resultSet = smt.executeQuery(sql);
if(resultSet.next()){
System.out.println("登录成功!!!");
}else{
System.out.println("用户名或密码错误,请重新输入!!!");
}
resultSet.close();
smt.close();
conn.close();
}
}
After entering the correct user name and password, it will prompt "Login successful"
When the user name or password is entered incorrectly, the prompt "User name or password is incorrect, please re-enter"
The concatenated string contains or '1'='1', which is a constant condition, so even if the previous user and password do not exist, it will All records are taken out, so the prompt "Login successful"
Using the splicing method, SQL will also appear Syntax errors and other errors, such as
Using the Statement method, the user can change the original text through string splicing. The true meaning of SQL leads to the risk of SQL injection. To solve SQL injection, you can use the preprocessing object PreparedStatement instead of Statement for processing.
1.1 Write a new programimport java.sql.*;
import java.util.Scanner;
public class TestSQLIn {
public static void main(String[] args) throws ClassNotFoundException, SQLException {
Class.forName("com.mysql.jdbc.Driver");
String url = "jdbc:mysql://127.0.0.1:3306/testdb?characterEncoding=UTF-8";
Connection conn = DriverManager.getConnection(url,"root","123456");
//System.out.println(conn);
// 获取语句执行平台对象 Statement
// Statement smt = conn.createStatement();
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名:");
String userName = sc.nextLine();
System.out.println("请输入密码:");
String password = sc.nextLine();
String sql = "select * from users where username = ? and password = ? ";
// System.out.println(sql);
// ResultSet resultSet = smt.executeQuery(sql);
PreparedStatement preparedStatement = conn.prepareStatement(sql);
preparedStatement.setString(1,userName);
preparedStatement.setString(2,password);
ResultSet resultSet = preparedStatement.executeQuery();
if(resultSet.next()){
System.out.println("登录成功!!!");
}else{
System.out.println("用户名或密码错误,请重新输入!!!");
}
preparedStatement.close();
resultSet.close();
// smt.close();
conn.close();
}
}
When the username or password is entered incorrectly, it will prompt "The username or password is incorrect, please re-enter"
According to the previous situation, write SQL injection. After the test, SQL injection will no longer occur.
After using the preprocessing class, inputting content with single quotes or double quotes will not work SQL syntax errors will appear again
The main differences between Statement and PreparedStatement are as follows:
- Statement is used to execute static SQL statements. During execution, a prepared SQL statement must be specified.
- PrepareStatement is a precompiled SQL statement object. The statement can contain the dynamic parameter "?", and the parameter value can be dynamically set for "?" during execution
- PrepareStatement can reduce the number of compilations and improve database performance
The above is the detailed content of Learn about SQL injection and how to fix it. For more information, please follow other related articles on the PHP Chinese website!
MySQL: A Specific Implementation of SQLApr 13, 2025 am 12:02 AMMySQL is an open source relational database management system that provides standard SQL functions and extensions. 1) MySQL supports standard SQL operations such as CREATE, INSERT, UPDATE, DELETE, and extends the LIMIT clause. 2) It uses storage engines such as InnoDB and MyISAM, which are suitable for different scenarios. 3) Users can efficiently use MySQL through advanced functions such as creating tables, inserting data, and using stored procedures.
SQL: Making Data Management Accessible to AllApr 12, 2025 am 12:14 AMSQLmakesdatamanagementaccessibletoallbyprovidingasimpleyetpowerfultoolsetforqueryingandmanagingdatabases.1)Itworkswithrelationaldatabases,allowinguserstospecifywhattheywanttodowiththedata.2)SQL'sstrengthliesinfiltering,sorting,andjoiningdataacrosstab
SQL Indexing Strategies: Improve Query Performance by Orders of MagnitudeApr 11, 2025 am 12:04 AMSQL indexes can significantly improve query performance through clever design. 1. Select the appropriate index type, such as B-tree, hash or full text index. 2. Use composite index to optimize multi-field query. 3. Avoid over-index to reduce data maintenance overhead. 4. Maintain indexes regularly, including rebuilding and removing unnecessary indexes.
How to delete constraints in sqlApr 10, 2025 pm 12:21 PMTo delete a constraint in SQL, perform the following steps: Identify the constraint name to be deleted; use the ALTER TABLE statement: ALTER TABLE table name DROP CONSTRAINT constraint name; confirm deletion.
How to set SQL triggerApr 10, 2025 pm 12:18 PMA SQL trigger is a database object that automatically performs specific actions when a specific event is executed on a specified table. To set up SQL triggers, you can use the CREATE TRIGGER statement, which includes the trigger name, table name, event type, and trigger code. The trigger code is defined using the AS keyword and contains SQL or PL/SQL statements or blocks. By specifying trigger conditions, you can use the WHERE clause to limit the execution scope of a trigger. Trigger operations can be performed in the trigger code using the INSERT INTO, UPDATE, or DELETE statement. NEW and OLD keywords can be used to reference the affected keyword in the trigger code.
How to add index for SQL queryApr 10, 2025 pm 12:15 PMIndexing is a data structure that accelerates data search by sorting data columns. The steps to add an index to an SQL query are as follows: Determine the columns that need to be indexed. Select the appropriate index type (B-tree, hash, or bitmap). Use the CREATE INDEX command to create an index. Reconstruct or reorganize the index regularly to maintain its efficiency. The benefits of adding indexes include improved query performance, reduced I/O operations, optimized sorting and filtering, and improved concurrency. When queries often use specific columns, return large amounts of data that need to be sorted or grouped, involve multiple tables or database tables that are large, you should consider adding an index.
How to use ifelse sql statementApr 10, 2025 pm 12:12 PMThe IFELSE statement is a conditional statement that returns different values based on the conditional evaluation result. Its syntax structure is: IF (condition) THEN return_value_if_condition_is_true ELSE return_value_if_condition_is_false END IF;.
How to view sql database errorApr 10, 2025 pm 12:09 PMThe methods for viewing SQL database errors are: 1. View error messages directly; 2. Use SHOW ERRORS and SHOW WARNINGS commands; 3. Access the error log; 4. Use error codes to find the cause of the error; 5. Check the database connection and query syntax; 6. Use debugging tools.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
Zend Studio 13.0.1
Powerful PHP integrated development environment
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
Dreamweaver CS6
Visual web development tools
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
