search

Home  >  Q&A  >  body text

java - 如何防止sql注入

PHP中文网PHP中文网2803 days ago1327

reply all(15)I'll reply

  • 怪我咯

    怪我咯2017-04-17 16:25:38

    WAF and OneRASP are both effective against SQL injection. WAF is placed in front of the application and can better prevent SQL injection through matching rules. However, because we don’t know how SQL statements are specifically used in the application, we only rely on partial It is not enough to judge whether it is SQL injection based on parameters. This requires administrators to have sufficient knowledge of the application and make very complex configurations for the application, which also results in a relatively high accidental kill rate.
    OneRASP injects the protection program into the application like a vaccine and runs together with the application. It is familiar with the context of the application and protects it in the JDBC statement program. On the one hand, it can completely see the entire SQL statement, and at the same time It's clear what the results are. This is very basis for judging whether it is injection. It also makes the manslaughter rate very low.
    OneRASP has many other advantages. Interested students please visit www.oneASP.com, or search on Baidu.

    reply
    0
  • PHPz

    PHPz2017-04-17 16:25:38

    Preprocessing, separate parameters and queries

    reply
    0
  • 大家讲道理

    大家讲道理2017-04-17 16:25:38

    Obviously everyone knows about parameterization. So how can we do parameterization well? If your query is not so complex that it requires string construction of SQL (such as recursion or dynamic level join), then almost all situations can be solved using the following methods:

    1. SQLServer puts the data together with the stored procedure. In fact, this can also synchronize data and packaging, and there is no need to change both ends. When the schema changes, the entire update can be transacted.
    2. The client (or your website) only accesses stored procedures.
    3. Only enable execute permissions for your client so that it can only access stored procedures.

    Using the stored procedure is basically letting the database do the parameterization for you, so you won’t make any mistakes. And this method will not cause problems when you need to construct sql from a string, because sql can also be constructed in the stored procedure, and it is particularly convenient to parameterize this sql structure.

    All injection problems are solved automatically.

    reply
    0
  • PHPz

    PHPz2017-04-17 16:25:38

    I think that since you have understood that the website may have the risk of injection vulnerabilities, you must have understood the principle of injection; therefore, I think if you don’t want to think about how to filter those complex and insightful injection statements, I I think the best way is to use ORM instead of using the old database query method! If you are using java to write the backend, then Hibernate will be a framework worth trying!

    reply
    0
  • 巴扎黑

    巴扎黑2017-04-17 16:25:38

    1. Escape input

    2. Use orm framework

    reply
    0
  • 伊谢尔伦

    伊谢尔伦2017-04-17 16:25:38

    Filtering sql can prevent

    reply
    0
  • 天蓬老师

    天蓬老师2017-04-17 16:25:38

    1. Try not to directly use the obtained data to splice SQL for database access

    2. If there is a useful framework, such as Struts, you can customize the interceptor for interception

    3. Use ORM framework

    reply
    0
  • PHP中文网

    PHP中文网2017-04-17 16:25:38

    Rookie here to answer: Give me a simple sql injection method

    //接收参数
    String user=getParam(request,"user","");
    String password=getParam(request,"pswd","");
    
    //拼装sql
    String checkSql="select * from user where username='"+user+"' and password ='"+password+"'";
    
    //请求地址
    String getUrl="xxx.jsp?user=admin&password=1' or '1'='1";
    
    获取参数合成后的sql变成了
    select * from users where userid='admin' and passwd='1' or '1'='1'
    
    这条SQL将会返回所有users数据。也许你的接口就真的把这个user数据给返回过来了。

    reply
    0
  • 伊谢尔伦

    伊谢尔伦2017-04-17 16:25:38

    The most effective way to prevent SQL injection is to escape input.

    reply
    0
  • PHP中文网

    PHP中文网2017-04-17 16:25:38

    Don’t trust any user input data,

    reply
    0
  • Cancelreply