search

Home  >  Q&A  >  body text

java - 如何防止sql注入

PHP中文网PHP中文网2807 days ago1351

reply all(15)I'll reply

  • ringa_lee

    ringa_lee2017-04-17 16:25:38

    Generally parameterization or stored procedures are ok

    reply
    0
  • 黄舟

    黄舟2017-04-17 16:25:38

    可注入的sql:
    $id=$_REQUEST['id'];
    $name=$_REQUEST['name'];
    select * from members where id=$id;
    select * from members where id='".$id."'";
    select * from members where name='".$name."'";
    不可注入:
    select * from members where id='".intval($id)."'";
    select * from members where name=".sql_escape($name);

    reply
    0
  • PHP中文网

    PHP中文网2017-04-17 16:25:38

    Filter user input, limit type and size, and parameterize sql statements. In addition, parameter vulnerabilities of webservices should also be considered.

    reply
    0
  • PHP中文网

    PHP中文网2017-04-17 16:25:38

    Using JavaEE's PreparedStatement interface can easily prevent SQL injection. The drivers of various DataBase manufacturers have implemented it well. The Druid connection pool also helps you filter SQL to prevent injection. Jenkins can be used with some plug-ins, such as findBugs, to find possible SQL injection behaviors.

    reply
    0
  • PHPz

    PHPz2017-04-17 16:25:38

    1/Front-end input uses jsoup filtering. jsoup can also customize various filtering rules.
    2/Use an ORM framework such as ibatis to bind parameters for SQL execution.

    reply
    0
  • Cancelreply