What are the injection vulnerabilities in MySQL statements?
SQL injection in MySQL statements means using certain external interfaces of the database to insert user-supplied data into the actual SQL statement, thereby breaking into the database and even the operating system. Attackers use it to read, modify or delete data in the database, obtain user profiles, passwords and other information stored there, and in more serious cases gain administrator privileges.
SQL injection
SQL injection means using certain external interfaces of the database to insert user-supplied data into the actual database manipulation language (SQL) statement, thereby breaking into the database and even the operating system. It occurs mainly because the program does not strictly filter the data the user enters, which allows illegal database query statements to be executed.
Impact
Attackers use it to read, modify or delete data in the database, obtain user profiles, passwords and other information stored there, and in the most serious cases gain administrator privileges.
Example
// Injectable version: the user input is concatenated straight into the SQL text.
// The imports and the enclosing class (name assumed) are added so the fragment compiles.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

public class LoginDemo {

    public static void test3(String name, String passward) {
        Connection connection = null;
        Statement st = null;
        ResultSet rs = null;
        try {
            // Load the JDBC driver
            Class.forName("com.mysql.jdbc.Driver");
            // Obtain a JDBC connection
            String url = "jdbc:mysql://localhost:3306/tulun";
            connection = DriverManager.getConnection(url, "root", "123456");
            // Create a statement object
            st = connection.createStatement();
            // The SQL text is built by string concatenation, so a quote inside
            // name or passward becomes part of the statement itself
            String sql = "select * from student where name = '" + name + "' and passward = '" + passward + "'";
            rs = st.executeQuery(sql);
            if (rs.next()) {
                System.out.println("登录成功。");
            } else {
                System.out.println("登录失败。");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
        test3("wjm3' or '1 = 1", "151515");
    }
}
[Figure: database contents of the student table]
As the code above shows, the user name is wjm3' or '1 = 1 and the password is 151515. The database shows that no such user exists, so the program should report a failed login, yet the result is a successful login. The reason is that or '1 = 1 is no longer part of the user name: it has become part of the SQL statement itself, so the condition evaluates to true regardless, which amounts to being able to log in without entering a password. This is where the security problem arises.
Solutions
1. PreparedStatement
// Fixed version: PreparedStatement with bound parameters.
// The imports and the enclosing class (name assumed) are added so the fragment compiles.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginDemo {

    public static void test3(String name, String passward) {
        Connection connection = null;
        PreparedStatement st = null;
        ResultSet rs = null;
        try {
            // Load the JDBC driver
            Class.forName("com.mysql.jdbc.Driver");
            // Obtain a JDBC connection
            String url = "jdbc:mysql://localhost:3306/tulun";
            connection = DriverManager.getConnection(url, "root", "123456");
            // Create a parameterized query: the ? placeholders are filled by the
            // driver, so the input is only ever treated as data, never as SQL
            String sql1 = "select * from student where name = ? and passward = ?";
            st = connection.prepareStatement(sql1);
            st.setString(1, name);
            st.setString(2, passward);
            // The old concatenated statement, kept for comparison:
            // String sql = "select * from student where name = '" + name + "' and passward = '" + passward + "'";
            rs = st.executeQuery();
            if (rs.next()) {
                System.out.println("登录成功。");
            } else {
                System.out.println("登录失败。");
            }
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // Release resources in reverse order of acquisition, skipping any
            // that were never opened (the original closed the connection first
            // and would throw NullPointerException if the connection failed)
            try {
                if (rs != null) rs.close();
                if (st != null) st.close();
                if (connection != null) connection.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }

    public static void main(String[] args) {
        test3("wjm3' or '1 = 1", "151515");
    }
}
In the code above, whatever the name parameter contains, it remains just the name parameter and is never executed as part of the SQL statement. This approach is generally recommended and is comparatively safe.
2. Custom validation functions
- Sanitize the data so that it becomes valid
- Reject known illegal input
- Accept only known-good input
So, to reach the best security posture, the best current solution is to sort the data that users submit or may modify into simple categories, and then use regular expressions to strictly check and validate each kind of user-supplied input.
In practice, filtering out illegal symbol combinations is enough to block known forms of attack, and when new attack symbol combinations are discovered they can be added as well, continuously guarding against new attacks. This applies in particular to the space character and to symbols that play the same role of separating keywords, such as "/**/"; if these can be filtered successfully, many injection attacks cannot take place. Their hexadecimal encodings "%XX" must be filtered at the same time.
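The login check from the example, as an added illustration that is not the page's own code, serving both the PreparedStatement fix and the validation rules of section 2: the page's concatenated query is run beside a parameterized query and an allow-list check, against an in-memory SQLite table with constructed rows in place of the MySQL/JDBC setup so it runs offline; the username pattern is an assumption.

```python
import re
import sqlite3

# Constructed sample rows standing in for the page's MySQL "student" table.
# Assumption: an in-memory SQLite database replaces MySQL/JDBC so this runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (name TEXT, passward TEXT)")
    conn.executemany("INSERT INTO student VALUES (?, ?)",
                     [("wjm1", "151515"), ("wjm2", "222222")])
    return conn

def login_vulnerable(conn, name, passward):
    # Same concatenation as the page's first test3(): the quote in the input
    # changes the statement, so "wjm3' or '1 = 1" matches any row whose
    # passward is 151515 even though no user named wjm3 exists.
    sql = ("select * from student where name = '" + name
           + "' and passward = '" + passward + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, name, passward):
    # Placeholders as in the page's PreparedStatement fix: the driver binds
    # the values, so the input is only ever compared as data.
    sql = "select * from student where name = ? and passward = ?"
    return conn.execute(sql, (name, passward)).fetchone() is not None

# Allow-list rule for section 2 ("accept only known-good input"); the pattern
# (3-20 letters, digits or underscores) is an assumption made for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

def login_validated(conn, name, passward):
    # Defence in depth: reject malformed names before touching the database,
    # then still use the parameterized query.
    return is_valid_username(name) and login_parameterized(conn, name, passward)

if __name__ == "__main__":
    db = make_db()
    payload = "wjm3' or '1 = 1"  # the injected user name from the page
    print("concatenated:", login_vulnerable(db, payload, "151515"))     # True
    print("parameterized:", login_parameterized(db, payload, "151515")) # False
    print("validated:", login_validated(db, payload, "151515"))         # False
    print("real user:", login_validated(db, "wjm1", "151515"))          # True
```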
That concludes the discussion of injection vulnerabilities in MySQL statements; for more, see the other related articles on 百分百源码网.