
What injection errors can MySQL statements have?

Published: 10/01  Source: unknown

SQL injection in MySQL statements means using an application's external interface to the database to smuggle user-supplied data into the SQL statement that is actually executed, with the goal of compromising the database and, from there, the operating system. An attacker uses it to read, modify or delete data, to obtain user records and passwords stored in the database and, in the worst case, to gain administrator privileges.


SQL injection (SQL Injection)

SQL injection means inserting user-supplied data, through a database's external interface, into the database manipulation language (SQL) that is actually executed, thereby compromising the database and even the operating system. It happens mainly because the program does not strictly check the data the user enters, which allows illegitimate database queries to run.

Impact
An attacker can use it to read, modify or delete data in the database, obtain the user records and passwords stored there and, in the worst case, obtain administrator privileges.

Example

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;

    public class InjectionDemo {
        // Vulnerable: the user-supplied values are spliced into the SQL text
        public static void test3(String name, String passward) {
            Connection connection = null;
            Statement st = null;
            ResultSet rs = null;
            try {
                // Load the JDBC driver (Connector/J 5.x class name; 8.x uses com.mysql.cj.jdbc.Driver)
                Class.forName("com.mysql.jdbc.Driver");
                // Obtain a JDBC connection
                String url = "jdbc:mysql://localhost:3306/tulun";
                connection = DriverManager.getConnection(url, "root", "123456");
                // Create a statement object
                st = connection.createStatement();
                // Build the SQL by string concatenation: this is the injection point
                String sql = "select * from student where name = '" + name + "' and passward = '" + passward + "'";
                rs = st.executeQuery(sql);

                if (rs.next()) {
                    System.out.println("Login succeeded.");
                } else {
                    System.out.println("Login failed.");
                }

            } catch (Exception e) {
                e.printStackTrace();
            } finally {
                // Release resources in reverse order of acquisition
                try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
                try { if (st != null) st.close(); } catch (SQLException ignored) { }
                try { if (connection != null) connection.close(); } catch (SQLException ignored) { }
            }
        }

        public static void main(String[] args) {
            // Attack input: the quote closes the string literal and the rest is parsed as SQL
            test3("wjm3' or '1 = 1", "151515");
        }
    }

Database contents
[screenshot of the student table; image not available in this copy]
As the code above shows, the username passed in is wjm3' or '1 = 1 and the password is 151515. The database has no user by that name, so the program should print "Login failed", yet it prints "Login succeeded". The reason is the single quote inside the input: it closes the string literal, so or '1 = 1 is no longer part of the username value but part of the SQL statement itself. The query that actually runs is

    select * from student where name = 'wjm3' or '1 = 1' and passward = '151515'

Because AND binds tighter than OR, MySQL evaluates this as name = 'wjm3' OR ('1 = 1' AND passward = '151515'), and when it needs a boolean from the string '1 = 1' it converts it to the number 1, which is true. Any row for a user named wjm3 satisfies the first branch on its own, and any row whose password happens to be 151515 satisfies the second, so the login check passes without the real password. That is the security problem.

Fixes

1. PreparedStatement

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;

    public class PreparedStatementDemo {
        // Fixed: the SQL text carries placeholders and the values are bound separately
        public static void test3(String name, String passward) {
            try {
                // Load the JDBC driver (Connector/J 5.x class name; 8.x uses com.mysql.cj.jdbc.Driver)
                Class.forName("com.mysql.jdbc.Driver");
                String url = "jdbc:mysql://localhost:3306/tulun";
                // The query is fixed text; each ? marks where a value will be bound
                String sql1 = "select * from student where name = ? and passward = ?";
                // try-with-resources closes rs, st and connection in reverse order, even on error
                try (Connection connection = DriverManager.getConnection(url, "root", "123456");
                     PreparedStatement st = connection.prepareStatement(sql1)) {
                    // Bind the values: whatever they contain, they are treated as data, never as SQL
                    st.setString(1, name);
                    st.setString(2, passward);
                    // Replaced by the placeholders above:
                    // String sql = "select * from student where name = '" + name + "' and passward = '" + passward + "'";
                    try (ResultSet rs = st.executeQuery()) {
                        if (rs.next()) {
                            System.out.println("Login succeeded.");
                        } else {
                            System.out.println("Login failed.");
                        }
                    }
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        public static void main(String[] args) {
            // Same attack input as before; it now only matches a user literally named "wjm3' or '1 = 1"
            test3("wjm3' or '1 = 1", "151515");
        }
    }

In the code above, whatever the name parameter contains, it stays a parameter value: the driver either binds it on the server side or escapes it correctly on the client, and either way the quote in wjm3' or '1 = 1 can no longer close the string literal, so the input is never executed as part of the SQL statement. This is the recommended fix and the primary defence. Two caveats: placeholders can only stand for values, so table and column names, sort columns and LIMIT clauses must still be chosen from an allowlist in code rather than taken from the user; and a PreparedStatement whose SQL text was itself built by concatenating user input before prepareStatement() is exactly as injectable as the Statement version.
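The defect from the Example section and the PreparedStatement fix, re-created together as an added example that is not part of the original page, in Python against an in-memory SQLite table. The rows are constructed (the page's screenshot is not available), the table layout follows the page's student(name, passward), and the placeholder syntax is SQLite's, which parses the page's payload the same way MySQL does. Besides the page's input it tries two variants the page does not show: the tautology placed in the password field, which returns every row because OR is evaluated last, and a comment sequence that discards the password check. The concatenated query text is returned next to the rows so the rewritten WHERE clause is visible; the parameterized version matches nothing for all three.

```python
import sqlite3

# Constructed sample rows standing in for the page's `student` table
# (hypothetical data; the page's screenshot is not available here).
SAMPLE_ROWS = [
    ("wjm3", "secret-pw"),
    ("alice", "qwerty"),
]

# (name, passward) pairs: the page's attack input plus two variants it does not show.
PAGE_PAYLOAD = ("wjm3' or '1 = 1", "151515")   # tautology in the name field
PASSWORD_PAYLOAD = ("wjm3", "' or '1'='1")       # tautology in the password field
COMMENT_PAYLOAD = ("wjm3' -- ", "151515")        # comments out the password check


def make_db():
    """In-memory SQLite copy of the page's student(name, passward) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (name TEXT, passward TEXT)")
    conn.executemany("INSERT INTO student VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def login_concat(conn, name, passward):
    """Vulnerable: the same string splicing as test3() on the page.

    Returns the SQL text that actually ran and the rows it matched, so the
    rewritten WHERE clause can be inspected.
    """
    sql = ("select * from student where name = '" + name
           + "' and passward = '" + passward + "'")
    return sql, conn.execute(sql).fetchall()


def login_prepared(conn, name, passward):
    """Fixed: placeholders; the values are bound and never become SQL syntax."""
    sql = "select * from student where name = ? and passward = ?"
    return sql, conn.execute(sql, (name, passward)).fetchall()


def login_ok(rows):
    """The page's rule: any matching row counts as a successful login."""
    return len(rows) > 0


def demo():
    """Run each payload through both versions; returns {label: (sql, rows, safe_rows)}."""
    conn = make_db()
    results = {}
    for label, (name, pw) in (("page", PAGE_PAYLOAD),
                              ("password", PASSWORD_PAYLOAD),
                              ("comment", COMMENT_PAYLOAD)):
        sql, rows = login_concat(conn, name, pw)
        _, safe_rows = login_prepared(conn, name, pw)
        results[label] = (sql, rows, safe_rows)
        print(f"[{label}] concatenated: {sql}")
        print(f"    rows={rows} login_ok={login_ok(rows)}")
        print(f"    prepared: rows={safe_rows} login_ok={login_ok(safe_rows)}")
    conn.close()
    return results


if __name__ == "__main__":
    demo()
```

Run it directly to see the three rewritten queries. With the page's payload the wjm3 row is matched by the name = 'wjm3' branch alone, so the result does not even depend on how the engine treats '1 = 1'; with the tautology in the password field the clause becomes (name = 'wjm3' AND passward = '') OR '1'='1' and every row comes back; with the comment payload everything after -- is ignored. login_prepared() returns an empty list for all three because the bound values are compared as data.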
2.±¾È˶¨Ò庯ÊýֹͣУÑé

  • ÕûÀíÊý¾Ýʹ֮±äµÃÓÐЧ
  • »Ø¾øÒÑÖªµÄ²»·¨ÊäÈë
  • Ö»½ÓÊÜÒÑÖªµÄºÏ·¨ÊäÈë

ËùÒÔ¼ÙÈçÏëÒª»ñµÃ×îºÃµÄƽ°²×´Ì¬£¬µ±Ç°×îºÃµÄ½â¾ö·½·¨¾ÍÊǶԻáÔ±Ìá½»»òÕß´ó¸Å¸Ä¶¯µÄÊý¾ÝÍ£Ö¹¼ò±ã·ÖÀ࣬Àë±ðÀûÓÃÕýÔò±í´ïʽÀ´¶Ô»áÔ±¹©¸øµÄÊäÈëÊý¾ÝÍ£Ö¹ÑÏÀ÷µÄ¼ì²âºÍÑéÖ¤¡£
ÆäʵֻÐèÒª¹ýÂ˲»·¨µÄ·ûºÅ×éºÏ¾Í¿ÉÒÔ×èÄÓÒÑÖªÇéÊƵĹ¥»÷£¬²¢ÇÒ¼ÙÈç·¢Ã÷¸üÐµĹ¥»÷·ûºÅ×éºÏ£¬Ò²¿ÉÒÔ½«ÕâЩ·ûºÅ×éºÏÔö¼Ó½øÀ´£¬Á¬Ðø·À±¸ÐµĹ¥»÷¡£ÌØÊâÊÇ¿Õ¸ñ·ûºÅºÍÆä·¢ÉúÀ×ͬ×÷Óõķָô¹Ø¼ü×ֵķûºÅ£¬ÀýÈç¡°/**/¡±£¬¼ÙÈçÄܳɹ¦¹ýÂËÕâÖÖ·ûºÅ£¬ÄÇôÓÐÐí¶à×¢Èë¹¥»÷½«²»¿Ë²»¼°·¢Éú£¬²¢ÇÒͬʱҲҪ¹ýÂËËüÃǵÄÊ®Áù½øÖƱíʾ¡°£¥XX¡±¡£
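An added example (not from the page) showing why the accept-known-good rule beats the reject-known-bad rule. The username regular expression and the list of banned sequences are assumptions chosen for the demonstration, the attacker inputs are constructed, and a one-row SQLite table with constructed data stands in for the page's student table. Each payload is checked against both filters and then spliced into the page's query to confirm whether it really would log in without the password.

```python
import re
import sqlite3

# Allowlist: the shape a username is allowed to have. The character class and
# the length limit are assumptions for this example, not taken from the page.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

# Blacklist in the spirit of the page's advice: spaces, the /**/ separator and
# their URL-encoded forms. Kept here only to show how it is bypassed.
BANNED = [" ", "/**/", "%20", "%2F%2A%2A%2F"]

# Constructed attacker inputs for the name field (not from the page).
PAYLOADS = {
    "page":      "wjm3' or '1 = 1",         # the page's payload, contains spaces
    "no_spaces": "wjm3'or'1'='1",           # quoted literals need no separator
    "tab":       "wjm3'\tor\t'1'='1",       # a tab separates keywords like a space
    "newline":   "wjm3'\nor\n'1'='1",       # so does a newline
    "comment":   "wjm3'/**/or/**/'1'='1",   # caught by the blacklist, still valid SQL
}


def passes_blacklist(value):
    """Negative filter: True when none of the banned sequences appears."""
    lowered = value.lower()
    return not any(bad.lower() in lowered for bad in BANNED)


def passes_allowlist(value):
    """Positive filter: True only when the whole value matches the known-good shape."""
    return USERNAME_RE.fullmatch(value) is not None


def login_without_password(name, passward="wrong"):
    """Splice `name` into the page's query against a one-row table (constructed
    data) and report whether the page's 'login succeeded' branch would run."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (name TEXT, passward TEXT)")
    conn.execute("INSERT INTO student VALUES ('wjm3', 'secret-pw')")
    sql = ("select * from student where name = '" + name
           + "' and passward = '" + passward + "'")
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        return False   # a syntax error means the payload did not parse as SQL
    finally:
        conn.close()


def evaluate(payloads=PAYLOADS):
    """Per payload: (survives blacklist, survives allowlist, actually injects)."""
    return {label: (passes_blacklist(p), passes_allowlist(p), login_without_password(p))
            for label, p in payloads.items()}


if __name__ == "__main__":
    for label, (bl, al, injects) in evaluate().items():
        print(f"{label:10s} blacklist_ok={bl!s:5} allowlist_ok={al!s:5} injects={injects}")
```

Three of the five payloads sail through the blacklist and every one of them logs in without the password, while the allowlist rejects all five and still accepts a plain username such as wjm3. The lesson is the one the page's third bullet states: describe what good input looks like and refuse everything else, and let the parameterized query, not the filter, be the thing that makes injection impossible.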
