本文探讨了Java EE初学者如何通过使用PreparedStatement避免SQL注入问题,提供了示例代码,对比了与ASP.NET中参数化查询的相似之处。
I am new to JavaEE and trying to learn to make a simple login page by checking the database. Here is the code sample:
ResultSet result=null;
Statement s = (Statement) con.createStatement();
result=s.executeQuery("select username from Table where ID="+id and " password="+password);
It should be vulnerable to SQL injection right? I would do this by using parametrized query in ASP.NET like the following:
SqlConnection con = new SqlConnection();
SqlCommand cmd=new SqlCommand("select username from Table where ID=@id and password=@password",con);
cmd.Parameters.AddWithValue("@id", id);
cmd.Parameters.AddWithValue("@password", password);
Is there any way to use parametrized queries in java like this? Can anyone use that query in parametrized form to avoid SQL injection?
Thanks
解决方案
Yes you can do this with PreparedStatement; for example:
PreparedStatement preparedStatement = con.PreparedStatement(
"SELECT * FROM MY_TABLE WHERE condition1 = ? AND condition2 = ?");
preparedStatement.setString(1,condition1_value);
preparedStatement.setString(2,condition2_value);
ResultSet rs = preparedStatement.executeQuery();
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
