Preface

To demonstrate prevention sql Injection problem , We use user login to enter user name and password to explain and solve problems .

The database table is shown in the figure ：

One 、 Problem explanation

First use the commonly used Statement

  String name="tom";
//        String psw="123456";
        String psw="' or '1'='1";
//         Before solving the problem 
//        3. Definition sql
        String sql="SELECT * FROM user_info where name='"+name+"' and password='"+psw+"'";
 Statement stmt= (Statement) conn.createStatement();

        //5. perform sql
        ResultSet rs =  stmt.executeQuery(sql);

Login judgment code

if(rs.next()){
            System.out.println(" Landing successful ~");

            
        }else{
            System.out.println(" Login failed ~");
        }

  If the password is ' or '1'='1 , Execution results

We will find that , Database table tom Your password is not  ' or '1'='1, But you can login successfully ！ Why is that ？

Let's print sql Statement analysis reason

System.out.println(sql);

Running results

  Here we can see where Conditions ：name=‘tom’ It's true password=‘’ For false ‘1’=‘1’ It's true .

  Can be judged really and false or really =（ false or really ）= really . The result is always true , So you can log in successfully ！

  But how to solve this problem ！！！ If you use this, you can log in to someone else's account at will .

Two 、 resolvent

We just need to use PreparedStatement solve Escape sensitive characters

Code ：

 String sql="select * from user_info where name=? and password=?";

        PreparedStatement pstmt=conn.prepareStatement(sql);
        pstmt.setString(1,name);
        pstmt.setString(2,psw);
        ResultSet rs=pstmt.executeQuery();

Now the running result

  Use here The password for ' or '1'='1 Login success will not be displayed . Why is that ？

  Look at the above first sql Output select * from user_info where name=? and password=?

  It first escapes sensitive characters

hold ' or '1'='1 Escape character \' or \'1\'=\'1 Into text form therefore sql Statement will not find the result

That's it sql Injection problem

summary

This is also a problem that needs to be paid attention to when you do your own projects in the later stage ,PreparedStatement The use of knowledge points , Otherwise, you will be logged in maliciously .