Short version, for the impatient:
Statement: your code glues the query text and the values together as one string.
PreparedStatement: there is a query template with placeholders, and the data are bound into it by the driver, which handles the quoting.
More detailed examples follow.

Setup.
We have this simple table:

+-----------+----+--------+
| userName  | id | pass   |
+-----------+----+--------+
| admin     | 1  | admin  |
| user      | 2  | pass   |
| chuchelo  | 3  | elli   |
+-----------+----+--------+
The model UserLogin holds a name and a password and has a login() method that reads both from the console (passwords are stored and compared in plain text here purely to keep the example short):

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

class UserLogin {
    String name;
    String pass;

    public UserLogin() {
    }

    // Reads the user name and password from standard input.
    public void login() {
        BufferedReader reader = null;
        try {
            reader = new BufferedReader(new InputStreamReader(System.in));
            System.out.println("user name: ");
            name = reader.readLine();
            System.out.println("pass: ");
            pass = reader.readLine();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (reader != null)
                try {
                    reader.close(); // note: this also closes System.in
                } catch (IOException e) {
                    e.printStackTrace();
                }
        }
    }
}
The lookup with a plain Statement (MyConnection is the article's own helper that hands out a JDBC Connection):

    UserLogin user = new UserLogin();
    user.login();
    try (Connection connect = MyConnection.getConnection()) {
        Statement statement = connect.createStatement();
        // Vulnerable on purpose: the user's input becomes part of the SQL text.
        String query = "SELECT userName, id, pass FROM users WHERE userName='" + user.name + "' AND pass = '" + user.pass + "'";
        System.out.println(query);
        ResultSet resultSet = statement.executeQuery(query);
        while (resultSet.next()) {
            System.out.printf("User: id=%d name=%s pass=%s%n",
                    resultSet.getInt("id"),
                    resultSet.getString("userName"),
                    resultSet.getString("pass"));
        }
        MyConnection.closeConnect();
    } catch (SQLException e) {
        e.printStackTrace();
    }
Now, if we run this code and enter data without an injection:

user name: admin
pass: admin
User: id=1 name=admin pass=admin

The query itself looks like this:

SELECT userName, id, pass FROM users WHERE userName='admin' AND pass = 'admin'

If we get the name or the password wrong, no rows come back. Now let's try the injection ' or'1'='1, i.e. we enter:

user name: admin' or'1'='1
pass: blabla

We still get a result, even though the password is wrong:

User: id=1 name=admin pass=admin

The query now looks like this:

SELECT userName, id, pass FROM users WHERE userName='admin' or'1'='1' AND pass = 'blabla'

Because AND binds tighter than OR, the database reads this as userName='admin' OR ('1'='1' AND pass = 'blabla'). The first branch is true for the admin row, so the password check no longer matters: knowing a user name is enough to log in as that user. The second branch is false here because the password is wrong, which is why only the admin row comes back rather than the whole table.

How does PreparedStatement protect against this? The same lookup with PreparedStatement:

    UserLogin user = new UserLogin();
    user.login();
    try (Connection connect = MyConnection.getConnection()) {
        // The SQL text is fixed; the two values are bound to the ? placeholders.
        String query = "SELECT userName, id, pass FROM users WHERE userName=? AND pass=?";
        PreparedStatement statement = connect.prepareStatement(query);
        statement.setString(1, user.name);
        statement.setString(2, user.pass);
        // What this prints is a driver-specific rendering of the statement, not the SQL the server parses.
        System.out.println(statement);
        ResultSet resultSet = statement.executeQuery();
        while (resultSet.next()) {
            System.out.printf("User: id=%d name=%s pass=%s%n",
                    resultSet.getInt("id"),
                    resultSet.getString("userName"),
                    resultSet.getString("pass"));
        }
        MyConnection.closeConnect();
    } catch (SQLException e) {
        e.printStackTrace();
    }
That is the same code with Statement replaced by PreparedStatement. With correct data we get the correct result:

user name: user
pass: pass
User: id=2 name=user pass=pass

Query:

SELECT userName, id, pass FROM users WHERE userName='user' AND pass='pass'

Now let's try the injection:

user name: user' or'1'='1
pass: inject

And nothing comes back. The driver's rendering of the statement looks like this:

SELECT userName, id, pass FROM users WHERE userName='user' or'1'='1' AND pass='inject'

but the whole input user' or'1'='1 was sent as one string value and compared literally with userName. No row has that name, so the injection did not work.

The difference between Statement and PreparedStatement:

Statement: you have to take care of the quotes in the query yourself and put them where they belong; anything the user types lands in the SQL text.

PreparedStatement: values are bound into the query with setString, setInt and the other setXxx methods. The driver knows where quoting is needed and where it is not, so every input value is escaped, or sent to the server separately from the SQL text, and can never change the structure of the query.

One caveat: placeholders can only stand for values. A table or column name, or an ORDER BY clause, built from user input is still concatenated into the SQL text and is still injectable, PreparedStatement or not.
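To see both behaviours side by side without a console or a MySQL server, here is an added, self-contained program (not part of the original article, which uses its own MyConnection helper). It assumes the embedded H2 JDBC driver is on the classpath; any driver that accepts the small DDL below would do. It recreates the article's three-row users table in memory, runs the article's injection string through both the vulnerable and the parameterized lookup, and returns the matched rows from named methods so the outcome is easy to check.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class InjectionDemo {

    // Assumption: H2 is available. Not the article's MyConnection helper.
    static final String JDBC_URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    /** Vulnerable on purpose: user-controlled values become part of the SQL text. */
    static List<String> loginWithStatement(Connection c, String name, String pass) throws SQLException {
        String sql = "SELECT userName, id, pass FROM users WHERE userName='" + name
                + "' AND pass='" + pass + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /** Safe: the SQL text is fixed, the values are bound as parameters. */
    static List<String> loginWithPreparedStatement(Connection c, String name, String pass) throws SQLException {
        String sql = "SELECT userName, id, pass FROM users WHERE userName=? AND pass=?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Turns a result set into "id=N name=X" strings so callers can compare rows.
    static List<String> collect(ResultSet rs) throws SQLException {
        List<String> rows = new ArrayList<>();
        while (rs.next()) {
            rows.add("id=" + rs.getInt("id") + " name=" + rs.getString("userName"));
        }
        return rows;
    }

    // Builds the article's table (constructed sample data).
    static void createUsersTable(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            st.execute("CREATE TABLE users (userName VARCHAR(32), id INT, pass VARCHAR(32))");
            st.execute("INSERT INTO users VALUES ('admin', 1, 'admin'), ('user', 2, 'pass'), ('chuchelo', 3, 'elli')");
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(JDBC_URL)) {
            createUsersTable(c);
            String payload = "admin' or'1'='1"; // the article's injection string
            System.out.println("Statement, injected:         " + loginWithStatement(c, payload, "blabla"));
            System.out.println("PreparedStatement, injected: " + loginWithPreparedStatement(c, payload, "blabla"));
            System.out.println("PreparedStatement, honest:   " + loginWithPreparedStatement(c, "user", "pass"));
        }
    }
}
```

Run against these three rows, the first call returns only the admin row (the userName='admin' branch matched and the wrong password was never checked), the second returns no rows because no user is literally named admin' or'1'='1, and the third returns the user row. Using try-with-resources for the Statement, PreparedStatement and ResultSet, as done here, also closes the handles the article's snippets leave open.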