Defending against SQL injection by passing parameters with #{}
生活随笔
SQL injection attacks
What is SQL injection
SQL injection: using an existing application to inject (malicious) SQL commands into the back-end database so that it executes operations the attacker chooses.
SQL injection happens because the program does not properly validate user input. The attacker submits malicious SQL query code to the server, and the program wrongly executes that input as part of the query statement. The original query logic is changed and the attacker's carefully constructed code runs in addition to it.
Defences against SQL injection
Do not build SQL statements by string concatenation; use prepared (precompiled) statements instead. When writing SQL in MyBatis, pass parameters with #{} and not with ${}: ${} substitutes the raw value into the SQL text, so an attacker-controlled value can rewrite the query.
Difference between #{} and ${} in MyBatis
#{}: parsed into a parameter marker of a JDBC prepared statement (prepared statement). Each #{ } becomes a placeholder (?); the value is bound afterwards as data, never as SQL, which prevents SQL injection.
${}: purely a string replacement, substituted into the statement during the dynamic SQL parsing stage. The value becomes part of the SQL text, so quotes, comment markers or extra clauses in the input change the query's structure. Use ${} only for things a prepared statement cannot bind (table or column names, ORDER BY targets), and check such values against a fixed allow-list before substituting them.
Table and test data (MySQL):

CREATE TABLE `user_info` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `userName` varchar(255) DEFAULT NULL,
  `password` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;

insert into user_info(username,password) values('leon','123456');

Test requests (the row above is the only account, so the first login fails and the second succeeds):

localhost:8080/login?userName=leon&password=8888
localhost:8080/login?userName=leon&password=123456

LoginController.java:

package com.learn.controller;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import com.learn.entity.UserEntity;
import com.learn.mapper.UserMapper;

@RestController
public class LoginController {

    @Autowired
    private UserMapper userMapper;

    // Spring MVC binds the userName and password query parameters onto UserEntity.
    @RequestMapping("/login")
    public String login(UserEntity userEntity) {
        System.out.println("account/password info: userEntity:" + userEntity.toString());
        UserEntity login = userMapper.login(userEntity);
        return login == null ? "login failed!" : "login succeeded!";
    }
}

UserMapper.java:

package com.learn.mapper;

import org.apache.ibatis.annotations.Select;

import com.learn.entity.UserEntity;

public interface UserMapper {

    // #{userName} and #{password} become JDBC prepared-statement parameters,
    // so a value such as ' OR '1'='1 is compared as a plain string, not run as SQL.
    @Select(" SELECT * FROM user_info where userName=#{userName} and password=#{password}")
    public UserEntity login(UserEntity userEntity);
}

UserEntity.java (the password is compared in the query as plaintext; this is for the demo only):

package com.learn.entity;

public class UserEntity {

    private Long id;
    private String userName;
    private String password;

    /** @return the id */
    public Long getId() {
        return id;
    }

    /** @param id the id to set */
    public void setId(Long id) {
        this.id = id;
    }

    /** @return the userName */
    public String getUserName() {
        return userName;
    }

    /** @param userName the userName to set */
    public void setUserName(String userName) {
        this.userName = userName;
    }

    /** @return the password */
    public String getPassword() {
        return password;
    }

    /** @param password the password to set */
    public void setPassword(String password) {
        this.password = password;
    }

    /* (non-Javadoc)
     * @see java.lang.Object#toString()
     */
    @Override
    public String toString() {
        return "UserEntity [id=" + id + ", userName=" + userName + ", password=" + password + "]";
    }
}

App.java:

package com.learn;

import org.mybatis.spring.annotation.MapperScan;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;

@MapperScan(basePackages = { "com.learn.mapper" })
@SpringBootApplication
@ServletComponentScan
public class App {
    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }
}

application.properties:

spring.datasource.url=jdbc:mysql://localhost:3306/test
spring.datasource.username=root
spring.datasource.password=123456
spring.datasource.driver-class-name=com.mysql.jdbc.Driver

pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.learn</groupId>
    <artifactId>springboot-web</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>war</packaging>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.12.RELEASE</version>
    </parent>
    <dependencies>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>1.1.1</version>
        </dependency>
        <!-- mysql dependency -->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
        </dependency>
        <!-- SpringBoot support for lombok -->
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <!-- SpringBoot web core component -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </dependency>
        <!-- SpringBoot external tomcat support -->
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
        </dependency>
        <!-- springboot-log4j -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-log4j</artifactId>
            <version>1.3.8.RELEASE</version>
        </dependency>
        <!-- springboot-aop -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-aop</artifactId>
        </dependency>
        <!-- https://mvnrepository.com/artifact/commons-lang/commons-lang -->
        <dependency>
            <groupId>commons-lang</groupId>
            <artifactId>commons-lang</artifactId>
            <version>2.6</version>
        </dependency>
    </dependencies>
</project>
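The mapper above uses #{} and is therefore safe; the example below is added here to make the difference between the two binding styles visible and is not code from the original article. It models the login query in Python with an in-memory sqlite3 database rather than MyBatis and MySQL: login_interpolated pastes the values into the SQL text the way ${} does, login_prepared binds them as parameters the way #{} (a JDBC ?) does, and list_users_sorted shows the one case where substitution is unavoidable, an identifier in ORDER BY, guarded by an allow-list. The user_info table, the leon/123456 row, the two test logins and the two injection payloads are constructed to mirror the page's demo; the function names and the allow-list are assumptions of this example.

```python
import sqlite3

# Constructed stand-in for the page's MySQL user_info table (sqlite3 so it runs
# offline). Plaintext password storage is kept only to mirror the article's demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_info ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " userName TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO user_info(userName, password) VALUES ('leon', '123456')")
    conn.commit()
    return conn


def login_interpolated(conn, user_name, password):
    """Models MyBatis ${}: values are pasted into the SQL text before the
    database parses it, so quotes and comment markers in the input change
    the statement's structure."""
    sql = (
        "SELECT * FROM user_info WHERE userName='" + user_name
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, user_name, password):
    """Models MyBatis #{}: the statement is parsed with ? placeholders and the
    values are bound afterwards as data, never as SQL."""
    sql = "SELECT * FROM user_info WHERE userName=? AND password=?"
    return conn.execute(sql, (user_name, password)).fetchone() is not None


# Identifiers (table/column names, ORDER BY targets) cannot be bound as
# parameters; this is the one legitimate reason to fall back to ${}-style
# substitution, and the value must then come from a fixed allow-list
# (assumed here; the real allow-list depends on the application's schema).
ALLOWED_SORT_COLUMNS = {"id", "userName"}


def list_users_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    rows = conn.execute("SELECT userName FROM user_info ORDER BY " + sort_column)
    return [row[0] for row in rows]


def run_demo():
    """Exercise both binding styles with the page's two test logins and with
    two constructed injection payloads; returns the outcomes by name."""
    conn = make_db()
    bypass_password = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    comment_user = "leon'--"           # comments out the password check entirely
    return {
        "prepared_wrong_password": login_prepared(conn, "leon", "8888"),
        "prepared_right_password": login_prepared(conn, "leon", "123456"),
        "interpolated_or_bypass": login_interpolated(conn, "leon", bypass_password),
        "prepared_or_bypass": login_prepared(conn, "leon", bypass_password),
        "interpolated_comment_bypass": login_interpolated(conn, comment_user, "wrong"),
        "prepared_comment_bypass": login_prepared(conn, comment_user, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", "login succeeded" if outcome else "login failed")
```

With string substitution both payloads log in as leon without the password, because the database only ever sees the finished text; with parameter binding the same strings are compared against the userName and password columns as literals and both logins fail. The allow-list in list_users_sorted is the check to keep whenever ${} genuinely cannot be avoided.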