第一种采用预编译语句集,它内置了处理SQL注入的能力,只要使用它的setString方法传值即可:
- String sql= "select * from users where username=? and password=?;
- PreparedStatement preState = conn.prepareStatement(sql);
- preState.setString(1, userName);
- preState.setString(2, password);
- ResultSet rs = preState.executeQuery();
String sql= "select * from users where username=? and password=?; PreparedStatement preState = conn.prepareStatement(sql); preState.setString(1, userName); preState.setString(2, password); ResultSet rs = preState.executeQuery();
第二种是采用正则表达式将包含有 单引号('),分号(;) 和 注释符号(--)的语句给替换掉来防止SQL注入:
- public static String TransactSQLInjection(String str)
- {
- return str.replaceAll(".*([';]+|(--)+).*", " ");
- }
- userName=TransactSQLInjection(userName);
- password=TransactSQLInjection(password);
- String sql="select * from users where username='"+userName+"' and password='"+password+"' "
- Statement sta = conn.createStatement();
- ResultSet rs = sta.executeQuery(sql);
public static String TransactSQLInjection(String str) { return str.replaceAll(".*([';]+|(--)+).*", " "); } userName=TransactSQLInjection(userName); password=TransactSQLInjection(password); String sql="select * from users where username='"+userName+"' and password='"+password+"' " Statement sta = conn.createStatement(); ResultSet rs = sta.executeQuery(sql);
安全性:Java只要使用PreparedStatement,就不会存在注入问题。至今还没遇到用了PreparedStatement还会被注入的情况。