English 中文(简体)
如何使用SQL查询转义用户提供的参数?
原标题:How to escape user-supplied parameters with a SQL query?

尝试开始使用JDBC(使用Jetty+MySQL)。我不知道如何在SQL语句中转义用户提供的参数。示例:

String username = getDangerousValueFromUser();
Statement stmt = conn.createStatement();
stmt.execute("some statement where username =  " + username + " "));

在与语句一起使用之前,我们如何转义“username”?

问题回答

使用准备好的语句

例如:

con.prepareStatement("update Orders set pname = ? where Prod_Id = ?");
pstmt.setInt(2, 100);
pstmt.setString(1, "Bob");
pstmt.executeUpdate();

它将阻止原始SQL注入

如果要转义sql字符串,请检查StringEscapeUtils.escapeSql()。请注意,此方法是在Commons Lang 3中已弃用

另请参阅





相关问题
Spring Properties File

Hi have this j2ee web application developed using spring framework. I have a problem with rendering mnessages in nihongo characters from the properties file. I tried converting the file to ascii using ...

Logging a global ID in multiple components

I have a system which contains multiple applications connected together using JMS and Spring Integration. Messages get sent along a chain of applications. [App A] -> [App B] -> [App C] We set a ...

Java Library Size

If I m given two Java Libraries in Jar format, 1 having no bells and whistles, and the other having lots of them that will mostly go unused.... my question is: How will the larger, mostly unused ...

How to get the Array Class for a given Class in Java?

I have a Class variable that holds a certain type and I need to get a variable that holds the corresponding array class. The best I could come up with is this: Class arrayOfFooClass = java.lang....

SQLite , Derby vs file system

I m working on a Java desktop application that reads and writes from/to different files. I think a better solution would be to replace the file system by a SQLite database. How hard is it to migrate ...

热门标签