Why should you always use PreparedStatement instead of Statement?
2007-11-10 21:34:46
In JDBC applications, once you are a developer with even a little experience, you should always use PreparedStatement instead of Statement. In other words, never use Statement, at any time. This is for the following reasons:

1. Readability and maintainability of the code.
Although replacing Statement with PreparedStatement makes the code a few lines longer, such code is several levels above code that uses Statement directly, in both readability and maintainability:

stmt.executeUpdate("insert into tb_name (col1,col2,col3,col4) values ('"+var1+"','"+var2+"',"+var3+",'"+var4+"')");

perstmt = con.prepareStatement("insert into tb_name (col1,col2,col3,col4) values (?,?,?,?)");
perstmt.setString(1,var1);
perstmt.setString(2,var2);
perstmt.setString(3,var3);
perstmt.setString(4,var4);
perstmt.executeUpdate();

I do not need to say much about the first approach: never mind other people reading your code, even you yourself will feel miserable reading it again after a while.

2. PreparedStatement improves performance as much as possible.
Every database does its best to optimise the performance of precompiled statements. Because a precompiled statement may be called repeatedly, the execution code produced when the DB's compiler compiles the statement is cached; the next time the same precompiled statement is called it does not need to be compiled again, the parameters are simply passed into the compiled execution code (much like a function) and it runs. This does not mean that only precompiled statements executed repeatedly within one Connection are cached: across the whole DB, as long as the text of a precompiled statement matches an entry in the cache, it can be executed directly at any time without recompilation. With a Statement, on the other hand, even when the operation is the same, the data differs on every call, so the chance of the whole statement matching is tiny, almost nil. For example:

insert into tb_name (col1,col2) values ('11','22');
insert into tb_name (col1,col2) values ('11','23');

These are the same operation, but because the data differs the statements themselves cannot match, so caching them would be pointless. In fact no database caches the compiled execution code of ordinary statements.
Of course, not every precompiled statement is guaranteed to be cached: the database applies a policy, based on factors such as how often a statement is used, to decide when to stop caching an existing precompiled result so as to keep room for storing new ones.

3. Most importantly, it greatly improves security.
Even today there are still people who do not know even the most basic malicious SQL syntax.

String sql = "select * from tb_name where name= '"+varname+"' and passwd='"+varpasswd+"'";

If we pass [' or '1' = '1] in as varpasswd, with any username at all, what does the query become?

select * from tb_name where name = 'anything' and passwd = '' or '1' = '1';

Because '1'='1' is always true, anyone can pass the check. Worse still: pass [';drop table tb_name;] in as varpasswd, and you get:

select * from tb_name where name = 'anything' and passwd = '';drop table tb_name;

Some databases will not let this succeed, but many databases will happily execute these statements.
If you use precompiled statements instead, whatever you pass in can never interact with the original statement in any way. As long as you use precompiled statements everywhere, you have no need to filter the incoming data at all. With an ordinary Statement, by contrast, you may have to go to painstaking lengths to check for and filter out things like drop, ; and so on.
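The following is an added example, not code from the original post, that puts points two and three side by side in working JDBC: one PreparedStatement reused for a batch of inserts (the SQL text never changes, only the bound parameters), and the post's login query written both in the concatenated Statement form and in the PreparedStatement form, run with the post's [' or '1' = '1] input. It assumes an in-memory H2 database at the assumed URL jdbc:h2:mem:demo with the H2 driver on the classpath (any JDBC URL can be passed as the first argument instead); the table schema, the user rows and the method names are constructed for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not from the original post. Assumes an in-memory H2 database
// (jdbc:h2:mem:demo) with the H2 driver on the classpath; pass another JDBC URL
// as the first argument to run it against a different database.
public class PreparedStatementDemo {

    // Point two of the post: one PreparedStatement, compiled once, executed many times.
    // Returns the total number of rows inserted.
    static int insertUsers(Connection con, String[][] users) throws SQLException {
        String sql = "insert into tb_name (name, passwd) values (?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            for (String[] u : users) {
                ps.setString(1, u[0]);
                ps.setString(2, u[1]);
                ps.addBatch();               // only the parameters change; the SQL text is fixed
            }
            int total = 0;
            for (int c : ps.executeBatch()) total += c;
            return total;
        }
    }

    // The vulnerable pattern from the post: user input concatenated into the SQL text.
    // Returns how many rows the resulting query matches.
    static int countUnsafe(Connection con, String name, String passwd) throws SQLException {
        String sql = "select * from tb_name where name = '" + name
                   + "' and passwd = '" + passwd + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return countRows(rs);
        }
    }

    // The hardened form: the SQL text contains no user input; values are bound as parameters,
    // so a quote or semicolon in the password is just part of the compared string.
    static int countSafe(Connection con, String name, String passwd) throws SQLException {
        String sql = "select * from tb_name where name = ? and passwd = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, passwd);
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    private static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) n++;
        return n;
    }

    public static void main(String[] args) throws SQLException {
        String url = args.length > 0 ? args[0] : "jdbc:h2:mem:demo"; // assumption: H2 on classpath
        try (Connection con = DriverManager.getConnection(url)) {
            try (Statement st = con.createStatement()) {
                st.executeUpdate("create table tb_name (name varchar(64), passwd varchar(64))");
            }
            // constructed sample rows for the demonstration
            String[][] users = { {"alice", "s3cret"}, {"bob", "hunter2"} };
            System.out.println("inserted rows: " + insertUsers(con, users));

            String payload = "' or '1' = '1";   // the input discussed in the post
            System.out.println("unsafe, correct password:  " + countUnsafe(con, "alice", "s3cret"));
            System.out.println("unsafe, injected password: " + countUnsafe(con, "anyone", payload));
            System.out.println("safe,   injected password: " + countSafe(con, "anyone", payload));
        }
    }
}
```

Run with the H2 jar on the classpath (for example: java -cp h2.jar:. PreparedStatementDemo). The unsafe lookup with the injected password matches every row in the table, because the quote in the input closes the string literal and the rest becomes SQL, whereas the safe lookup matches nothing: the whole input is compared as a password value and the statement text the database compiled is untouched.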


Icansoft
