Java interview question: detecting and preventing SQL injection

This article looks at a common Java interview question: how to detect and prevent SQL injection. The details are as follows.

SQL injection is currently the most commonly used attack technique among hackers. Its principle is that specially crafted input passed from the page to the back end is interpreted by the database as SQL syntax, which changes the structure of the SQL statement; this can be used to expand permissions, create high-privilege users, forcibly modify user data and so on.

How do you tell whether SQL injection is possible?

From the principle of SQL injection we know that any data that can be passed in through the page is a potential injection point, so the back end should not trust any data passed in from the page, especially integer parameters and string parameters!

Preventing SQL injection is also straightforward:

1. Check the variable's data type and format

If a variable has a fixed format, check it strictly against that format before the SQL statement is executed, to make sure the variable is in the expected form!

2. Filter special symbols

For variables whose format cannot be fixed in advance, special symbols must be escaped or encoded, because such symbols are ambiguous within SQL.

When uploading pictures

Setting enctype="multipart/form-data" on the form sets the form's MIME encoding. The default encoding, application/x-www-form-urlencoded, cannot be used for file upload; only with multipart/form-data is the file data transferred completely, after which the following operations can be performed.

3. Bind variables and use precompiled statements

In fact, using precompiled statements with bound variables is the best way to prevent SQL injection, because the semantics of a precompiled SQL statement cannot change. In the SQL statement, variables are represented by question marks (?), so no matter how skilled a hacker is, they cannot change the structure of the SQL statement, which eliminates SQL injection at the root.
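As an added illustration (not code from the original article), the following Java shows items 1 and 3 side by side: a strict format check for an integer parameter, a deliberately vulnerable lookup that concatenates the input into the SQL text, and the same lookup with a bound `?` parameter. It assumes a JDBC `Connection` to a database with a hypothetical `users(id, name)` table.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class UserDao {

    // Item 1: a fixed-format parameter is checked strictly before it goes anywhere near SQL.
    static int parseUserId(String raw) {
        if (raw == null || !Pattern.matches("[1-9][0-9]{0,8}", raw)) {
            throw new IllegalArgumentException("user id must be 1 to 9 digits");
        }
        return Integer.parseInt(raw);
    }

    // VULNERABLE, shown for contrast: the value is spliced into the SQL text, so a quote
    // inside it ends the string literal and the rest of the input is parsed as SQL.
    static List<String> findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // SAFE (item 3): the statement is precompiled with a ? placeholder and the value is
    // bound separately, so it is always treated as data no matter what characters it holds.
    static List<String> findByNameSafe(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("name"));
        }
        return names;
    }
}
```

Passing a name containing a single quote to `findByNameUnsafe` produces a malformed or altered statement, while `findByNameSafe` simply looks up that literal name.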

4. Encrypt sensitive database information

Since database information is sometimes leaked, we should encrypt passwords and other sensitive information in the database (MD5, etc.), so that the damage from a leak is contained within a certain range.

Points to note when using JSP

1. Do not casually enable web server error display in the production environment.

2. Never trust variables input from the client. Variables with a fixed format must be strictly checked against that format; variables without a fixed format need special characters such as quotation marks filtered and escaped.

3. Use precompiled SQL statements with bound variables.

4. Manage database account permissions properly.

5. Strictly encrypt users' confidential information.

A good program must pay attention to security; otherwise it is only fit for practice.

The content of this article was collected from the web by netizens and is provided for learning reference. The copyright belongs to the original author.