mysql> select * from t_u -> ; +----+----------+------+------+ | id | username | pwd | age | +----+----------+------+------+ | 1 | zs | test | 22 | +----+----------+------+------+ 1 row in set (0.14 sec) mysql> update t_u set pwd = 'ddd\' or \'1\'=\'1' where id =1; Query OK, 1 row affected (0.39 sec) Rows matched: 1 Changed: 1 Warnings: 0 mysql> select * from t_u; +----+----------+----------------+------+ | id | username | pwd | age | +----+----------+----------------+------+ | 1 | zs | ddd' or '1'='1 | 22 | +----+----------+----------------+------+ 1 row in set (0.06 sec)
java:
package web; import java.io.IOException; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.ResultSet; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import util.DBUtil; public class LoginServletSafe extends HttpServlet{ public void service(HttpServletRequest req, HttpServletResponse res) throws ServletException,IOException{ System.out.println("========================"); Connection conn =null; try{ conn = DBUtil.getConnection(); String username = req.getParameter("username"); String pwd =req.getParameter("pwd"); String sql="select * from t_u where username = ? and pwd = ?"; System.out.println(sql); PreparedStatement prep= conn.prepareStatement(sql); prep.setString(1, username); prep.setString(2, pwd); //System.out.println("pwd的值:"+pwd); //若将pwd的值定义为:ddd' or '1'='1 //通过preparedStatement预编译后,执行的SQL语句将是: //select * from t_u where name = 'zs' // and pwd ='ddd\' or \'1\'=\'1' /**实现机制不同,注入只对sql语句的准备(编译?)过程有破坏作用 而ps已经准备好了,执行阶段只是把输入串作为数据处理,不再 需要对sql语句进行解析,准备,因此也就避免了sql注入问题. *PreparedStatement可以在传入sql后,执行语句前,给参数赋值, *避免了因普通的拼接sql字符串语句所带来的安全问题,而且准备sql *和执行sql是在两个语句里面完成的,也提高了语句执行的效率 */ ResultSet rst= prep.executeQuery(); System.out.println("rst: "+rst); //System.out.println("rst: "+rst.getStatement()); //判断结果集rs是否有记录,并且将指针后移一位 //因为前面的select语句是限定的条件,只有满足了条件才能有记录产生 if(rst.next()){ System.out.println("success"); }else{ System.out.println("fail"); } }catch(Exception e){ e.printStackTrace(); throw new ServletException(e); } } }
然后在JSP页面中,name的取值为zs,pwd的取值为:ddd' or '1'='1
提交后,控制台打印出:success,就表示,pwd的值是当成参数值来传递了,相当于执行了以下的SQL语句。
mysql> select * from t_u where username='zs' and pwd = 'ddd\' or \'1\'=\'1'; +----+----------+----------------+------+ | id | username | pwd | age | +----+----------+----------------+------+ | 1 | zs | ddd' or '1'='1 | 22 | +----+----------+----------------+------+ 1 row in set (0.00 sec)
验证完毕,一直纠结网络上也没有这么的详细的解释,自己弄明白后,豁然开朗。^_^