This article mainly discusses a question that comes up frequently in Java interviews: how to detect and prevent SQL injection. The details are as follows.
SQL injection is currently the most commonly used attack method. Its principle is that the database parses special characters that the attacker forcibly passes from the page to the backend, which changes the structure of the SQL statement; this can then be used to escalate privileges, create high-level users, forcibly modify user information, and so on.
From the principle of SQL injection we know that the data used for injection is passed in through the page, so the backend should not trust any data passed from the page, especially integer parameters and parameters containing special characters!
1. Check the variable data type and format
Any variable with a fixed format should be strictly checked against that format before the SQL statement is executed, to make sure the variable is in the format we expect!
2. Filter special symbols
For variables whose format cannot be fixed, the special symbols must be processed or escaped, because they have an ambiguous meaning in SQL.
For example, when we upload pictures, the form attribute appears in two forms:
enctype=/"multipart/form-data/"
enctype="multipart/form-data"
Without the "/", the enctype="multipart/form-data" attribute in the form sets the MIME encoding of the form. By default this encoding is application/x-www-form-urlencoded, which cannot be used for file upload; only with multipart/form-data is the file data passed completely so that the following operations can be performed.
3. Bind variables and use precompiled statements
In fact, binding variables with precompiled statements is the best way to prevent SQL injection, because the semantics of a precompiled SQL statement do not change. In the SQL statement a question mark (?) stands in for each variable, which means that no matter how capable an attacker is, he cannot change the structure of the SQL statement, and SQL injection attacks are prevented at the root.
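As an added example (not code from the original article), here is the strict format check from section 1 and the ? placeholder binding from section 3 in plain JDBC, with the concatenated "before" version alongside for contrast. The users table, its column names and the Connection are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class SqlInjectionDemo {

    // Section 1: a fixed-format variable (a numeric id) is checked strictly
    // before it gets anywhere near a SQL statement.
    private static final Pattern ID_FORMAT = Pattern.compile("^[1-9][0-9]{0,9}$");

    public static int parseUserId(String raw) {
        if (raw == null || !ID_FORMAT.matcher(raw).matches()) {
            throw new IllegalArgumentException("user id must be a positive integer");
        }
        return Integer.parseInt(raw);
    }

    // The "before": string concatenation. The input becomes part of the SQL
    // text, so a quote in the input (even an honest one, as in O'Brien)
    // changes the structure of the statement.
    public static String buildUnsafeQuery(String username) {
        return "SELECT id, name FROM users WHERE name = '" + username + "'";
    }

    // The "after": a precompiled statement with a ? placeholder. The SQL text
    // is fixed when prepareStatement() runs; the value is bound afterwards and
    // is only ever treated as data, never as part of the statement.
    // (Assumed schema: users(id, name).)
    public static boolean userExists(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        System.out.println(parseUserId("42"));          // accepted: 42
        try {
            parseUserId("42abc");                        // constructed bad input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed input: a legitimate name that contains a quote.
        System.out.println(buildUnsafeQuery("O'Brien")); // WHERE name = 'O'Brien'  -> broken statement
    }
}
```

Running main shows the format check rejecting the malformed id and the concatenated query breaking on an ordinary name; the same name passed to userExists through setString is handled as a plain value.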
4. Database information encryption security
In case database information is leaked, we should encrypt the database passwords and other sensitive information (MD5, etc.), so that if the information is leaked the losses can be kept within a certain range.
1. Do not enable detailed web server error display in the production environment.
2. Never trust variable input from the user side. Variables with fixed formats must be strictly checked; variables without fixed formats need the necessary filtering, and special characters such as quotes must be escaped.
3. Use precompiled SQL statements with bound variables.
4. Manage database account permissions properly.
5. Strictly encrypt and protect users' confidential information.
A good program must pay attention to security; otherwise it is only good for practice.
That is all the content of this article analyzing the Java interview question on detecting and preventing SQL injection. I hope it is helpful to everyone. Interested readers can continue to refer to other related topics on this site. If there are any shortcomings, please leave a message to point them out. Thank you for your support of this site!