Preventing SQL Injection in Java
Status
Released 14 Jan 2008
Overview
As the name implies, SQL injection vulnerabilities allow an attacker to inject (or execute) SQL commands within an application. It is one of the most widespread and dangerous application vulnerabilities. The CLASP project provides a good overview of SQL injection.
Example of SQL injection
The following Java servlet code, used to perform a login function, illustrates the vulnerability by accepting user input without performing adequate input validation or escaping meta-characters:
conn = pool.getConnection();
String sql = "select * from user where username='" + username + "' and password='" + password + "'";
stmt = conn.createStatement();
rs = stmt.executeQuery(sql);
if (rs.next()) {
    loggedIn = true;
    out.println("Successfully logged in");
} else {
    out.println("Username and/or password not recognized");
}
It is possible for attackers to provide a username containing SQL meta-characters that subvert the intended function of the SQL statement. For example, by providing a username of:
admin' OR '1'='1
and a blank password, the generated SQL statement becomes:
select * from user where username='admin' OR '1'='1' and password=' '
This allows an attacker to log in to the site without supplying a password, since the 'OR' expression is always true. Using the same technique, attackers can inject other SQL commands that could extract, modify or delete data within the database.
Attack techniques
For more information on SQL injection attacks see:
- http://www.hdm-stuttgart.de/~ms096/SQLInjectionWhitePaper.pdf
- http://www.nextgenss.com/papers/advanced_sql_injection.pdf
- http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
Defense Strategy
To prevent SQL injection:
- All queries should be parametrized.
- All dynamic data should be explicitly bound to parametrized queries.
- String concatenation should never be used to create dynamic SQL.
For more details, see the OWASP SQL Injection Prevention Cheat Sheet.
Parameterized Queries
All data access techniques provide some means for escaping SQL meta-characters automatically. The following sections detail how to perform input validation and meta-character escaping using popular data access technologies.
Prepared Statements
Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver.
Example: ps.1
String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();
Although Prepared Statements help in defending against SQL Injection, SQL Injection is still possible through inappropriate usage of Prepared Statements. The example below shows such a scenario, where the input variable is concatenated directly into the query text handed to the Prepared Statement, leaving the way open for SQL Injection attacks.
Example: ps.2
String strUserName = request.getParameter("Txt_UserName");
// Vulnerable: the request value is concatenated into the SQL text, so the
// "prepared" statement carries no bind parameter at all.
PreparedStatement prepStmt = con.prepareStatement(
        "SELECT * FROM user WHERE userId = '" + strUserName + "'");
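The following is an added example, not code from the original page, showing the login function from the first example and the ps.2 query rewritten so that every user-supplied value is bound as a parameter. It assumes a table named user with columns username and password, as in the original example, and a javax.sql.DataSource supplied by the application (both hypothetical); the class and method names are likewise assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

// Added example (not from the original page). Assumes a "user" table with
// columns username and password, and an application-managed DataSource.
public final class LoginDao {

    // The SQL text is a constant; the two "?" markers are the only places
    // where request data ever enters the statement.
    private static final String LOGIN_SQL =
        "SELECT username FROM user WHERE username = ? AND password = ?";

    private static final String BY_ID_SQL =
        "SELECT * FROM user WHERE userId = ?";

    private final DataSource pool;

    public LoginDao(DataSource pool) {
        this.pool = pool;
    }

    /** Returns true only if a row matches both bound values. */
    public boolean authenticate(String username, String password) throws SQLException {
        try (Connection conn = pool.getConnection();
             PreparedStatement ps = conn.prepareStatement(LOGIN_SQL)) {
            // Both inputs are sent to the driver as data, not as SQL text, so a
            // username such as  admin' OR '1'='1  is compared literally against
            // the username column and cannot change the statement's structure.
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /** Corrected form of example ps.2: the request value is bound, not concatenated. */
    public boolean userExists(String strUserName) throws SQLException {
        try (Connection conn = pool.getConnection();
             PreparedStatement ps = conn.prepareStatement(BY_ID_SQL)) {
            ps.setString(1, strUserName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

Note that the fix is not "use PreparedStatement" by itself; ps.2 already used one. What matters is that the query string passed to prepareStatement is a constant containing placeholders and that the values arrive through setString (or the other setXxx methods).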
Stored Procedures
TODO
Hibernate
According to this forum thread, Hibernate uses prepared statements, so it is protected from direct SQL injection, but it could still be vulnerable to injection of HQL statements if the HQL text itself is built from user input.
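As an added example (not taken from the page or from the Hibernate project), the repository below shows the HQL injection the paragraph refers to beside a safe version that binds a named parameter. It assumes Hibernate 5.2 or later (org.hibernate.query.Query), a mapped entity class User with a String property username, and an open Session; all of these, and the class and method names, are assumptions for the example.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Added example (not from the original page or from Hibernate). The entity
// below is a minimal assumed mapping so the HQL has something to query.
@Entity
class User {
    @Id
    Long id;
    String username;
}

public final class UserRepository {

    private final Session session;

    public UserRepository(Session session) {
        this.session = session;
    }

    // VULNERABLE: the HQL text is built from user input. Hibernate still runs
    // the final SQL through a JDBC PreparedStatement, but the injection has
    // already happened one layer up, inside the HQL string.
    public List<User> findByNameUnsafe(String username) {
        String hql = "from User u where u.username = '" + username + "'";
        return session.createQuery(hql, User.class).getResultList();
    }

    // SAFE: the HQL is a constant and the value is bound as a named parameter,
    // which Hibernate passes down to JDBC as a bind variable.
    public List<User> findByName(String username) {
        Query<User> q = session.createQuery(
            "from User u where u.username = :name", User.class);
        q.setParameter("name", username);
        return q.getResultList();
    }
}
```

The same rule applies to Hibernate's native SQL queries (createNativeQuery) and to the Criteria API: the query text must be fixed at compile time, and anything from the request goes through setParameter.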
Variable Binding
It is critical to use bind variables, as shown in example ps.1 above. Using PreparedStatement with bind variables defends against SQL Injection and also improves performance, because the database can reuse the parsed statement across executions.
Dynamic Queries via String Concatenation
The important thing to remember is never to construct SQL statements by string concatenation of unchecked input values. Creating dynamic queries via the java.sql.Statement class leads to SQL Injection.
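Some queries genuinely have to vary in shape at runtime (for instance an optional set of search filters), which is the usual excuse for falling back to string concatenation. The added example below, which is not code from the original page, goes a step beyond the text and shows that the structure can still be assembled safely: column names are taken only from a fixed allow-list held in the code, and every value becomes a "?" placeholder that is bound afterwards. It assumes a table user with columns username, email and status; the class, method and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example (not from the original page). Assumes a "user" table with
// columns username, email and status.
public final class UserSearch {

    // Identifiers cannot be bound as JDBC parameters, so any column that may
    // appear in the WHERE clause must come from this constant allow-list.
    private static final Set<String> FILTERABLE = Set.of("username", "email", "status");

    /** Query text with one "?" per supplied filter, plus the values to bind. */
    static final class BuiltQuery {
        final String sql;
        final List<String> params;
        BuiltQuery(String sql, List<String> params) {
            this.sql = sql;
            this.params = params;
        }
    }

    /** Builds the dynamic WHERE clause without ever placing a value in the SQL text. */
    static BuiltQuery build(Map<String, String> filters) {
        StringBuilder sql = new StringBuilder("SELECT username, email FROM user");
        List<String> params = new ArrayList<>();
        String sep = " WHERE ";
        for (Map.Entry<String, String> f : filters.entrySet()) {
            if (!FILTERABLE.contains(f.getKey())) {
                throw new IllegalArgumentException("unknown filter column: " + f.getKey());
            }
            // The column name is one of our own constants; the value becomes "?".
            sql.append(sep).append(f.getKey()).append(" = ?");
            params.add(f.getValue());
            sep = " AND ";
        }
        return new BuiltQuery(sql.toString(), params);
    }

    public static List<String> search(Connection conn, Map<String, String> filters)
            throws SQLException {
        BuiltQuery q = build(filters);
        try (PreparedStatement ps = conn.prepareStatement(q.sql)) {
            for (int i = 0; i < q.params.size(); i++) {
                ps.setString(i + 1, q.params.get(i)); // JDBC parameters are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                List<String> names = new ArrayList<>();
                while (rs.next()) {
                    names.add(rs.getString("username"));
                }
                return names;
            }
        }
    }
}
```

With filters {status=active, username=admin' OR '1'='1} the builder produces "SELECT username, email FROM user WHERE status = ? AND username = ?" and two bound values; the second value is compared literally and matches no row. A filter key outside the allow-list is rejected before any SQL is built, which is the check that string-concatenated dynamic queries usually lack.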