Ò׽ؽØÍ¼Èí¼þ¡¢µ¥Îļþ¡¢Ãâ°²×°¡¢´¿ÂÌÉ«¡¢½ö160KB

JSP·ÀSQL×¢Èë¹¥»÷

µÚÒ»ÖÖ²ÉÓÃÔ¤±àÒëÓï¾ä¼¯£¬ËüÄÚÖÃÁË´¦ÀíSQL×¢ÈëµÄÄÜÁ¦£¬Ö»ÒªÊ¹ÓÃËüµÄsetString·½·¨´«Öµ¼´¿É£º
String sql= "select * from users where username=? and password=?;
PreparedStatement preState = conn.prepareStatement(sql);
preState.setString(1, userName);
preState.setString(2, password);
ResultSet rs = preState.executeQuery();
...
µÚ¶þÖÖÊDzÉÓÃÕýÔò±í´ïʽ½«°üº¬ÓÐ µ¥ÒýºÅ(')£¬·ÖºÅ(;) ºÍ ×¢ÊÍ·ûºÅ(--)µÄÓï¾ä¸øÌæ»»µôÀ´·ÀÖ¹SQL×¢Èë
Àý1
public static String TransactSQLInjection(String str)
{
return str.replaceAll(".*([';]+|(--)+).*", " ");
}
userName=TransactSQLInjection(userName);
password=TransactSQLInjection(password);
String sql="select * from users where username='"+userName+"' and password='"+password+"' "
Statement sta = conn.createStatement();
ResultSet rs = sta.executeQuery(sql);
...
»òÕßÀý2
ÒªÒýÈëµÄ°ü£º
import java.util.regex.*;
ÕýÔò±í´ïʽ£º
private String CHECKSQL = “^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$”;
ÅжÏÊÇ·ñÆ¥Å䣺
Pattern.matches(CHECKSQL,targerStr);
ÏÂÃæÊǾßÌåµÄÕýÔò±í´ïʽ£º
¼ì²âSQL meta-charactersµÄÕýÔò±í´ïʽ £º
/(\%27)|(\’)|(\-\-)|(\%23)|(#)/ix
ÐÞÕý¼ì²âSQL meta-charactersµÄÕýÔò±í´ïʽ£º/((\%3D)|(=))[^\n]*((\%27)|(\’)|(\-\-)|(\%3B)|(:))/i
µäÐ굀 SQL ×¢Èë¹¥»÷µÄÕýÔò±í´ïʽ£º/\w*((\%27)|(\’))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
¼ì²âSQL×¢È룬UNION²éѯ¹Ø¼ü×ÖµÄÕýÔò±í´ïʽ £º/((\%27)|(\’))union/ix(\%27)|(\’)
¼ì²âMS SQL Server SQL×¢Èë¹¥»÷µÄÕýÔò±í´ïʽ£º
/exec(\s|\+)+(s|x)p\w+/ix
µÈµÈ…..
µÚÈýÖÖÊÇ×Ö·û´®¹ýÂË
Àý1
sql_inj.javaΪһ¸ö¸Ä½øµÄ·À×¢Èëbean£¬±àÒëºó½«classÎļþ·ÅÔÚtomcatµÄclassesϵÄsql_injĿ¼ÖС£
sql_inj.java´úÂ룺
====================================================================
package sql_inj;
import java.net.*;
import java.io.*;
import java.sql.*;
import java.text.*;
import java.lang.String;
public class sql_inj{
public static boolean sql_inj(String str)
{
    String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|t


Ïà¹ØÎĵµ£º

AccessºÍSQL2000ÖÐÓï¾äµÄÇø±ð

1 £¬¶ÔÓÚÈÕÆÚ×Ö¶Î×Ö¶Î
access±íʾΪ£º#1981-28-12#
SQLSERVER2000±íʾΪ£º''1981-02-12''
2,SQLÓï¾äÇø±ð£¬select ,update ÔÚ¶Ôµ¥±í²Ù×÷ʱ¶¼²î²»¶à£¬
µ«¶à±í²Ù×÷ʱupdateÓï¾äµÄÇø±ðACCESSÓëSQLSERVERÖеÄUpdateÓï¾ä¶Ô±È:
SQLSERVERÖиüжà±íµÄUpdateÓï¾ä:
Update Tab1
SET a.Name = b.Name
from Tab1 a,Tab2 b
Whe ......

ʹÓÃSQLServerÄ£°åÀ´Ð´¹æ·¶µÄSQLÓï¾ä

Èç¹ûÄã¾­³£Óöµ½ÏÂÃæµÄÎÊÌ⣬Äã¾ÍÒª¿¼ÂÇʹÓÃSQL ServerµÄÄ£°åÀ´Ð´¹æ·¶µÄSQLÓï¾äÁË£º
SQL³õѧÕß¡£
¾­³£Íü¼Ç³£ÓõÄDML»òÊÇDDL SQL Óï¾ä¡£
ÔÚ¶àÈË¿ª·¢Î¬»¤µÄSQLÖУ¬Ã¿¸öÈ˶¼ÓÐ×Ô¼ºµÄSQLϰ¹ß£¬Ã»ÓÐÒ»Ì×ͳһµÄ¹æ·¶¡£
ÔÚSQL Server Management StudioÖУ¬ÒѾ­¸ø´ó¼ÒÌṩÁ˺ܶೣÓõÄÏÖ³ÉSQL¹æ·¶Ä£°å¡£
SQL Server Management ......

SQL²Ù×÷È«¼¯

SQL²Ù×÷È«¼¯
ÏÂÁÐÓï¾ä²¿·ÖÊÇMssqlÓï¾ä£¬²»¿ÉÒÔÔÚaccessÖÐʹÓá£
SQL·ÖÀࣺ
DDL—Êý¾Ý¶¨ÒåÓïÑÔ(CREATE£¬ALTER£¬DROP£¬DECLARE)
DML—Êý¾Ý²Ù×ÝÓïÑÔ(SELECT£¬DELETE£¬UPDATE£¬INSERT)
DCL—Êý¾Ý¿ØÖÆÓïÑÔ(GRANT£¬REVOKE£¬COMMIT£¬ROLLBACK)
Ê×ÏÈ,¼òÒª½éÉÜ»ù´¡Óï¾ä£º
1¡¢ËµÃ÷£º´´½¨Êý¾Ý¿â
CREATE ......

(ת)SQL ²éÕÒÖØ¸´¼Ç¼

±ístuinfo£¬ÓÐÈý¸ö×Ö¶Îrecno(×ÔÔö),stuid,stuname
½¨¸Ã±íµÄSqlÓï¾äÈçÏ£º
CREATE TABLE [StuInfo] (
[recno] [int] IDENTITY (1, 1) NOT NULL ,
[stuid] [varchar] (10) COLLATE Chinese_PRC_CI_AS NOT NULL ,
[stuname] [varchar] (10) COLLATE Chinese_PRC_CI_AS NOT NULL
) ON [PRIMARY]
GO
1.--²éijһÁ ......

JSPÎļþÏÂÔØ¡¢ÉÏ´«

JSPÎļþÏÂÔØ-----------------------------------------------------------------
<%@ page contentType="text/html; charset=GBK"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ page import="java.io.File"%>
<%@page import="java.io.InputStream"%>
<%@page ......
© 2009 ej38.com All Rights Reserved. ¹ØÓÚE½¡ÍøÁªÏµÎÒÃÇ | Õ¾µãµØÍ¼ | ¸ÓICP±¸09004571ºÅ