JSP: preventing SQL injection attacks
The first approach uses precompiled statements (PreparedStatement), which have built-in handling of SQL injection; you only need to pass the values through its setString method:
String sql = "select * from users where username=? and password=?";
PreparedStatement preState = conn.prepareStatement(sql);
preState.setString(1, userName);
preState.setString(2, password);
ResultSet rs = preState.executeQuery();
...
The second approach uses a regular expression to replace any statement containing a single quote ('), a semicolon (;) or a comment marker (--), in order to prevent SQL injection.
Example 1
public static String TransactSQLInjection(String str)
{
return str.replaceAll(".*([';]+|(--)+).*", " ");
}
userName=TransactSQLInjection(userName);
password=TransactSQLInjection(password);
String sql = "select * from users where username='" + userName + "' and password='" + password + "' ";
Statement sta = conn.createStatement();
ResultSet rs = sta.executeQuery(sql);
...
Or, Example 2
Package to import:
import java.util.regex.*;
Regular expression:
private String CHECKSQL = "^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$";
Check whether the input matches:
Pattern.matches(CHECKSQL, targetStr);
Below are the specific regular expressions:
Regex to detect SQL meta-characters:
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
Revised regex to detect SQL meta-characters: /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(:))/i
Regex for a typical SQL injection attack: /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
Regex to detect SQL injection using the UNION query keyword: /((\%27)|(\'))union/ix (\%27)|(\')
Regex to detect MS SQL Server SQL injection attacks:
/exec(\s|\+)+(s|x)p\w+/ix
and so on.
The third approach is string filtering.
Example 1
sql_inj.java is an improved anti-injection bean; after compiling it, place the class file in the sql_inj directory under tomcat's classes directory.
sql_inj.java code:
====================================================================
package sql_inj;
import java.net.*;
import java.io.*;
import java.sql.*;
import java.text.*;
import java.lang.String;
public class sql_inj{
public static boolean sql_inj(String str)
{
String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|t
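As an added example (not code from the original page), this Java harness runs the three checks described above over a few constructed benign inputs and shows how the replaceAll filter, the CHECKSQL pattern and a blacklist built from the visible tokens of sql_inj treat them; userExists shows the same lookup done with a bound parameter instead. The method names, the shortened blacklist and the sample inputs are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class FilterDemo {
    // Approach 2, example 1: because ".*" sits on both sides, the WHOLE input is
    // replaced by a single space as soon as one quote, semicolon or "--" appears.
    static String transactSQLInjection(String str) {
        return str.replaceAll(".*([';]+|(--)+).*", " ");
    }

    // Approach 2, example 2: Pattern.matches() must consume the entire string,
    // so ordinary text such as "rock and roll" is reported as a match.
    static final String CHECKSQL = "^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$";
    static boolean matchesCheckSql(String s) {
        return Pattern.matches(CHECKSQL, s);
    }

    // Approach 3: substring blacklist. The page's list is truncated, so this
    // constructed list uses only the tokens that are visible on the page.
    static final String[] BLACKLIST =
        "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master".split("\\|");
    static boolean blacklistHit(String s) {
        for (String tok : BLACKLIST) {
            if (s.indexOf(tok) >= 0) return true;   // "Sandra" hits "and", "midnight" hits "mid"
        }
        return false;
    }

    // Approach 1: the value is sent as a bound parameter, so "O'Brien" is stored
    // and compared as data; nothing is stripped or rewritten. Needs a live Connection.
    static boolean userExists(Connection conn, String user, String pass) throws SQLException {
        String sql = "select 1 from users where username=? and password=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed benign inputs: only "alice" survives all three filters untouched.
        String[] benign = {"alice", "O'Brien", "rock and roll", "Sandra", "discount", "midnight"};
        for (String in : benign) {
            System.out.printf("%-14s replaceAll->[%s]  CHECKSQL=%b  blacklist=%b%n",
                in, transactSQLInjection(in), matchesCheckSql(in), blacklistHit(in));
        }
    }
}
```

Running main prints, for example, `O'Brien replaceAll->[ ]` and `Sandra blacklist=true`, which is the loss of legitimate data that the bound-parameter version avoids.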