Web°²È«¿ª·¢£ºSQL×¢Èë¹¥»÷ºÍÍøÒ³¹ÒÂí
ÉêÃ÷¡£ÎÄÕ½ö´ú±í¸öÈ˹۵㣬ÓëËùÔÚ¹«Ë¾ÎÞÈκÎÁªÏµ¡£
1. ¸ÅÊö
ÍøÒ³¹ÒÂíÕâ¸ö»°ÌâÏëÀ´´ó¼Ò²¢²»Ä°Éú¡£ÎªÊ²Ã´ÓÐÕâô¶àµÄÍøÒ³ÉÏ´æÔÚ×ÅľÂíÈ¥¹¥»÷ÆÕͨÓû§£¿²»¿É·ñÈÏ£¬Ï൱һ²¿·ÖÍøÒ³Ô±¾¾ÍÊǶñÒâµÄ£ºÍøÒ³µÄ×÷Õß¹ÊÒâÔÚÉÏÃæ·ÅÉÏľÂí£¬È»ºóͨ¹ý¸÷ÖÖÊÖ¶ÎÒýÓÕÓû§È¥ä¯ÀÀ¡£µ«ÊǾø´ó¶àÊý±»¹ÒÂíµÄÍøÒ³Ô±¾ÊÇÕý³£µÄÍøÒ³£¬ÀýÈçÆÕͨµÄ½ÌÓýÍøÕ¾£¬¹ºÎïÍøÕ¾µÈµÈ£¬Ö»ÊÇÍøÒ³±»¹¥»÷Õ߶ñÒâÐ޸ĺó²åÈëÁËľÂí´úÂë¡£
ÄÇô£¬¹¥»÷ÕßÊÇÈçºÎÄܹ»¶ñÒâÐÞ¸ÄÒ»¸öÕý³£ÍøÒ³µÄÄØ£¿ »»¾ä»°Ëµ£¬Ò»¸öÍøÕ¾ÊÇÈçºÎ±»“ºÚ”µÄ£¿Ò»¸ö×î³£¼ûµÄ¹¥»÷·½·¨ÊÇSQL×¢È루SQL Injection£©¹¥»÷¡£ÊÂʵÉÏ£¬¾ÍÔÚ½ñÄêµÄÎåÔ·ݣ¬±¬·¢ÁËÒ»´Î´ó¹æÄ£µÄÍøÒ³¹¥»÷»î¶¯¡¾£±¡¿¡£¾Ý¹À¼Æ£¬Ô¼ÓÐ12Íò¸öÍøÒ³±»¶ñÒâÐ޸IJåÈëľÂí´úÂ룬¶ø¹¥»÷Õß²ÉÓõÄÊֶξÍÊÇSQL×¢Èë¹¥»÷¡£
ÄÇô£¬Ê²Ã´ÊÇSQL×¢Èë¹¥»÷£¿¹¥»÷ÕßÊÇÈçºÎÀûÓÃSQL×¢Èë¹¥»÷´Û¸ÄÍøÒ³µÄ£¿Web¿ª·¢ÈËÔ±ÓÖÓ¦¸ÃÈçºÎ·À·¶SQL¹¥»÷£¿Õâ¾ÍÊÇÎÒÃÇÕâƪÎÄÕÂÒª²ûÊöµÄÎÊÌâ¡£
2. SQL×¢Èë¹¥»÷
ÎÒÃÇ´ÓÒ»¸ö¼òµ¥µÄÀý×Ó¡¾2¡¿¿ªÊ¼¡£ÏÂÃæÕâ¶Î´úÂëÓÃÀ´¹¹ÔìSQL²éѯÃüÁî¡£
var strUserAccount;
strUserAccount = Request.form ("UserAccount");
var sqlQueryString = "select * from Orders where UserAccount = '" + strUserAccount + "'";
//Ö´ÐÐSQL Query …
Õâ¶Î´úÂëºÜ¼òµ¥£º¸ø³öUserAccount£¬²éѯÆä¶ÔÓ¦µÄ¶©µ¥ÐÅÏ¢¡£
ÀýÈ磬Èç¹ûÊäÈëUserAccountֵΪ100£¬ÄÇô¹¹ÔìµÄ²éѯÃüÁî¾ÍÊÇ£º
SELECT * from Orders WHERE UserAccount = '100'
´Ó¹¦ÄÜÉÏ˵Õâ¶Î´úÂë·Ç³£ÕýÈ·£¬ÍêȫûÓÐÈκÎÎÊÌâ¡£µ«ÊÇ¿ª·¢ÈËÔ±ÍùÍùºöÊÓ°²È«·½ÃæµÄ¿¼ÂÇ£ºÈç¹ûÓû§£¨¹¥»÷Õߣ©ÌṩµÄÊäÈëÊý¾ÝÊǶñÒâµÄ£¬ ³ÌÐòµÄ±íÏÖÐÐΪÊÇʲô£¿
· Èç¹ûÊÇÒ»¸ö²»ÄÇôÓѺõĹ¥»÷Õߣ¬¿ÉÄÜÊäÈëUserAccountֵΪ100' or 1=1 --£¬¹¹ÔìµÄ²éѯÃüÁî¾ÍÊÇ:
SELECT * from Orders WHERE UserAccount = '100' or 1=1 --
Ö´ÐÐÕâ¸ö²éѯÃüÁ¾Í»á·µ»ØËùÓÐÓû§µÄ¶©µ¥£¬µ¼ÖÂÉÌÒµ»úÃÜÐÅÏ¢µÄй©¡£
· Èç¹ûÊÇÒ»¸ö·Ç³£²»ÓѺõĹ¥»÷Õߣ¬¿ÉÄÜÊäÈëUserAccou
Ïà¹ØÎĵµ£º
±¾À´ÊÇmssql+hibernate+native SQL Ó¦ÓõĺܺÍг
µ«Êǵ½ÁË°Ñmssql»»³Émysql£¬¾Í³öÁË´í(ͬÑùµÄÊý¾Ý½á¹¹ºÍÊý¾Ý)¡£
²éѯ·½·¨ÊÇ£º
String sql =
"select id XXX_ID from t_tab";
List<Map> list = session.createSQLQuery(sql)
.setResultTransformer(Transformers.ALIAS_TO_ENTITY_MAP)
.list();
´í ......
inner join(µÈÖµÁ¬½Ó) Ö»·µ»ØÁ½¸ö±íÖÐÁª½á×Ö¶ÎÏàµÈµÄÐÐ
left join(×óÁª½Ó) ·µ»Ø°üÀ¨×ó±íÖеÄËùÓмǼºÍÓÒ±íÖÐÁª½á×Ö¶ÎÏàµÈµÄ¼Ç¼
right join(ÓÒÁª½Ó) ·µ»Ø°üÀ¨ÓÒ±íÖеÄËùÓмǼºÍ×ó±íÖÐÁª½á×Ö¶ÎÏàµÈµÄ¼Ç¼
INNER JOIN Óï·¨£º
INNER JOIN Á¬½ÓÁ½¸öÊý¾Ý±íµÄÓ÷¨£º
SELECT * from ±í1 INNER JOIN ±í2 ON ±í1.×ֶκÅ=±í2 ......
Ò»¡¢PowerDesignerÉú³ÉsqlÎÊÌâ
Éú³ÉsqlµÄ·½·¨ÊÇ Database -->Generate Database (Ctrl + G ) µ«ÊÇÌáʾ
Generation aborted due to errors detected during the verification of the model.
½â¾ö·½·¨: ½«check model È¥µô¾Í¿ÉÒÔÁË.ÆäÖУ¬one file onÊÇ·ñÐèÒª°´ÕÕ±íÉú³ÉÐí¶à¸ösql£¨Ä¬ÈÏÑ¡ÉÏ£¬¼´²»ÐèÒª£©
& ......
¾µäSQLÓï¾ä´óÈ«
ÏÂÁÐÓï¾ä²¿·ÖÊÇMssqlÓï¾ä£¬²»¿ÉÒÔÔÚaccessÖÐʹÓá£
¡¡¡¡SQL·ÖÀࣺ
¡¡¡¡DDL—Êý¾Ý¶¨ÒåÓïÑÔ(CREATE£¬ALTER£¬DROP£¬DECLARE)
¡¡¡¡DML—Êý¾Ý²Ù×ÝÓïÑÔ(SELECT£¬DELETE£¬UPDATE£¬INSERT)
¡¡¡¡DCL—Êý¾Ý¿ØÖÆÓïÑÔ(GRANT£¬REVOKE£¬COMMIT£¬ROLLBACK)
¡¡¡¡Ê×ÏÈ,¼òÒª½éÉÜ»ù´¡Óï¾ä£º
¡¡¡¡1¡¢Ë ......
