I have been using JSP for a while. I have this select statement:
query = "SELECT * FROM USER_PASS WHERE USERNAME = '" + name + "'";
which is vulnerable to SQL injection. I searched a few articles and found that I can use prepared statements to avoid SQL injection. I find it more confusing. My opinion is: if I can find inputs such as ;, ' or -- in the input given by the user, then I can show them an alert message saying "you can't use these symbols here" and I will not process the data. This could be my JavaScript code:
function validateSQL()
{
    var x = document.forms["myForm"]["username"].value;
    // indexOf() returns -1 when the character is absent, so test against -1
    // (testing != 0 would reject every value except those that start with a quote)
    var pos = x.indexOf("'");
    if (pos != -1)
    {
        alert("Trying to hack me?");
        return false;
    }
    return true;
}
Which is better to use? Does this have any demerits?
asked Feb 23, 2013 at 6:15 by Kunu Munu
Comments:
- Who says that the attacker is going to use your frontend? Automated SQL injection tools just send HTTP requests. – Blender, Feb 23, 2013 at 6:16
- @Blender: If I write a PreparedStatement instead of this JavaScript code, then will it prevent injections? – Kunu Munu, Feb 23, 2013 at 6:18
- I would +10 Blender's comment if I could: do not trust the client. Prepared statements on the server will prevent all SQL injection attacks (but not necessarily other surfaces). Note: preventing bad information is outside the scope of SQL injection attacks. – user166390, Feb 23, 2013 at 6:18
- @Blender: So shall I delete the question? I got the answer I was looking for from your comment. – Kunu Munu, Feb 23, 2013 at 6:20
1 Answer
You absolutely cannot depend on JavaScript on the client to protect you; malicious users can easily circumvent any client-side checks; you can simply disable JavaScript at any time in your browser.
Just because something is confusing doesn't mean that you shouldn't do it; parameterized queries are not confusing, so you should practice and learn until you understand. ; , -- are not even close to the only symbols that could cause SQL injection.
I'm not familiar with JSP, but the method for preparing queries seems simple enough:
// needs java.sql.Connection, java.sql.PreparedStatement and java.sql.ResultSet
String myquery = "SELECT * FROM USER_PASS WHERE USERNAME = ?";
PreparedStatement mystatement = connection.prepareStatement(myquery);
mystatement.setString(1, name); // bound as data, never parsed as part of the SQL text
ResultSet myresults = mystatement.executeQuery(); // execute() returns a boolean; a SELECT needs executeQuery()
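The following is an added example, not code from the question or the answer; it uses Python's sqlite3 module in place of JSP/JDBC (sqlite3's ? placeholder is the same positional parameter JDBC uses) to show the point the comments and the answer make. The table layout, the extra integer ID column, the sample users and the two payloads are all constructed for the example. It runs the asker's blacklist alongside the concatenated query and the parameterized one, and then goes one step beyond the page's string-context query with a hypothetical numeric-context query, to show why a blacklist of a few symbols is not sufficient even when it is not skipped.

```python
import sqlite3

# Constructed sample data, not from the original post: a USER_PASS table with
# an added integer ID column so that a numeric-context query can be shown too.
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER_PASS (ID INTEGER, USERNAME TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO USER_PASS VALUES (?, ?, ?)", USERS)
    return conn


def client_side_check(value):
    """The asker's JavaScript blacklist, ported to Python for comparison.

    Returns True when the value would pass the form check. The server can never
    rely on this result: an attacker posts the HTTP request directly and the
    check is simply skipped. It is also incomplete (see the numeric case below).
    """
    return not any(bad in value for bad in ("'", ";", "--"))


def lookup_concat(conn, name):
    """The vulnerable pattern from the question: the value becomes SQL text."""
    query = "SELECT * FROM USER_PASS WHERE USERNAME = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, name):
    """The answer's fix: a ? placeholder; the driver binds the value as data."""
    query = "SELECT * FROM USER_PASS WHERE USERNAME = ?"
    return conn.execute(query, (name,)).fetchall()


def lookup_by_id_concat(conn, user_id):
    """Hypothetical numeric-context query (not in the original post):
    no quote is needed to inject, so the asker's blacklist sees nothing."""
    query = "SELECT * FROM USER_PASS WHERE ID = " + user_id
    return conn.execute(query).fetchall()


def lookup_by_id_prepared(conn, user_id):
    """Same query, parameterized: the text is compared as a value, not as SQL."""
    query = "SELECT * FROM USER_PASS WHERE ID = ?"
    return conn.execute(query, (user_id,)).fetchall()


def demo():
    """Run both payloads through both query styles and report the row counts."""
    conn = make_db()
    string_payload = "x' OR '1'='1"   # constructed: closes the literal, adds a true condition
    numeric_payload = "0 OR 1=1"      # constructed: contains no ' ; or --, passes the blacklist
    return {
        # The form would alert on this one, but a direct request delivers it anyway
        "string_payload_passes_js": client_side_check(string_payload),        # False
        "string_concat_rows": len(lookup_concat(conn, string_payload)),        # 2: every user
        "string_prepared_rows": len(lookup_prepared(conn, string_payload)),    # 0
        "legit_prepared_rows": len(lookup_prepared(conn, "alice")),            # 1
        # This one sails past the blacklist and still dumps the table
        "numeric_payload_passes_js": client_side_check(numeric_payload),       # True
        "numeric_concat_rows": len(lookup_by_id_concat(conn, numeric_payload)),        # 2
        "numeric_prepared_rows": len(lookup_by_id_prepared(conn, numeric_payload)),    # 0
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the row counts: the concatenated queries return every user for both payloads, while the parameterized ones return nothing for the payloads and exactly one row for the legitimate name, whatever the client-side check said.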
Tags: jsp | Preventing SQL injection using JavaScript/jQuery | Stack Overflow