如果我创建了一个基于字符串串联但具有一些预定义值的数据库,那么我的数据库是否容易受到SQL注入的影响?
例如:在下面的例子中,我提供了一个预定义的下拉菜单,用户可以从中选择值,这些值将被提取到字符串中,然后所有字符串将被连接到表名(在这种情况下,它是课程。这样做是为了在运行时根据要求制作表。
我正在创建一个简单的java项目,但无论语言如何,在这种情况下SQL注入是可能的吗?
对不起,如果这是一个蹩脚的问题,但我想知道未来案件的情况。
String department = jComboBox1.getSelectedItem().toString();
String year = jComboBox2.getSelectedItem().toString();
String batch = jComboBox3.getSelectedItem().toString();
String subject = jTextField1.getText();
String assigned = jComboBox4.getSelectedItem().toString();
String course = department+"_"+year+"_"+batch+"_"+subject;
Class.forName("com.mysql.cj.jdbc.Driver");
con = DriverManager.getConnection("pathToDB");
pst = con.prepareStatement("insert into courses(course,department,subject,teacher_assigned) values (?,?,?,?)");
pst.setString(1,course);
pst.setString(2,department);
pst.setString(3,subject);
pst.setString(4,assigned);
int result = pst.executeUpdate();
if(result==1){
JOptionPane.showMessageDialog(null,"Courses has been added, please ask teacher to assign themselves.");
}
else{
JOptionPane.showMessageDialog(null,"Some issue with connection");
}
jTextField1.setText("");
String strQuery="CREATE TABLE $table_name"+ "("+ " id int primary key AUTO_INCREMENT, attenndancedate Date, rollno int);";
String query =strQuery.replace("$table_name",course);
pst1 = con.prepareStatement(query);
boolean resultcreate = pst1.execute();
if(resultcreate){
JOptionPane.showMessageDialog(null,"Create table worked, hooray!!!");
}
else{
JOptionPane.showMessageDialog(null,"Some issue with connection for create table");
}
您的代码容易出现SQL注入。如果用户在subject
:中输入类似的内容
sometable (id int primary key); --
然后,您的表定义id int primary key AUTO_INCREMENT, attenndancedate Date, rollno int
将被(id int primary key)
覆盖。