如何注入一个SQL命令来删除java中的表

时间:2022-10-15 15:25:06

My java code for SQL Query is

我的SQL Query的java代码是

String sqlSt="INSERT INTO users(id,name,place) values ("+null+",'"+request.getParameter("name")+"','"+request.getParameter("place")+"');";

I have tried out name= a'); DROP TABLE users; -- as well as place =a'); DROP TABLE users; --

我试过了name = a'); DROP TABLE用户; - 以及place = a'); DROP TABLE用户; -

but it returns an Ecxeption as below

但它返回Ecxeption如下

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP TABLE users; --','chennai')' at line 1

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:SQL语法中有错误;检查与您的MySQL服务器版本对应的手册,以便在'DROP TABLE用户附近使用正确的语法; - ','chennai')'在第1行

Note: when i tried the same in mysql command line. It worked!!!! i don't know what happens in jdbc

注意:当我在mysql命令行中尝试相同时。有效!!!!我不知道jdbc会发生什么

3 个解决方案

#1


2  

The real problem is actually JDBC, it only allows one sql if you dont tell it otherwise. Look at this question for more info:

真正的问题实际上是JDBC,如果你不告诉它,它只允许一个sql。请查看此问题以获取更多信息:

Multiple queries executed in java in single statement

在单个语句中用java执行多个查询

But also i would try this instead, name =

但我也会尝试这个,名字=

a',''); DROP TABLE users; --

Since you specificed 3 columns in your insert:

由于您在插入中指定了3列:

(id,name,place)

You need to provide 3 values for the sql to be valid, not just 2.

您需要为sql提供3个值才有效,而不仅仅是2。

Also you can sent the text null, sending a java null value is not necessary and i am not even sure how that works. I think this might be better:

你也可以发送文本null,发送一个java null值是没有必要的,我甚至不知道这是如何工作的。我认为这可能会更好:

String sqlSt="INSERT INTO users(id,name,place) values (null,'"+request.getParameter("name")+"','"+request.getParameter("place")+"');";

#2


0  

Instead of null, use an empty string ''

而不是null,使用空字符串''

String sqlSt = "INSERT INTO users(id, name, place) values ('', '" + request.getParameter("name") + "',  '" + request.getParameter("place") + "');";

It's better to use prepared statements to avoid confusion.

最好使用准备好的语句来避免混淆。

String sqlSt = "INSERT INTO users(id, name, place) values ('', ?, ?)";
PreparedStatement ps = null;
try {
    ps = connection.prepareStatement(query);
    ps.setString(1, request.getParameter("name"));
    ps.setString(2, request.getParameter("place"));
    ps.executeUpdate();
} catch (Exception e) {
    e.printStackTrace();
} finally {
    ps.close();
}

#3


0  

The real problem is with your Query. It is better to use a PreparedStatement for executing a query. Your Code should be :

真正的问题在于您的查询。最好使用PreparedStatement来执行查询。您的准则应该是:

String sqlSt="INSERT INTO users(id,name,place) values (?,?,?)";
PreparedStatement pstmt = null;
try{
pstmt = dbConnection.prepareStatement(sqlSt);
pstmt.setString(1,null);
pstmt.setString(2,request.getParameter("name"));
pstmt.setString(3,request.getParameter("place"));
pstmt.executeUpdate();
}catch (Exception e) {
    e.printStackTrace();
} finally {
    pstmt.close();
}

If you don't want to use a PreparedStatement, just remove last ; from your query. So your query will be :

如果您不想使用PreparedStatement,只需删除last;来自您的查询。所以你的查询将是:

String sqlSt="INSERT INTO users(id,name,place) values ("+null+",'"+request.getParameter("name")+"','"+request.getParameter("place")+"')";

#1


2  

The real problem is actually JDBC, it only allows one sql if you dont tell it otherwise. Look at this question for more info:

真正的问题实际上是JDBC,如果你不告诉它,它只允许一个sql。请查看此问题以获取更多信息:

Multiple queries executed in java in single statement

在单个语句中用java执行多个查询

But also i would try this instead, name =

但我也会尝试这个,名字=

a',''); DROP TABLE users; --

Since you specificed 3 columns in your insert:

由于您在插入中指定了3列:

(id,name,place)

You need to provide 3 values for the sql to be valid, not just 2.

您需要为sql提供3个值才有效,而不仅仅是2。

Also you can sent the text null, sending a java null value is not necessary and i am not even sure how that works. I think this might be better:

你也可以发送文本null,发送一个java null值是没有必要的,我甚至不知道这是如何工作的。我认为这可能会更好:

String sqlSt="INSERT INTO users(id,name,place) values (null,'"+request.getParameter("name")+"','"+request.getParameter("place")+"');";

#2


0  

Instead of null, use an empty string ''

而不是null,使用空字符串''

String sqlSt = "INSERT INTO users(id, name, place) values ('', '" + request.getParameter("name") + "',  '" + request.getParameter("place") + "');";

It's better to use prepared statements to avoid confusion.

最好使用准备好的语句来避免混淆。

String sqlSt = "INSERT INTO users(id, name, place) values ('', ?, ?)";
PreparedStatement ps = null;
try {
    ps = connection.prepareStatement(query);
    ps.setString(1, request.getParameter("name"));
    ps.setString(2, request.getParameter("place"));
    ps.executeUpdate();
} catch (Exception e) {
    e.printStackTrace();
} finally {
    ps.close();
}

#3


0  

The real problem is with your Query. It is better to use a PreparedStatement for executing a query. Your Code should be :

真正的问题在于您的查询。最好使用PreparedStatement来执行查询。您的准则应该是:

String sqlSt="INSERT INTO users(id,name,place) values (?,?,?)";
PreparedStatement pstmt = null;
try{
pstmt = dbConnection.prepareStatement(sqlSt);
pstmt.setString(1,null);
pstmt.setString(2,request.getParameter("name"));
pstmt.setString(3,request.getParameter("place"));
pstmt.executeUpdate();
}catch (Exception e) {
    e.printStackTrace();
} finally {
    pstmt.close();
}

If you don't want to use a PreparedStatement, just remove last ; from your query. So your query will be :

如果您不想使用PreparedStatement,只需删除last;来自您的查询。所以你的查询将是:

String sqlSt="INSERT INTO users(id,name,place) values ("+null+",'"+request.getParameter("name")+"','"+request.getParameter("place")+"')";