原理
我要查询用户名为one的用户
// username = 'one'
String username = request.getParameter("username");
String sql = "select * from user where username=' "+username + " ' ";
//select * from user where username = 'one'
假如传过来的是1' or 1 != '1
// username = " 1' or 1 != '1";
String username = request.getParameter("username");
String sql = "select * from user where username=' "+username + " ' ";
//select * from user where username = '1' or 1 !='1';
// 这样就把user的表所有用户都读取出来了
防御
- 不要使用拼接字符串,使用sql预编译语句
- 对 ' " 进行转义
\" \' - 检查数据类型
网友评论