{"id":105,"date":"2026-01-14T16:06:23","date_gmt":"2026-01-14T08:06:23","guid":{"rendered":"https:\/\/blog.miren.baby\/?p=105"},"modified":"2026-01-14T16:06:24","modified_gmt":"2026-01-14T08:06:24","slug":"java%e7%a8%8b%e5%ba%8f%e4%b8%8b%e7%9a%84sql%e6%b3%a8%e5%85%a5","status":"publish","type":"post","link":"https:\/\/blog.miren.baby\/index.php\/2026\/01\/14\/java%e7%a8%8b%e5%ba%8f%e4%b8%8b%e7%9a%84sql%e6%b3%a8%e5%85%a5\/","title":{"rendered":"JAVA\u7a0b\u5e8f\u4e0b\u7684SQL\u6ce8\u5165"},"content":{"rendered":"\n
\"\"<\/div><\/figure>\n\n\n\n

JDBC<\/h2>\n\n\n\n
\n

\u53c2\u8003\u6587\u7ae0\uff1a<\/p>\n\n\n\n

\nhttps:\/\/www.freebuf.com\/articles\/web\/431498.html\n<\/div><\/figure>\n\n\n\n

\u53c2\u8003\u9776\u573a\uff1aJavaSecLab<\/p>\n<\/blockquote>\n\n\n\n

\u91c7\u7528Statement\u65b9\u6cd5\u62fc\u63a5SQL\u8bed\u53e5<\/font><\/h3>\n\n\n\n
\/\/ \u539f\u751fsql\u8bed\u53e5\u52a8\u6001\u62fc\u63a5 \u53c2\u6570\u672a\u8fdb\u884c\u4efb\u4f55\u5904\u7406\npublic R vul1(String type,String id,String username,String password) {\n    \/\/\u6ce8\u518c\u6570\u636e\u5e93\u9a71\u52a8\u7c7b\n    Class.forName(\"com.mysql.cj.jdbc.Driver\");\n\n    \/\/\u8c03\u7528DriverManager.getConnection()\u65b9\u6cd5\u521b\u5efaConnection\u8fde\u63a5\u5230\u6570\u636e\u5e93\n    Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);\n\n    \/\/\u8c03\u7528Connection\u7684createStatement()\u6216prepareStatement()\u65b9\u6cd5 \u521b\u5efaStatement\u5bf9\u8c61\n    Statement stmt = conn.createStatement();\n    switch (type) {\n        case \"add\":\n            \/\/\u8fd9\u91cc\u6ca1\u6709\u6807\u8bc6id id\u81ea\u589e\u957f\n            sql = \"INSERT INTO sqli (username, password) VALUES ('\" + username + \"', '\" + password + \"')\";\n            \/\/\u901a\u8fc7Statement\u5bf9\u8c61\u6267\u884cSQL\u8bed\u53e5\uff0c\u5f97\u5230ResultSet\u5bf9\u8c61-\u67e5\u8be2\u7ed3\u679c\u96c6\n            \/\/ \u8fd9\u91cc\u6ce8\u610f\u4e00\u4e0b insert\u3001update\u3001delete \u8bed\u53e5\u5e94\u4f7f\u7528executeUpdate()\n            rowsAffected = stmt.executeUpdate(sql);\n            \/\/\u5173\u95edResultSet\u7ed3\u679c\u96c6 Statement\u5bf9\u8c61 \u4ee5\u53ca\u6570\u636e\u5e93Connection\u5bf9\u8c61 \u91ca\u653e\u8d44\u6e90\n            stmt.close();\n            conn.close();\n            return R.ok(message);\n        case \"delete\":\n            sql = \"DELETE FROM users WHERE id = '\" + id + \"'\";\n            rowsAffected = stmt.executeUpdate(sql);\n            ...\n        case \"update\":\n            sql = \"UPDATE sqli SET password = '\" + password + \"', username = '\" + username + \"' WHERE id = '\" + id + \"'\";\n            rowsAffected = stmt.executeUpdate(sql);\n            ...\n        case \"select\":\n            sql = \"SELECT * FROM users WHERE id  = \" + id;\n            ResultSet rs = stmt.executeQuery(sql);\n            ...\n    }\n}\n<\/code><\/pre>\n\n\n\n
prepareStatement\u91c7\u7528\u65b9\u6cd5\u62fc\u63a5SQL\u8bed\u53e5<\/font><\/h3>\n\n\n\n
\n
PreparedStatement\u662f JDBC \u4e2d\u7528\u4e8e\u6267\u884c\u9884\u7f16\u8bd1 SQL \u8bed\u53e5\u7684\u63a5\u53e3\uff08\u7ee7\u627f\u81eaStatement\uff09<\/p>\n\n\n\n
\u5b83\u662fStatement\u7684 \u201c\u5b89\u5168\u5347\u7ea7\u7248\u201d\uff0c\u5e95\u5c42\u4f9d\u7136\u57fa\u4e8e JDBC \u5b9e\u73b0\uff1b<\/p>\n\n\n\n
\u6838\u5fc3\u903b\u8f91\uff1a\u5148\u628a SQL \u6a21\u677f\uff08\u5e26?\u5360\u4f4d\u7b26\uff09\u53d1\u7ed9\u6570\u636e\u5e93\u9884\u7f16\u8bd1\uff0c\u518d\u4f20\u5165\u53c2\u6570\u6267\u884c\uff0c\u800c\u975e\u6bcf\u6b21\u62fc\u63a5\u5b8c\u6574 SQL\u3002<\/p>\n<\/blockquote>\n\n\n\n
\/\/ \u867d\u7136\u4f7f\u7528\u4e86conn.prepareStatement(sql)\u521b\u5efa\u4e86\u4e00\u4e2aPreparedStatement\u5bf9\u8c61\uff0c\u4f46\u5728\u6267\u884c stmt.executeUpdate(sql)\u65f6\uff0c\u5374\u662f\u4f20\u9012\u4e86\u5b8c\u6574\u7684SQL\u8bed\u53e5\u4f5c\u4e3a\u53c2\u6570\uff0c\u800c\u4e0d\u662f\u4f7f\u7528\u4e86\u9884\u7f16\u8bd1\u7684\u529f\u80fd\npublic R vul2(String type,String id,String username,String password) {\n    Class.forName(\"com.mysql.cj.jdbc.Driver\");\n    Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);\n    PreparedStatement stmt;\n    switch (type) {\n        case \"add\":\n            sql = \"INSERT INTO sqli (username, password) VALUES ('\" + username + \"', '\" + password + \"')\";\n            stmt = conn.prepareStatement(sql);\n            rowsAffected = stmt.executeUpdate(sql);\n            ...\n        case \"delete\":\n            sql = \"DELETE FROM users WHERE id = '\" + id + \"'\";\n            stmt = conn.prepareStatement(sql);\n            rowsAffected = stmt.executeUpdate(sql);\n            ...\n        case \"update\":\n            sql = \"UPDATE sqli SET username = '\" + username + \"', password = '\" + password + \"' WHERE id = '\" + id + \"'\";\n            stmt = conn.prepareStatement(sql);\n            rowsAffected = stmt.executeUpdate(sql);\n            ...\n        case \"select\":\n            sql = \"SELECT * FROM users WHERE id  = \" + id;\n            stmt = conn.prepareStatement(sql);\n            ResultSet rs = stmt.executeQuery(sql);\n            ...\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u5b89\u5168\u5199\u6cd5<\/h4>\n\n\n\n
public R vul2(String type,String id,String username,String password) throws ClassNotFoundException, SQLException {\n    Class.forName(\"com.mysql.cj.jdbc.Driver\");\n    Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);\n    PreparedStatement stmt = null;\n    int rowsAffected = 0;\n    String sql = null; \n    switch (type) {\n        case \"add\":\n            sql = \"INSERT INTO sqli (username, password) VALUES (?, ?)\";\n            stmt = conn.prepareStatement(sql);\n            stmt.setString(1, username);\n            stmt.setString(2, password);\n            rowsAffected = stmt.executeUpdate();\n            break; \n    }\n    return null; \n}\n<\/code><\/pre>\n\n\n\n
JdbcTemplate-SQL\u8bed\u53e5\u62fc\u63a5<\/font><\/h3>\n\n\n\n
\n
JdbcTemplate \u662f Spring \u6846\u67b6\u5bf9\u539f\u751f JDBC\u7684\u5c01\u88c5\u5de5\u5177\u7c7b\uff08\u5c5e\u4e8e spring-jdbc \u6a21\u5757\uff09<\/p>\n\n\n\n
\u5b83\u4e0d\u662f\u66ff\u4ee3 JDBC\uff0c\u800c\u662f \u201c\u7701\u6389\u539f\u751f JDBC \u4e2d\u6240\u6709\u7e41\u7410\u7684\u6837\u677f\u4ee3\u7801\u201d\uff1b<\/p>\n\n\n\n
\u5e95\u5c42\u4f9d\u7136\u57fa\u4e8e JDBC \u7684PreparedStatement\u5b9e\u73b0\uff0c\u5929\u751f\u5177\u5907\u9632 SQL \u6ce8\u5165\u80fd\u529b\uff1b<\/p>\n\n\n\n
\u6838\u5fc3\u76ee\u6807\uff1a\u7528\u4e00\u884c\u4ee3\u7801\u5b8c\u6210\u6570\u636e\u5e93\u64cd\u4f5c\uff0c\u65e0\u9700\u624b\u52a8\u7ba1\u7406\u8fde\u63a5\u3001\u5173\u95ed\u8d44\u6e90\u3001\u5904\u7406\u5f02\u5e38\u3002<\/p>\n<\/blockquote>\n\n\n\n
\/\/ JDBCTemplate\u662fSpring\u5bf9JDBC\u7684\u5c01\u88c5\uff0c\u5e95\u5c42\u5b9e\u73b0\u5b9e\u9645\u4e0a\u8fd8\u662fJDBC\npublic R vul3(String type,String id,String username,String password) {\n    DriverManagerDataSource dataSource = new DriverManagerDataSource();\n    dataSource.setDriverClassName(\"com.mysql.cj.jdbc.Driver\");\n    dataSource.setUrl(dbUrl);\n    dataSource.setUsername(dbUser);\n    dataSource.setPassword(dbPass);\n    JdbcTemplate jdbctemplate = new JdbcTemplate(dataSource);\n    switch (type) {\n        case \"add\":\n            sql = \"INSERT INTO sqli (username, password) VALUES ('\" + username + \"', '\" + password + \"')\";\n            \/\/Spring\u7684JdbcTemplate\u4f1a\u81ea\u52a8\u7ba1\u7406\u8fde\u63a5\u7684\u83b7\u53d6\u548c\u91ca\u653e\uff0c\u4e0d\u9700\u8981\u624b\u52a8\u5173\u95ed\u8fde\u63a5\n            rowsAffected = jdbctemplate.update(sql);\n            ...\n        case \"delete\":\n            sql = \"DELETE FROM users WHERE id = '\" + id + \"'\";\n            rowsAffected = jdbctemplate.update(sql);\n            ...\n        case \"update\":\n            sql = \"UPDATE sqli SET username = '\" + username + \"', password = '\" + password + \"' WHERE id = '\" + id + \"'\";\n            rowsAffected = jdbctemplate.update(sql);\n            ...\n        case \"select\":\n            sql = \"SELECT * FROM users WHERE id  = \" + id;\n            stringObjectMap = jdbctemplate.queryForMap(sql);\n            ...\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u5b89\u5168\u5199\u6cd5-\u9884\u7f16\u8bd1<\/h4>\n\n\n\n
\/\/ JDBCTemplate\u9884\u7f16\u8bd1 \u6b64\u65f6\u5728\u5e38\u89c4DML\u573a\u666f\u6709\u6548\u7684\u9632\u6b62\u4e86SQL\u6ce8\u5165\u653b\u51fb\u7684\u53d1\u751f\npublic R safe2(String type,String id,String username,String password) {\n    DriverManagerDataSource dataSource = new DriverManagerDataSource();\n    dataSource.setDriverClassName(\"com.mysql.cj.jdbc.Driver\");\n    dataSource.setUrl(dbUrl);\n    dataSource.setUsername(dbUser);\n    dataSource.setPassword(dbPass);\n    JdbcTemplate jdbctemplate = new JdbcTemplate(dataSource);\n    switch (type) {\n        case \"add\":\n            sql = \"INSERT INTO sqli (username, password) VALUES (?,?)\";\n            rowsAffected = jdbctemplate.update(sql, username, password);\n            ...\n        case \"delete\":\n            sql = \"DELETE FROM users WHERE id = ?\";\n            rowsAffected = jdbctemplate.update(sql, id);\n            ...\n        case \"update\":\n            sql = \"UPDATE sqli SET username = ?, password = ? WHERE id = ?\";\n            rowsAffected = jdbctemplate.update(sql, username, id);\n            ...\n        case \"select\":\n            sql = \"SELECT * FROM users WHERE id  = ?\";\n            stringObjectMap = jdbctemplate.queryForMap(sql, id);\n            ...\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u5176\u4ed6\u52a0\u56fa\u65b9\u6cd5<\/h3>\n\n\n\n
\u9ed1\u540d\u5355\u8fc7\u6ee4<\/h4>\n\n\n\n
\/\/ \u68c0\u6d4b\u7528\u6237\u8f93\u5165\u662f\u5426\u5b58\u5728\u654f\u611f\u5b57\u7b26\uff1a'\u3001;\u3001--\u3001+\u3001,\u3001%\u3001=\u3001>\u3001<\u3001*\u3001(\u3001)\u3001and\u3001or\u3001exeinsert\u3001select\u3001delete\u3001update\u3001count\u3001drop\u3001chr\u3001midmaster\u3001truncate\u3001char\u3001declare\npublic R safe3(String type,String id,String username,String password) {\n    Class.forName(\"com.mysql.cj.jdbc.Driver\");\n    Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);\n    Statement stmt = conn.createStatement();\n    switch (type) {\n        case \"add\":\n            if (checkUserInput.checkSqlBlackList(username) || checkUserInput.checkSqlBlackList(password)) {\n                return R.error(\"\u9ed1\u540d\u5355\u68c0\u6d4b\u5230\u975e\u6cd5SQL\u6ce8\u5165!\");\n            } else {\n                sql = \"INSERT INTO users (username, password) VALUES ('\" + username + \"', '\" + password + \"')\";\n                rowsAffected = stmt.executeUpdate(sql);\n                ...\n        case \"delete\":\n            if (checkUserInput.checkSqlBlackList(id)) {\n                return R.error(\"\u9ed1\u540d\u5355\u68c0\u6d4b\u5230\u975e\u6cd5SQL\u6ce8\u5165!\");\n            } else {\n                sql = \"DELETE FROM users WHERE id = '\" + id + \"'\";\n                rowsAffected = stmt.executeUpdate(sql);\n                ...\n        case \"update\":\n            if (checkUserInput.checkSqlBlackList(id) || checkUserInput.checkSqlBlackList(username) || checkUserInput.checkSqlBlackList(password)) {\n                return R.error(\"\u9ed1\u540d\u5355\u68c0\u6d4b\u5230\u975e\u6cd5SQL\u6ce8\u5165!\");\n            } else {\n                sql = \"UPDATE users SET password = '\" + password + \"', username = '\" + username + \"' WHERE id = '\" + id + \"'\";\n                rowsAffected = stmt.executeUpdate(sql);\n                ...\n        case \"select\":\n            if (checkUserInput.checkSqlBlackList(id)) {\n                return R.error(\"\u9ed1\u540d\u5355\u68c0\u6d4b\u5230\u975e\u6cd5SQL\u6ce8\u5165!\");\n            } else {\n                sql = \"SELECT * FROM users WHERE id  = \" + id;\n                ResultSet rs = stmt.executeQuery(sql);\n                ...\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u5bf9\u4e8e\u6570\u5b57\u578b\u67e5\u8be2\uff0c\u5f3a\u5236\u7c7b\u578b\u8f6c\u6362<\/h4>\n\n\n\n
\/\/ \u5f3a\u5236\u7c7b\u578b\u8f6c\u6362 \u5bf9\u7528\u6237\u8bf7\u6c42\u53c2\u6570\u8fdb\u884c\u6821\u9a8c\npublic R safe4(Integer id) {\n    Class.forName(\"com.mysql.cj.jdbc.Driver\");\n    Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);\n    Statement stmt = conn.createStatement();\n    message = checkUserInput.checkUser(id);\n    if (!message.isEmpty()) return R.error(message);\n    sql = \"SELECT * FROM users WHERE id  = \" + id;\n    ResultSet rs = stmt.executeQuery(sql);\n    ...\n}\n<\/code><\/pre>\n\n\n\n
\u91c7\u7528ESAPI\u8fc7\u6ee4<\/font><\/h4>\n\n\n\n
\n
ESAPI\uff08Enterprise Security API\uff09\u662f OWASP\uff08\u5f00\u653e\u5f0f Web \u5e94\u7528\u7a0b\u5e8f\u5b89\u5168\u9879\u76ee\uff09\u63a8\u51fa\u7684\u5f00\u6e90\u5b89\u5168\u5de5\u5177\u5e93<\/p>\n\n\n\n
\u5b83\u662f\u4e00\u5957 \u201c\u5b89\u5168\u901a\u7528\u65b9\u6cd5\u96c6\u201d\uff0c\u5c01\u88c5\u4e86 Web \u5e94\u7528\u5f00\u53d1\u4e2d\u5e38\u89c1\u7684\u5b89\u5168\u9632\u62a4\u903b\u8f91\uff08\u5982\u8f93\u5165\u9a8c\u8bc1\u3001XSS \u8fc7\u6ee4\u3001SQL \u6ce8\u5165\u9632\u62a4\u3001\u52a0\u5bc6\u7b49\uff09\uff1b<\/p>\n\n\n\n
\u652f\u6301 Java\u3001.NET\u3001Python \u7b49\u591a\u8bed\u8a00\uff0c\u5176\u4e2d Java \u7248\u672c\u6700\u6210\u719f\uff0c\u662f\u4f01\u4e1a\u7ea7\u5e94\u7528\u89e3\u51b3\u5b89\u5168\u6f0f\u6d1e\u7684\u5e38\u7528\u5de5\u5177\u3002<\/p>\n<\/blockquote>\n\n\n\n
\/\/ ESAPI\u63d0\u4f9b\u4e86\u591a\u79cd\u8f93\u5165\u9a8c\u8bc1API\uff0c\u63d0\u4f9b\u5bf9XSS\u653b\u51fb\u548cSQL\u6ce8\u5165\u653b\u51fb\u7b49\u7684\u9632\u62a4\npublic R safe4(String id) {\n    Codec<Character> oracleCodec = new OracleCodec();\n    Class.forName(\"com.mysql.cj.jdbc.Driver\");\n    Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPass);\n\n    Statement stmt = conn.createStatement();\n    \/\/ \u4f7f\u7528\u4e86 Oracle \u7684\u7f16\u89e3\u7801\u5668 OracleCodec \u548c ESAPI \u5e93\u6765\u5bf9 ID \u8fdb\u884c\u7f16\u7801\uff0c\u4ee5\u9632\u6b62 SQL \u6ce8\u5165\u653b\u51fb\u3002\n    String sql = \"select * from sqli where id = '\" + ESAPI.encoder().encodeForSQL(oracleCodec, id) + \"'\";\n    \/\/ String sql = \"select * from sqli where id = '\" + id + \"'\";\n    String sql = \"select * from users where id = '\" + id + \"'\";\n    ResultSet rs = stmt.executeQuery(sql);\n}\n<\/code><\/pre>\n\n\n\n
Mybatis<\/h2>\n\n\n\n
\n
MyBatis \u662f\u4e00\u6b3e\u534a\u81ea\u52a8 ORM\uff08\u5bf9\u8c61\u5173\u7cfb\u6620\u5c04\uff09\u6846\u67b6\uff0c\u4e5f\u662f Java \u751f\u6001\u4e2d\u4e3b\u6d41\u7684\u6301\u4e45\u5c42\u6846\u67b6\uff1a<\/p>\n\n\n\n
\u6838\u5fc3\u5b9a\u4f4d\uff1a\u5c01\u88c5\u539f\u751f JDBC\uff0c\u89e3\u51b3 \u201cSQL \u4e0e\u4ee3\u7801\u8026\u5408\u3001\u7ed3\u679c\u624b\u52a8\u6620\u5c04\u201d \u7684\u75db\u70b9\uff1b<\/p>\n\n\n\n
\u6838\u5fc3\u7279\u70b9\uff1aSQL \u8bed\u53e5\u4e0e Java \u4ee3\u7801\u5206\u79bb\uff08\u5199\u5728 XML \/ \u6ce8\u89e3\u91cc\uff09\uff0c\u81ea\u52a8\u5b8c\u6210 \u201cSQL \u7ed3\u679c\u2192Java \u5bf9\u8c61\u201d \u7684\u6620\u5c04\uff0c\u5e95\u5c42\u4ecd\u57fa\u4e8e JDBC \u7684 PreparedStatement \u5b9e\u73b0\uff0c\u5929\u751f\u652f\u6301\u9632 SQL \u6ce8\u5165\u3002<\/p>\n<\/blockquote>\n\n\n\n
\u5b89\u5168\u4ee3\u7801-\u539f\u751f\u5199\u6cd5<\/h4>\n\n\n\n
\/\/ \u8fd9\u91cc\u4ee5\u589e\u52a0\u529f\u80fd\u4e3a\u4f8b\n\/\/ Controller\u5c42\npublic R safe1(\nswitch (type) {\n    case \"add\":\n        rowsAffected = sqliService.nativeInsert(new Sqli(id, username, password));\n        message = (rowsAffected > 0) ? \"\u6570\u636e\u63d2\u5165\u6210\u529f username:\" + username + \" password:\" + password : \"\u6570\u636e\u63d2\u5165\u5931\u8d25\";\n        return R.ok(message);\n        ...\n}\n\/\/ Service\u5c42\n@Override\npublic int nativeInsert(Sqli user) {\n    return sqliMapper.insert(user);\n}\n\n\/\/ Mapper\u5c42\nint insert(T entity); \n<\/code><\/pre>\n\n\n\n
\u5b89\u5168\u4ee3\u7801-\u81ea\u5b9a\u4e49\u65b9\u6cd5<\/h4>\n\n\n\n
\/\/ \u8fd9\u91cc\u4ee5\u589e\u52a0\u529f\u80fd\u4e3a\u4f8b\n\/\/ Controller\u5c42\npublic R safe2( \nswitch (type) {\n    case \"add\":\n        \/\/\u8fd9\u91cc\u63d2\u5165\u6570\u636e\u4f7f\u7528MyBatiX\u63d2\u4ef6\u751f\u6210\u7684\u65b9\u6cd5\n        rowsAffected = sqliService.customInsert(new Sqli(id, username, password));\n        message = (rowsAffected > 0) ? \"\u6570\u636e\u63d2\u5165\u6210\u529f username:\" + username + \" password:\" + password : \"\u6570\u636e\u63d2\u5165\u5931\u8d25\";\n        return R.ok(message);\n        ...\n}\n\/\/ Service\u5c42\n\/\/\u81ea\u5b9a\u4e49SQL-\u4f7f\u7528#{}\n@Override\npublic int customInsert(Sqli user) {\n    return sqliMapper.customInsert(user);\n}\n\n\/\/ Mapper\u5c42\n<insert id=\"customInsert\">\n    insert into sqli (id,username,password) values (#{id,jdbcType=INTEGER},#{username,jdbcType=VARCHAR},#{password,jdbcType=VARCHAR})\n<\/insert>\n<\/code><\/pre>\n\n\n\n
Order By\u4e0b\u7684\u6ce8\u5165<\/h3>\n\n\n\n
\u7531\u4e8e\u4f7f\u7528#{}\u4f1a\u5c06\u5bf9\u8c61\u8f6c\u6210\u5b57\u7b26\u4e32\uff0c\u6bd4\u5982select user order by aa\u4f1a\u88ab#{}\u8f6c\u6362\u4e3aselect user order by “aa”\uff0c\u6570\u636e\u5e93\u4e0d\u652f\u6301\u8fd9\u79cd\u67e5\u8be2\u65b9\u6cd5\u4f1a\u62a5\u9519\uff0c\u56e0\u6b64\u5f88\u591a\u7814\u53d1\u4f1a\u91c7\u7528${}\u6765\u89e3\u51b3\uff0c\u4ece\u800c\u9020\u6210\u6ce8\u5165\u3002<\/font><\/p>\n\n\n\n
\/\/ Controller\u5c42\npublic R special1OrderBy() {\n  List<Sqli> sqlis = new ArrayList<>();\n  switch (type) {\n      case \"raw\":\n          sqlis = sqliService.orderByVul(field);\n          break;\n      case \"prepareStatement\":\n          sqlis = sqliService.orderByPrepareStatement(field);\n          break;\n      case \"writeList\":\n          sqlis = sqliService.orderByWriteList(field);\n      ...\n\/\/ Service\u5c42\n\/\/\u81ea\u5b9a\u4e49SQL-\u4f7f\u7528#{}\n@Override\npublic List<Sqli> orderByVul(String field) {\n    return sqliMapper.orderByVul(field);\n}\n@Override\npublic List<Sqli> orderByPrepareStatement(String field) {\n    return sqliMapper.orderByPrepareStatement(field);\n}\n@Override\npublic List<Sqli> orderByWriteList(String field) {\n    return sqliMapper.orderByWriteList(field);\n}\n\/\/ Mapper\u5c42\n<!--    Order by\u4e0b\u7684${}\u62fc\u63a5\u6ce8\u5165\u95ee\u9898-->\n<select id=\"orderByVul\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">\n    SELECT * FROM sqli\n    <if test=\"field != null and field != ''\">\n        ORDER BY ${field}\n    <\/if>\n<\/select>\n<!--    Order by\u4e0b\u7684#{}\u5199\u6cd5 \u6392\u5e8f\u4e0d\u751f\u6548-->\n<select id=\"orderByPrepareStatement\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">\n    SELECT * FROM sqli\n    <if test=\"field != null and field != ''\">\n        ORDER BY #{field}\n    <\/if>\n<\/select>\n<!--    Order by\u4e0b\u7684\u5b89\u5168\u5199\u6cd5 \u767d\u540d\u5355-->\n<select id=\"orderByWriteList\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">\n    SELECT * FROM sqli\n    <if test=\"field != null and field != ''\">\n        <choose>\n            <!-- \u6392\u5e8f\u5217\u540d\u767d\u540d\u5355 -->\n            <when test=\"field == 'id' or field == 'username' or field == 'password'\">\n                ORDER BY ${field}\n            <\/when>\n            <otherwise>\n                <!-- \u9ed8\u8ba4\u4f7f\u7528id\u8fdb\u884c\u6392\u5e8f -->\n                ORDER BY id\n            <\/otherwise>\n        <\/choose>\n    <\/if>\n<\/select>\n<\/code><\/pre>\n\n\n\n
in\u4e4b\u540e\u591a\u4e2aid\u67e5\u8be2\u65f6\u4f7f\u7528#\u540c\u6837\u4f1a\u62a5\u9519\uff0c\u4ece\u800c\u9020\u6210\u6ce8\u5165\u3002<\/font><\/h3>\n\n\n\n
\u5047\u8bbe\u8981\u67e5\u8be2<font style=\"color:rgb(0, 0, 0);background-color:rgba(0, 0, 0, 0);\">id IN (1,2,3)<\/font><\/code>\uff0c\u82e5\u76f4\u63a5\u7528<font style=\"color:rgb(0, 0, 0);background-color:rgba(0, 0, 0, 0);\">#{ids}<\/font><\/code>\u63a5\u6536\u591a\u4e2a ID\uff08\u6bd4\u5982\u4f20\u5165\u5b57\u7b26\u4e32<font style=\"color:rgb(0, 0, 0);background-color:rgba(0, 0, 0, 0);\">\"1,2,3\"<\/font><\/code>\uff09\uff0cMyBatis \u4f1a\u628a\u53c2\u6570\u5f53\u6210**\u5355\u4e2a\u5b57\u7b26\u4e32<\/font>**\u5904\u7406\uff0c\u81ea\u52a8\u52a0\u5f15\u53f7\uff0c\u6700\u7ec8\u751f\u6210\u9519\u8befSQL<\/p>\n\n\n\n
\/\/ Controller\u5c42\npublic R special3In(String type,String scope) {\n  switch (type) {\n      case \"raw\":\n          sqlis = sqliService.inVul(scope);\n          break;\n      case \"prepareStatement\":\n          sqlis = sqliService.inPrepareStatement(scope);\n          break;\n      case \"Foreach\":\n\n          sqlis = sqliService.inSafeForeach(parseInputToList(scope));\n          break;\n  ...\n\/\/ Service\u5c42\n@Override\npublic List<Sqli> inVul(String scope) {\n    return sqliMapper.inVul(scope);\n}\n@Override\npublic List<Sqli> inPrepareStatement(String scope) {\n    return sqliMapper.inPrepareStatement(scope);\n}\n@Override\npublic List<Sqli> inSafeForeach(List<Integer> scope) {\n    return sqliMapper.inSafeForeach(scope);\n}\n\/\/ Mapper\u5c42\n<select id=\"inVul\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">\n    select * from sqli where id in (${id})\n<\/select>\n\n<select id=\"inPrepareStatement\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">\n    select * from sqli where id in (#{id})\n<\/select>\n<select id=\"inSafeForeach\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">\n    SELECT * FROM sqli WHERE id IN\n    <foreach collection=\"scope\" item=\"id\" open=\"(\" separator=\",\" close=\")\">\n        #{id}\n    <\/foreach>\n<\/select>\n<\/code><\/pre>\n\n\n\n
\u4f7f\u7528%\u548c\u6a21\u7cca\u67e5\u8be2-like<\/font><\/h3>\n\n\n\n
\u6a21\u7cca\u67e5\u8be2\u9700\u8981\u62fc\u63a5%<\/code>\uff08\u5982%\u5f20\u4e09%<\/code>\uff09\uff0c\u82e5\u76f4\u63a5\u5728#{}<\/code>\u4e2d\u4f20\u5165\u5e26%<\/code>\u7684\u53c2\u6570\uff0c\u6216\u76f4\u63a5\u5199#{keyword<\/code>\uff0c\u4f1a\u56e0\u53c2\u6570\u88ab\u52a0\u5f15\u53f7\u5bfc\u81f4\u8bed\u6cd5 \/ \u903b\u8f91\u9519\u8bef\uff0c<\/p>\n\n\n\n
select id from user where name like %\"zhangsan\"%;\n<\/code><\/pre>\n\n\n\n
\/\/ Controller\u5c42\npublic R special1OrderBy() {\n@PostMapping(\"\/special2-Like\")\npublic R special2Like(String type,String keyword) {\n    List<Sqli> sqlis = new ArrayList<>();\n    switch (type) {\n        case \"raw\":\n            sqlis = sqliService.likeVul(keyword);\n            break;\n        case \"prepareStatement\":\n            sqlis = sqliService.likePrepareStatement(keyword);\n            break;\n    ...\n\/\/ Service\u5c42\n@Override\npublic List<Sqli> orderByWriteList(String field) {\n    return sqliMapper.orderByWriteList(field);\n}\n@Override\npublic List<Sqli> likeVul(String keyword) {\n    return sqliMapper.likeVul(keyword);\n}\n\/\/ Mapper\u5c42\n<!--  \u6a21\u7cca\u67e5\u8be2-->\n<select id=\"likeVul\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">\n    SELECT * FROM sqli WHERE username LIKE '%${keyword}%'\n<\/select>\n<select id=\"likePrepareStatement\" resultType=\"top.whgojp.modules.sqli.entity.Sqli\">\n    SELECT * FROM sqli WHERE username LIKE CONCAT('%', #{keyword}, '%')\n<\/select>\n<\/code><\/pre>\n\n\n\n
Hibernate<\/font><\/h2>\n\n\n\n
\u4f7f\u7528\u62fc\u63a5\u5199\u6cd5\u5bfc\u81f4SQL\u6ce8\u5165<\/h3>\n\n\n\n
public R vul1(@RequestParam String username) {\n    try {\n        String sql = \"SELECT * FROM sqli WHERE username = '\" + username + \"'\";\n        Object[] result = (Object[]) hibernateTemplate.execute(session ->\n                session.createNativeQuery(sql).uniqueResult()\n        );\n        message = \"\u67e5\u8be2\u6210\u529f\uff0c\u7528\u6237\u540d\uff1a\" + result[1] + \" \u5bc6\u7801\uff1a\" +result[2];\n        return R.ok(message);\n    } catch (Exception e) {\n        log.error(\"\u67e5\u8be2\u5931\u8d25\", e);\n        return R.error(e.getMessage());\n    }\n}\n<\/code><\/pre>\n\n\n\n
HQL\u67e5\u8be2\u62fc\u63a5\u5199\u6cd5\u5bfc\u81f4SQL\u6ce8\u5165<\/h3>\n\n\n\n
\n
HQL\uff08Hibernate Query Language\uff09\u662f Hibernate \u6846\u67b6\u63d0\u4f9b\u7684\u9762\u5411\u5bf9\u8c61\u7684\u67e5\u8be2\u8bed\u8a00<\/p>\n\n\n\n
\u6838\u5fc3\u7279\u70b9\uff1a\u64cd\u4f5c\u7684\u662fJava \u5b9e\u4f53\u7c7b\u548c\u5c5e\u6027\uff08\u800c\u975e\u6570\u636e\u5e93\u8868 \/ \u5b57\u6bb5\uff09\uff0c\u7531 Hibernate \u81ea\u52a8\u89e3\u6790\u4e3a\u539f\u751f SQL \u6267\u884c\uff1b<\/p>\n\n\n\n
\u5e95\u5c42\u4ecd\u57fa\u4e8e JDBC \u7684PreparedStatement\uff0c\u652f\u6301\u53c2\u6570\u7ed1\u5b9a\uff0c\u53ef\u9632\u6ce8\u5165\u3002<\/p>\n<\/blockquote>\n\n\n\n
public R vul2(@RequestParam String username) {\n    try {\n        String hql = \"FROM Sqli WHERE username = '\" + username + \"'\";\n        Sqli result = (Sqli) hibernateTemplate.execute(session ->\n                session.createQuery(hql).uniqueResult()\n        );\n        message = \"\u67e5\u8be2\u6210\u529f\uff0c\u7528\u6237\u540d\uff1a\" +result.getUsername()+ \" \u5bc6\u7801\uff1a\" +result.getPassword();\n        return R.ok(message);\n    } catch (Exception e) {\n        log.error(\"\u67e5\u8be2\u5931\u8d25\", e);\n        return R.error(e.getMessage());\n    }\n}\n<\/code><\/pre>\n\n\n\n
HQL\u67e5\u8be2\u53c2\u6570\u5316\u67e5\u8be2<\/h3>\n\n\n\n
public R safe(@RequestParam String username) {\n    try {\n        String hql = \"FROM Sqli WHERE username = :username\";\n        Sqli result = hibernateTemplate.execute(session ->\n                (Sqli) session.createQuery(hql)\n                        .setParameter(\"username\", username)\n                        .uniqueResult()\n        );\n        message = \"\u67e5\u8be2\u6210\u529f\uff0c\u7528\u6237\u540d\uff1a\" +result.getUsername()+ \" \u5bc6\u7801\uff1a\" +result.getPassword();\n        return R.ok(message);\n    } catch (Exception e) {\n        log.error(\"\u67e5\u8be2\u5931\u8d25\", e);\n        return R.error(e.getMessage());\n    }\n}\n<\/code><\/pre>\n\n\n\n
JPA<\/h2>\n\n\n\n
\n
JPA\uff08Java Persistence API\uff09\u662f Java \u5b98\u65b9\u5b9a\u4e49\u7684ORM\uff08\u5bf9\u8c61\u5173\u7cfb\u6620\u5c04\uff09\u89c4\u8303\uff08\u4e0d\u662f\u5177\u4f53\u6846\u67b6\uff09\uff1a<\/p>\n\n\n\n
\u6838\u5fc3\u5b9a\u4f4d\uff1a\u4e3a Java \u5bf9\u8c61\u4e0e\u6570\u636e\u5e93\u8868\u4e4b\u95f4\u7684\u6620\u5c04\u63d0\u4f9b\u7edf\u4e00\u6807\u51c6\uff0c\u89e3\u51b3\u4e0d\u540c ORM \u6846\u67b6\uff08\u5982 Hibernate\uff09API \u4e0d\u7edf\u4e00\u7684\u95ee\u9898\uff1b<\/p>\n\n\n\n
\u5e38\u89c1\u5b9e\u73b0\uff1aHibernate \u662f JPA \u6700\u4e3b\u6d41\u7684\u5b9e\u73b0\uff08JPA = \u89c4\u8303\uff0cHibernate = \u5b9e\u73b0\uff09\uff0c\u6b64\u5916\u8fd8\u6709 EclipseLink\u3001OpenJPA \u7b49\uff1b<\/p>\n\n\n\n
\u5e95\u5c42\u4ecd\u57fa\u4e8e JDBC \u7684PreparedStatement\uff0c\u5929\u751f\u652f\u6301\u53c2\u6570\u7ed1\u5b9a\u9632\u6ce8\u5165\u3002<\/p>\n<\/blockquote>\n\n\n\n
JPA-JPQL\u6ce8\u5165<\/font><\/h3>\n\n\n\n
\u4e5f\u662f\u4f7f\u7528\u4e86\u62fc\u63a5\u7684\u65b9\u6cd5\u6765\u6784\u9020SQL\u67e5\u8be2\u8bed\u53e5<\/p>\n\n\n\n
public R vul1(@RequestParam String username) {\n    try {\n        String jpql = \"SELECT s FROM Sqli s WHERE s.username = '\" + username + \"'\";\n        Query query = entityManager.createQuery(jpql);\n        List<Sqli> results = query.getResultList();\n        if (results == null || results.isEmpty()) {\n            return R.error(\"\u672a\u627e\u5230\u8bb0\u5f55\");\n        }\n        StringBuilder sb = new StringBuilder();\n        sb.append(\"\u67e5\u8be2\u6210\u529f\uff0c\u627e\u5230 \").append(results.size()).append(\" \u6761\u8bb0\u5f55\\n\");\n        message = sb.toString();\n        log.info(message);\n        return R.ok(message);\n    } catch (Exception e) {\n        String errorMsg = e.getMessage();\n        log.error(\"\u67e5\u8be2\u5931\u8d25: {}\", errorMsg, e);\n        return R.error(errorMsg);\n    }\n}\n<\/code><\/pre>\n\n\n\n
JPA-\u53c2\u6570\u5316\u67e5\u8be2<\/font><\/h3>\n\n\n\n
public R safe(@RequestParam String username) {\n    try {\n        String jpql = \"SELECT s FROM Sqli s WHERE s.username = :username\";\n        Query query = entityManager.createQuery(jpql)\n                .setParameter(\"username\", username);\n        List<Sqli> results = query.getResultList();\n        if (results == null || results.isEmpty()) {\n            return R.error(\"\u672a\u627e\u5230\u8bb0\u5f55\");\n        }\n        StringBuilder sb = new StringBuilder();\n        sb.append(\"\u67e5\u8be2\u6210\u529f\uff0c\u627e\u5230 \").append(results.size()).append(\" \u6761\u8bb0\u5f55\\n\");\n        message = sb.toString();\n        log.info(message);\n        return R.ok(message);\n    } catch (Exception e) {\n        String errorMsg = e.getMessage();\n        log.error(\"\u67e5\u8be2\u5931\u8d25: {}\", errorMsg, e);\n        return R.error(errorMsg);\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u603b\u7ed3<\/h2>\n\n\n\n
\u9488\u5bf9\u4e8eJAVA\u7a0b\u5e8f\u7684SQL<\/p>\n\n\n\n
\u9ed1\u76d2\uff1a\nFUZZ\u6d4b\u8bd5\n\u6570\u636e\u4ea4\u4e92\u70b9\u6d4b\u8bd5\n\u6b63\u5e38\u53d1\u73b0\u548c\u5229\u7528\u5373\u53ef\n\u767d\u76d2\uff1a\n1\u3001\u786e\u5b9a\u6570\u636e\u5e93\u901a\u8baf\u6280\u672f\n2\u3001\u786e\u5b9a\u7c7b\u578b\u540e\u627e\u8c03\u7528\u5199\u6cd5\n3\u3001\u786e\u5b9a\u5199\u6cd5\u662f\u5426\u5b89\u5168\uff08\u9884\u7f16\u8bd1\uff09\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
JDBC \u91c7\u7528Statement\u65b9\u6cd5\u62fc\u63a5SQL\u8bed\u53e5 prepareStatement\u91c7\u7528\u65b9\u6cd5\u62fc\u63a5SQL\u8bed\u53e5 P […]<\/p>\n","protected":false},"author":2,"featured_media":106,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","footnotes":""},"categories":[2],"tags":[],"class_list":["post-105","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-2"],"_links":{"self":[{"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/posts\/105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/comments?post=105"}],"version-history":[{"count":1,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/posts\/105\/revisions"}],"predecessor-version":[{"id":107,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/posts\/105\/revisions\/107"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/media\/106"}],"wp:attachment":[{"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/media?parent=105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/categories?post=105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/tags?post=105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}