My java code for SQL Query is
我的SQL Query的java代码是
String sqlSt="INSERT INTO users(id,name,place) values ("+null+",'"+request.getParameter("name")+"','"+request.getParameter("place")+"');";
I have tried out name= a'); DROP TABLE users; -- as well as place =a'); DROP TABLE users; --
我试过了name = a'); DROP TABLE用户; - 以及place = a'); DROP TABLE用户; -
but it returns an Ecxeption as below
但它返回Ecxeption如下
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP TABLE users; --','chennai')' at line 1
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:SQL语法中有错误;检查与您的MySQL服务器版本对应的手册,以便在'DROP TABLE用户附近使用正确的语法; - ','chennai')'在第1行
Note: when i tried the same in mysql command line. It worked!!!! i don't know what happens in jdbc
注意:当我在mysql命令行中尝试相同时。有效!!!!我不知道jdbc会发生什么
3 个解决方案
#1
2
The real problem is actually JDBC, it only allows one sql if you dont tell it otherwise. Look at this question for more info:
真正的问题实际上是JDBC,如果你不告诉它,它只允许一个sql。请查看此问题以获取更多信息:
Multiple queries executed in java in single statement
在单个语句中用java执行多个查询
But also i would try this instead, name =
但我也会尝试这个,名字=
a',''); DROP TABLE users; --
Since you specificed 3 columns in your insert:
由于您在插入中指定了3列:
(id,name,place)
You need to provide 3 values for the sql to be valid, not just 2.
您需要为sql提供3个值才有效,而不仅仅是2。
Also you can sent the text null, sending a java null value is not necessary and i am not even sure how that works. I think this might be better:
你也可以发送文本null,发送一个java null值是没有必要的,我甚至不知道这是如何工作的。我认为这可能会更好:
String sqlSt="INSERT INTO users(id,name,place) values (null,'"+request.getParameter("name")+"','"+request.getParameter("place")+"');";
#2
0
Instead of null, use an empty string ''
而不是null,使用空字符串''
String sqlSt = "INSERT INTO users(id, name, place) values ('', '" + request.getParameter("name") + "', '" + request.getParameter("place") + "');";
It's better to use prepared statements to avoid confusion.
最好使用准备好的语句来避免混淆。
String sqlSt = "INSERT INTO users(id, name, place) values ('', ?, ?)";
PreparedStatement ps = null;
try {
ps = connection.prepareStatement(query);
ps.setString(1, request.getParameter("name"));
ps.setString(2, request.getParameter("place"));
ps.executeUpdate();
} catch (Exception e) {
e.printStackTrace();
} finally {
ps.close();
}
#3
0
The real problem is with your Query. It is better to use a PreparedStatement for executing a query. Your Code should be :
真正的问题在于您的查询。最好使用PreparedStatement来执行查询。您的准则应该是:
String sqlSt="INSERT INTO users(id,name,place) values (?,?,?)";
PreparedStatement pstmt = null;
try{
pstmt = dbConnection.prepareStatement(sqlSt);
pstmt.setString(1,null);
pstmt.setString(2,request.getParameter("name"));
pstmt.setString(3,request.getParameter("place"));
pstmt.executeUpdate();
}catch (Exception e) {
e.printStackTrace();
} finally {
pstmt.close();
}
If you don't want to use a PreparedStatement, just remove last ; from your query. So your query will be :
如果您不想使用PreparedStatement,只需删除last;来自您的查询。所以你的查询将是:
String sqlSt="INSERT INTO users(id,name,place) values ("+null+",'"+request.getParameter("name")+"','"+request.getParameter("place")+"')";
#1
2
The real problem is actually JDBC, it only allows one sql if you dont tell it otherwise. Look at this question for more info:
真正的问题实际上是JDBC,如果你不告诉它,它只允许一个sql。请查看此问题以获取更多信息:
Multiple queries executed in java in single statement
在单个语句中用java执行多个查询
But also i would try this instead, name =
但我也会尝试这个,名字=
a',''); DROP TABLE users; --
Since you specificed 3 columns in your insert:
由于您在插入中指定了3列:
(id,name,place)
You need to provide 3 values for the sql to be valid, not just 2.
您需要为sql提供3个值才有效,而不仅仅是2。
Also you can sent the text null, sending a java null value is not necessary and i am not even sure how that works. I think this might be better:
你也可以发送文本null,发送一个java null值是没有必要的,我甚至不知道这是如何工作的。我认为这可能会更好:
String sqlSt="INSERT INTO users(id,name,place) values (null,'"+request.getParameter("name")+"','"+request.getParameter("place")+"');";
#2
0
Instead of null, use an empty string ''
而不是null,使用空字符串''
String sqlSt = "INSERT INTO users(id, name, place) values ('', '" + request.getParameter("name") + "', '" + request.getParameter("place") + "');";
It's better to use prepared statements to avoid confusion.
最好使用准备好的语句来避免混淆。
String sqlSt = "INSERT INTO users(id, name, place) values ('', ?, ?)";
PreparedStatement ps = null;
try {
ps = connection.prepareStatement(query);
ps.setString(1, request.getParameter("name"));
ps.setString(2, request.getParameter("place"));
ps.executeUpdate();
} catch (Exception e) {
e.printStackTrace();
} finally {
ps.close();
}
#3
0
The real problem is with your Query. It is better to use a PreparedStatement for executing a query. Your Code should be :
真正的问题在于您的查询。最好使用PreparedStatement来执行查询。您的准则应该是:
String sqlSt="INSERT INTO users(id,name,place) values (?,?,?)";
PreparedStatement pstmt = null;
try{
pstmt = dbConnection.prepareStatement(sqlSt);
pstmt.setString(1,null);
pstmt.setString(2,request.getParameter("name"));
pstmt.setString(3,request.getParameter("place"));
pstmt.executeUpdate();
}catch (Exception e) {
e.printStackTrace();
} finally {
pstmt.close();
}
If you don't want to use a PreparedStatement, just remove last ; from your query. So your query will be :
如果您不想使用PreparedStatement,只需删除last;来自您的查询。所以你的查询将是:
String sqlSt="INSERT INTO users(id,name,place) values ("+null+",'"+request.getParameter("name")+"','"+request.getParameter("place")+"')";