本例采用JSP+Servlet+Mysql:
1. 数据库:
数据库名:sqlinject
CREATE DATABASE sqlinject;
建user表:
Table: userCreate Table: CREATE TABLE `user` ( `id` int(11) NOT NULL AUTO_INCREMENT, `name` varchar(20) NOT NULL, `sex` varchar(20) DEFAULT NULL, PRIMARY KEY (`id`)) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8
表中一些记录:
mysql> select * from user;+----+--------+------+| id | name | sex |+----+--------+------+| 1 | benson | m || 2 | jerry | f || 3 | Mike | m || 4 | Jenny | f || 5 | Rose | f |+----+--------+------+5 rows in set (0.00 sec)
JSP页面和Servlet:
1.index.jsp:负责接受用户的输入(输入用户名和选择性别)
<%@ page contentType="text/html; charset=UTF-8" %><html> <head> <title>SQL注入测试</title> </head> <body> <form action="query.do"> 姓名:<input type="text" name="name"><br/> 性别:<select name="sex"> <option value="m">男</option> <option value="f">女</option> </select> <br/> <input type="submit" value="搜索"/> </form> </body></html>
QueryServlet处理类:
package zjut.tsw.servlet;import java.io.IOException;import java.sql.Connection;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.SQLException;import java.sql.Statement;import java.util.ArrayList;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import zjut.tsw.vo.User;public class QueryServlet extends HttpServlet { /** * */ private static final long serialVersionUID = 1L; ArrayList<User> users = null; public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { request.setCharacterEncoding("utf-8"); response.setContentType("text/html;charset=utf-8"); // 获取姓名和性别 String name = request.getParameter("name"); String sex = request.getParameter("sex"); // debug System.out.println("name is:" + name + "\nsex is:" + sex); users = query(name, sex); request.setAttribute("users", users); request.getRequestDispatcher("/query.jsp").forward(request, response); return; } public ArrayList<User> query(String name, String sex) { Connection conn = getConnection(); if(conn == null) System.out.println("conn is null"); Statement stmt = null; ResultSet rs = null; String sql = "select * from user where" + " sex='" + sex + "' and name='" + name + "'"; // debug System.out.println(sql); ArrayList<User> users = new ArrayList<User>(); // 保存用户 try { stmt = conn.createStatement(); rs = stmt.executeQuery(sql); while (rs.next()) { User user = new User(); user.setName(rs.getString("name")); user.setSex(rs.getString("sex")); users.add(user); } return users; } catch (SQLException e) { e.printStackTrace(); return null; } } // connect to db public static Connection getConnection() { Connection conn = null; try { Class.forName("com.mysql.jdbc.Driver"); conn = DriverManager.getConnection( "jdbc:mysql://localhost:3306/sqlinject", "root", "root"); return conn; } catch (ClassNotFoundException cnfe) { cnfe.printStackTrace(); return null; } catch (SQLException e) { e.printStackTrace(); return null; } }}VO:User
package zjut.tsw.vo;public class User { public String getName() { return name; } public void setName(String name) { this.name = name; } public String getSex() { return sex; } public void setSex(String sex) { this.sex = sex; } private String name; private String sex; @Override public String toString() { return "username is:" + name + "sex is:" + sex; }}结果页面 query.jsp
<%@ page contentType="text/html; charset=UTF-8"%><%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%><html><head><title>查询结果</title></head><body> <c:forEach items="${users}" var="user"> 姓名:${user.name },性别${user.sex }<br/> </c:forEach></body></html>web.xml
<?xml version="1.0" encoding="UTF-8"?><web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <servlet> <servlet-name>QueryServlet</servlet-name> <servlet-class>zjut.tsw.servlet.QueryServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>QueryServlet</servlet-name> <url-pattern>/query.do</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list></web-app>
界面效果:
登录界面:
SQL注入:
结果:
这里在姓名输入框里输入了 ' or 'hack'='hack (hack名字是随意取的)
在地址栏中,%27代表单引号,+号代表一个空格,%3D代表=号,可以用JAVA的URLEncoder类和URLDecoder类进行转换
所有的记录都被查询出来了。
看下MyEclipse打印的SQL调试语句:
name is:' or 'hack'='hacksex is:mselect * from user where sex='m' and name='' or 'hack'='hack'
Over...
- 5楼z11013853911小时前
- PreparedStatement pst=conn.PreparedStatment(sql);npst.SetString(n,xxx)n```````````````n楼主的例子是最经典的sql注入例子
- 4楼csh6243661889小时前
- 这种问题该怎么解决呢?
- 3楼imfam520昨天 19:22
- 1、不用数据库n2、使用一个存储过程n3、过滤非法字符
- 2楼sushengmiyan昨天 18:27
- 不错
- 1楼woshimaijunjinzhen昨天 17:57
- 最经典的sql注入例子,一般都是用PreparedStatment,不自己拼接字符串