避免 SQL injection

1. © 2016 Software Engineering Consortium
SQL的查詢陳述中注入惡意的程式片段造成資料的外洩或修改
假設系統使用下列SQL陳述查詢資料庫以判斷合法使用者
若有回傳任何結果，則表示認證成功，反之認證失敗
避免 SQL injection
1
SELECT * FROM db_user WHERE username='<USERNAME>' AND
password='<PASSWORD>'

2. © 2016 Software Engineering Consortium
假設惡意攻擊者可以任意輸入<USERNAME>與<PASSWORD>
透過修改下列<USERNAME>可成功通過認證檢查
透過修改下列<PASSWORD>可成功通過認證檢查
避免 SQL injection
2
SELECT * FROM db_user WHERE username='validuser' OR '1'='1' AND
password='<PASSWORD>'
validuser' OR '1'='1
SELECT * FROM db_user WHERE username='<USERNAME>' AND password='' OR
'1'='1'
' OR '1'='1

3. © 2016 Software Engineering Consortium
缺陷程式碼範例
避免 SQL injection
3
public void doPrivilegedAction(String username, char[] password)
throws SQLException {
Connection connection = getConnection();
if (connection == null) {
// Handle error
}
try {
String pwd = hashPassword(password);
String sqlString = "SELECT * FROM db_user WHERE username = '" + username + "' AND password = '"
+ pwd + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(sqlString);
// Authenticated; proceed
} finally {
try {
connection.close();
} catch (SQLException x) {
// Forward to handler
}
}}}

4. © 2016 Software Engineering Consortium
預防作法
PreparedStatement
避免 SQL injection
4
String sqlString =
"select * from db_user where username=? and password=?";
PreparedStatement stmt = connection.prepareStatement(sqlString);
stmt.setString(1, username);
stmt.setString(2, pwd);
ResultSet rs = stmt.executeQuery();