The core methods to prevent SQL injection include: 1. Use PreparedStatement precompiled statements to ensure that the input is processed as data; 2. Whitelist verification, length limit and special character escape of the input; 3. Use ORM frameworks such as Hibernate and MyBatis correctly to avoid splicing SQL; 4. Do not expose error information, scan for vulnerabilities regularly, and restrict database permissions. These measures jointly ensure the security of SQL for Java applications.

Preventing SQL Injection is a very basic but critical link in Java application security. While there are many frameworks available to help developers avoid this problem, it is still important to understand its principles and manual defense.

Use precompiled statements (PreparedStatement)

This is the most direct and effective way to prevent SQL injection. Unlike splicing strings to construct SQL queries, using PreparedStatement ensures that user input is processed as data rather than executable code.

For example:

 String query = "SELECT * FROM users WHERE username = ? AND password = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, username);
pstmt.setString(2, password);
ResultSet rs = pstmt.executeQuery();

In this way, even if the user enters something like ' OR '1'='1 , it will not affect the structure of SQL.

Note: Don't take it lightly just because you use the framework. Some old projects or custom encapsulation may still be spelling strings, so you need to pay special attention.

Checksum filter input

In addition to using precompiled statements, basic checks on user input are also an auxiliary means. for example:

• Whitelist verification: Only specific characters are allowed, such as usernames can only contain letters, numbers, and underscores.
• Length limit: For example, the password field cannot exceed 100 characters.
• Escape special characters: Although not as reliable as precompilation, it can be used as a supplementary measure in some scenarios.

For example:

 if (!username.matches("^[a-zA-Z0-9_]{3,20}$")) {
    throw new IllegalArgumentException("Username is illegal");
}

Of course, this approach cannot be completely dependent, but combined with other methods can enhance security.

Use ORM framework and configure it properly

Many modern Java frameworks, such as Hibernate, MyBatis, etc., have helped you deal with SQL injection problems by default. But only if you use them correctly.

for example:

• Use HQL or Criteria API in Hibernate, instead of native SQL.
• Using #{} instead of ${} in MyBatis, the latter can easily lead to injection risks.

Error Example (MyBatis):

 <select id="findUser" resultType="User">
    SELECT * FROM users WHERE username = &#39;${username}&#39;
</select>

This writing method will directly splice strings, which poses the risk of injection.

Correct writing:

 <select id="findUser" resultType="User">
    SELECT * FROM users WHERE username = #{username}
</select>

A few tips for daily development

• Don't splice SQL, no matter how simple it is.
• Don't expose error information directly to the front-end, such as database structure, stack information, etc.
• Do security scans regularly and use tools such as OWASP ZAP and SQLMap to test for vulnerabilities.
• Give database accounts the least permissions to avoid using root users to connect to the application.

Basically that's it. SQL injection may seem simple, but if you are not careful in actual development, you may leave hidden dangers.

The above is the detailed content of Java Security for SQL Injection Prevention. For more information, please follow other related articles on the PHP Chinese website!