// Good code that prevents SQL injection: the SQL text is fixed and the value is bound as a parameter
String query = "SELECT id FROM users WHERE userid=?";
PreparedStatement stmt = con.prepareStatement(query);
stmt.setString(1, userid);
ResultSet rs = stmt.executeQuery();
// Bad code, still vulnerable to SQL injection: the value is concatenated into the SQL text, so a PreparedStatement gains nothing
String query = "SELECT id FROM users WHERE userid='" + userid + "'";
PreparedStatement stmt = con.prepareStatement(query);
ResultSet rs = stmt.executeQuery();
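To show the difference between the two snippets against a real database, here is an added example (not part of the original page) that mirrors both lookups in Python with the standard-library sqlite3 module instead of JDBC; the table and the three user rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: three users, one with an apostrophe in the name.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "o'brien")]


def make_db():
    """In-memory SQLite database populated with the constructed sample users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, userid TEXT NOT NULL)")
    con.executemany("INSERT INTO users (id, userid) VALUES (?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(con, userid):
    """Mirrors the bad code: the value is spliced into the SQL text, so the
    input can change the structure of the query. Returns None when the
    resulting SQL is malformed (e.g. an apostrophe in a legitimate name)."""
    query = "SELECT id FROM users WHERE userid='" + userid + "'"
    try:
        return sorted(row[0] for row in con.execute(query))
    except sqlite3.OperationalError:
        return None


def lookup_safe(con, userid):
    """Mirrors the good code: the SQL text never changes and the value is
    bound as a parameter, so it is always treated as data, never as SQL."""
    query = "SELECT id FROM users WHERE userid=?"
    return sorted(row[0] for row in con.execute(query, (userid,)))


def demo():
    """Runs both lookups on the same inputs; returns {input: (vulnerable, safe)}."""
    con = make_db()
    inputs = ["alice", "o'brien", "' OR '1'='1"]
    return {name: (lookup_vulnerable(con, name), lookup_safe(con, name))
            for name in inputs}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name!r:16} concatenated -> {vuln}   parameterized -> {safe}")
```

The concatenated query breaks on a legitimate name containing an apostrophe and returns every row for the textbook tautology input, while the parameterized query returns exactly the matching row or nothing.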