java JDBC 安全吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1291584/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is JDBC secure?
提问by ZZ Coder
I am new to JDBC, and the new project require me to use JDBC. What I want to know is,
我是JDBC新手,新项目要求我使用JDBC。我想知道的是,
is the JDBC secure?
JDBC 安全吗?
How to prevent "Mysql Injection"-like problem?
如何防止“Mysql 注入”之类的问题?
What are the security issues that I need to pay attention when I use JDBC?
使用JDBC需要注意哪些安全问题?
And how to ensure, I mean optimize the security, in order to prevent from hackers to hack the database?
以及如何确保,我的意思是优化安全性,以防止黑客入侵数据库?
EDIT:
编辑:
I tried google, if I google:
我试过谷歌,如果我谷歌:
"php mysql security problems" => it gives a lot of result
“php mysql 安全问题” => 它给出了很多结果
if I google:
如果我谷歌:
"jdbc mysql security problems" => hardly see any related pages
“jdbc mysql 安全问题” => 几乎看不到任何相关页面
Does it mean, using jdbc is secure? Dont need to worry about being hack?
这是否意味着,使用 jdbc 是安全的?不需要担心被黑客入侵?
回答by Emil H
Use prepared statements. For a hypothetical login you might use this, for example:
使用准备好的语句。对于假设登录,您可以使用它,例如:
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM member WHERE member_username = ? AND member_password = ?");
stmt.setString(1, username);
stmt.setString(2, password);
stmt.execute();
ResultSet rs = stmt.getResultSet();
// ...
This will completely shield you from SQL Injection vulnerabilities.
这将完全保护您免受 SQL 注入漏洞的影响。
回答by Stephen C
is the JDBC secure?
JDBC 安全吗?
The security of JDBC is a property of the JDBC driver that you use. In general, if your driver uses an SSL transport layer, it is as secure as the strength of your SSL keys. If it uses an unencrypted transport, it is not secure.
JDBC 的安全性是您使用的 JDBC 驱动程序的一个属性。通常,如果您的驱动程序使用 SSL 传输层,则它与 SSL 密钥的强度一样安全。如果它使用未加密的传输,则不安全。
How to prevent "Mysql Injection"-like problem?
如何防止“Mysql 注入”之类的问题?
When you compose an SQL query for JDBC, be careful not to incorporate 'raw' strings that might contain embedded SQL. For example:
为 JDBC 编写 SQL 查询时,请注意不要合并可能包含嵌入式 SQL 的“原始”字符串。例如:
String query = "SELECT * FROM SOME_TABLE WHERE X = '" + someString + "' ;";
If someString contains an unescaped "'" character, what you intend to be an SQL literal string could actually be changed into something completely different. The fix is to either reject someStringif it contains any "'" characters (or other nasties), or preprocess it with a method that inserts SQL string escapes.
如果 someString 包含未转义的 "'" 字符,则您打算成为 SQL 文字字符串的内容实际上可以更改为完全不同的内容。解决方法是要么拒绝someString包含任何“'”字符(或其他讨厌的字符),要么使用插入 SQL 字符串转义符的方法对其进行预处理。
Another (simpler / more reliable / more secure) approach is to use a PreparedStatementwith "?" placeholders and inject the values into the query using setString(...)etc. With a PreparedStatement, the JDBC driver is guaranteed to use appropriate quoting and escaping to prevent SQL injection.
另一种(更简单/更可靠/更安全)的方法是使用PreparedStatement带“?” 占位符并使用setString(...)etc.将值注入到查询中。使用PreparedStatement,JDBC 驱动程序保证使用适当的引用和转义来防止 SQL 注入。
What are the security issues that I need to pay attention when I use JDBC?
使用JDBC需要注意哪些安全问题?
Apart from the above, I don't know of anything specific to JDBC. Indeed neither of the above issues is specific to JDBC.
除了上述内容,我不知道任何特定于 JDBC 的内容。事实上,上述问题都不是特定于 JDBC 的。
And how to ensure, I mean optimize the security, in order to prevent from hackers to hack the database?
以及如何确保,我的意思是优化安全性,以防止黑客入侵数据库?
- Buy / read a good book on building secure systems.
- Be careful.
- Pay for a security expert to audit your code / system.
- 购买/阅读一本关于构建安全系统的好书。
- 当心。
- 支付安全专家来审核您的代码/系统。
回答by ZZ Coder
JDBC is a database connection protocol, it's as secure as all other means to connect to database.
JDBC 是一种数据库连接协议,它与连接数据库的所有其他方式一样安全。
Most secure issues have nothing to do with JDBC protocol itself. For example, you can minimize the risk of SQL Injection by using Prepared Statement. This will be true regardless how you connect to the database.
大多数安全问题与 JDBC 协议本身无关。例如,您可以通过使用 Prepared Statement 将 SQL 注入的风险降至最低。无论您如何连接到数据库,这都是正确的。
回答by James Anderson
JDBC is purely the transport between your program and the database.
JDBC 纯粹是您的程序和数据库之间的传输。
It is reasonably secure in as much as the sign on protocol is not vulnerable to network sniffing, and, it is very, very difficult to inject anything into the network traffic.
它是相当安全的,因为登录协议不易受到网络嗅探的影响,并且很难将任何内容注入网络流量。
However JDBC merely transports your SQL to the database and returns the resulting dataset. If your program is vulerable to SQL injection it will be vulnerable whether you are using a direct connection, odbc or jdbc.
然而,JDBC 只是将您的 SQL 传输到数据库并返回结果数据集。如果您的程序容易受到 SQL 注入的攻击,那么无论您使用的是直接连接、odbc 还是 jdbc,它都会受到攻击。
The only way to really protect yourself against sql injection is to use prepared statements with "?" type place holders for user input. Never string together SQL statements using unsecure input (this includes both direct user input, and data from a table that was input by a user).
真正保护自己免受 sql 注入的唯一方法是使用带有“?”的准备好的语句。为用户输入键入占位符。切勿使用不安全的输入(这包括直接用户输入和用户输入的表中的数据)将 SQL 语句串在一起。
回答by Winston Chen
Or you can use the utility method: "org.apache.commons.lang.StringEscapeUtils.escapeSql(java.lang.String str)" to prevent sql-injection from happening.
或者您可以使用实用方法:“ org.apache.commons.lang.StringEscapeUtils.escapeSql(java.lang.String str)”来防止发生sql注入。
String sanitation is always be best policy to prevent sql-injection or cross-site-scripting attacks.
字符串卫生始终是防止 sql 注入或跨站点脚本攻击的最佳策略。
回答by ZeroCool
Always use field validators, matching some specific regular expressions rules before passing anything to the DB acceess api.
始终使用字段验证器,在将任何内容传递给 DB accessess api 之前匹配一些特定的正则表达式规则。
