SQL injection is more reliably prevented by using prepared statements, as shown below. If you cannot use that pattern, the second-best approach is to "whitelist" the good characters rather than "blacklist" the forbidden ones.
.NET

using System.Data.OleDb;

String query =
    "SELECT account_balance FROM user_data WHERE user_name = ?";
try {
    OleDbCommand command = new OleDbCommand(query, connection);
    // The ? placeholder is bound to the text box value as data, never as SQL text
    command.Parameters.Add(new OleDbParameter("custrName", CustName.Text));
    OleDbDataReader reader = command.ExecuteReader();
    // …
} catch (OleDbException se) {
    // error handling
}
Java

import java.sql.PreparedStatement;
import java.sql.ResultSet;

String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custname); // bound as a parameter, not concatenated into the query
ResultSet results = pstmt.executeQuery();
See the OWASP SQL Injection Prevention Cheat Sheet for more examples of prepared statements, and the OWASP Input Validation Cheat Sheet for more on whitelisting, if you are completely set on whitelisting/blacklisting.
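The contrast the answer draws, as an added example that is not part of the original answer: the same `account_balance` lookup written once with string concatenation, once with a bound `?` parameter, and once behind the allowlist fallback the answer mentions. It uses Python's `sqlite3` module with an in-memory database and constructed sample rows in place of the JDBC/OleDb code above; the table layout, function names and the allowlist pattern are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not from the original answer).
SAMPLE_ROWS = [("alice", 100), ("bob", 250), ("carol", 75)]


def make_db():
    """Build an in-memory user_data table matching the query in the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def balance_concatenated(conn, user_name):
    """Vulnerable form: the input is spliced into the SQL text, so a quote in
    the input changes the statement itself."""
    query = "SELECT account_balance FROM user_data WHERE user_name = '" + user_name + "'"
    return [row[0] for row in conn.execute(query)]


def balance_prepared(conn, user_name):
    """Prepared-statement form: the ? placeholder binds user_name as a value.
    The SQL text is fixed before the input is ever seen."""
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (user_name,))]


# Allowlist for the fallback: letters, digits and underscore, 1 to 32 chars
# (assumed policy for this example).
ALLOWED_USER_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def balance_allowlisted(conn, user_name):
    """Second-best form from the answer: reject anything outside the allowlist
    before it reaches the SQL layer. Quotes, spaces and operators never match."""
    if not ALLOWED_USER_NAME.fullmatch(user_name):
        raise ValueError("user_name rejected by allowlist")
    return balance_concatenated(conn, user_name)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("concatenated:", balance_concatenated(db, hostile))  # every balance leaks
    print("prepared:    ", balance_prepared(db, hostile))      # no such user: []
```

Running it shows why the answer ranks the two approaches: the concatenated query returns every row for the hostile input, the bound parameter returns nothing because the whole string is compared as a user name, and the allowlist only helps because it refuses the input outright.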