我在一個教程中看到,為了在 JDBC 中模擬 SQL 注入攻擊實體,它在SQLite中用雙引號撰寫了以下陳述句,然后加載記錄。但是當我在oracle中用單引號寫相同的短語時,它會出錯。為什么?
//in main
System.out.println("Enter a title:");
DB.querySongArtistView(scanner.nextLine());
//in database class
private static final String QUERY_SONG_ARTIST_VIEW = "SELECT ARTIST , ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='";
public Optional<List<SongArtist>> querySongArtistView(String title) {
List<SongArtist> songArtistListView = null;
try (Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(QUERY_SONG_ARTIST_VIEW title "'")) {
songArtistListView = new ArrayList<>();
while (resultSet.next())
songArtistListView.add(new SongArtist(resultSet.getString(1),
resultSet.getString(2), resultSet.getInt(3)));
} catch (SQLException e) {
displayExceptionMessage(e);
}
return Optional.ofNullable(songArtistListView);
}
本教程作為輸入輸入的內容:
Go Your Own Way" or 1=1 or ";
我在 oracle 中的查詢:
Go Your Own Way' or 1=1 or ';
錯誤:
[42000][920] ORA-00920: invalid relational operator Position: 62
我希望作業但它沒有的查詢:
SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 1=1 or '';
uj5u.com熱心網友回復:
它抱怨這or ''部分 - 需要將空字串與某些東西進行比較(這有點棘手,因為 oracle 將其視為 null)。
它應該與以下內容一起使用:
Go Your Own Way' or 'X' = 'X
這會產生
SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 'X' = 'X';
至少這是有效的。
轉載請註明出處,本文鏈接:https://www.uj5u.com/shujuku/448740.html