当HTTP遇到SQL注入：Java开发者的攻防实战手册

一、从HTTP请求到数据库查询：漏洞如何产生？

危险的参数拼接：Servlet中的经典错误

漏洞代码重现：

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {String category = request.getParameter("category");String sql = "SELECT * FROM products WHERE category='" + category + "'";try (Connection conn = dataSource.getConnection();Statement stmt = conn.createStatement();ResultSet rs = stmt.executeQuery(sql)) {// 处理结果集} catch (SQLException e) {throw new ServletException(e);}
}

漏洞解析：

1. 攻击入口：直接从HttpServletRequest获取URL参数，未做任何过滤
2. SQL拼接：直接将用户输入拼接到SQL语句中
3. 攻击示例：当传入category=electronics' OR 1=1 -- 时，实际执行SQL变为：

   SELECT * FROM products WHERE category='electronics' OR 1=1 -- '
   

4. 漏洞影响：导致返回所有产品数据，造成信息泄露

预编译语句的正确使用姿势

修复方案代码：

private static final String SAFE_SQL = "SELECT * FROM products WHERE category=?";public List<Product> getProducts(String category)