SQL Injection

잔망루피 2022. 8. 30. 19:30

SQL Injection

A vulnerability in a web application connected to a DB in which an attacker inserts a crafted query so that the web service's database contents can be read or manipulated.

ex)

SELECT * FROM USERS WHERE name='test' And password='123' or '1'='1'

Parameter Binding

A parameter is information transmitted from a source to a destination.

It carries a name and a value taken from the source.

Object keys or attribute values are passed through parameter binding.

Spring Data JPA uses parameter binding.

Example)

// The SQL text is fixed; the ? placeholders mark where the user input will be bound.
String prepareStatementQuery = "SELECT * FROM USERS WHERE name=? AND password=?";
PreparedStatement preparedStatement = connection.prepareStatement(prepareStatementQuery);
// Inputs are bound as values, so a quote inside loginName or loginPassword is treated as data, not SQL syntax.
preparedStatement.setString(1, loginName);
preparedStatement.setString(2, loginPassword);
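To see the difference the binding makes, here is an added example (not from the original post) that runs the post's login query both ways against a constructed in-memory SQLite table and feeds it the "' or '1'='1" input from the SQL Injection section; the table contents and function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user row in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (name TEXT, password TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('test', 'secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # String concatenation: the input becomes part of the SQL text, so a quote
    # in the input closes the literal and changes the structure of the WHERE clause.
    query = (
        "SELECT * FROM USERS WHERE name='" + name
        + "' AND password='" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_bound(conn, name, password):
    # Parameter binding: the statement is prepared with ? placeholders and the
    # inputs are supplied as values, so a quote is only a character compared
    # against the column and can never become SQL syntax.
    query = "SELECT * FROM USERS WHERE name=? AND password=?"
    return conn.execute(query, (name, password)).fetchall()


def demo():
    conn = make_db()
    injected = "123' or '1'='1"  # the input from the example in the post
    vuln_rows = login_vulnerable(conn, "test", injected)    # WHERE ... or '1'='1' matches every row
    bound_rows = login_bound(conn, "test", injected)        # password literally compared, no match
    good_rows = login_bound(conn, "test", "secret")         # correct credentials still work
    return len(vuln_rows), len(bound_rows), len(good_rows)


if __name__ == "__main__":
    print(demo())  # (1, 0, 1)
```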

References 👇

https://www.youtube.com/watch?v=qzas_-u4Nxk 


https://www.sciencedirect.com/topics/computer-science/parameter-binding#:~:text=A%20parameter%20binding%20is%20a,instead%20of%20a%20single%20one.


https://docs.spring.io/spring-data/jpa/docs/current/reference/html/


https://stackoverflow.com/questions/37436694/how-does-binding-parameters-prevent-sql-injection
