快樂的 想飛 就飛

SQL Injection Description
SQL injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically
construct a SQL query.  This allows an attacker to manipulate database queries in order to access, modify, or delete arbitrary data.  Depending on the platform, database type, and configuration, it may also be possible to execute administrative operations on the database, access the filesystem, or execute arbitrary system commands.  SQL injection attacks can also be used to subvert authentication and authorization schemes, which would enable an attacker to gain privileged access to restricted portions of the application.

再瀏覽一下VeraCode對如何解決這個問題的建議：

Several techniques can be used to prevent SQL injection attacks. These techniques complement each other and address
security at different points in the application. Using multiple techniques provides defense-in-depth and minimizes the likelihood
of a SQL injection vulnerability.
Use parameterized prepared statements rather than dynamically constructing SQL queries.  This will prevent the
database from interpreting the contents of bind variables as part of the query and is the most effective defense against
SQL injection.
*
Validate user-supplied input using positive filters (white lists) to ensure that it conforms to the expected format, using
centralized data validation routines when possible.
*
Normalize all user-supplied data before applying filters or regular expressions, or submitting the data to a database. This
means that all URL-encoded (%xx), HTML-encoded (&#xx;), or other encoding schemes should be reduced to the
internal character representation expected by the application. This prevents attackers from using alternate encoding
schemes to bypass filters.
*
When using database abstraction libraries such as Hibernate, do not assume that all methods exposed by the API will
automatically prevent SQL injection attacks.  Most libraries contain methods that pass arbitrary queries to the database in an unsafe manner.

2)因為PrepareSQLStatement只支持標準的SQL，對于某些數據庫廠商中中特殊的SQL語句，比如"init device xxxx"等就無能為力了。
這是我們可以使用java.text.MessageFormat.format(query, params)來填充SQL的參數。


   3)Veracode會檢測傳入SQL的變量是否存在安全隱患(比如是否從文件中讀取的，或者是否從注冊表里讀取的)，這種情況需要重新定義1個變量，然后將其傳入SQL語句中，看如下例子

    這里，instance是一個已經存在的對象，如果它的變量是從文件中讀取的或者是依賴于程序外部的值，Veracode就認為存在安全隱患，因此我們需要做如下的調整：
                
    其中，FileUtil.removeControlCharacter（）的作用是刪除String變量中的控制符，目的就是對原有的String變量進行一次過濾后，賦值給新的變量，然后再傳給SQL語句。