
SQLInjection Test 실습

by 컴포넌트설계자 2026. 3. 9.

PreparedStatement가 SQL Injection 공격을 방어해준다.

package ex0309.db.dao;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import ex0309.db.util.DbManager;
import ex0309.dto.Emp;



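public class SqlInjectionTest {

	/**
	 * Statement version: the filter value is concatenated straight into the SQL text.
	 *
	 * <p>Runs {@code select empno, ename, sal, hiredate from emp where sal > <param> order by sal}
	 * and prints every row as an {@link Emp}.
	 *
	 * <p>This method is kept deliberately vulnerable so that the injection effect can be
	 * demonstrated from {@link #main(String[])}: the SQL string is built with {@code +}, so
	 * {@code param} becomes part of the statement rather than a value. Never call it with input
	 * that did not originate in trusted code; use {@link #preparedStatementTest(String)} instead.
	 *
	 * @param param text appended verbatim after {@code sal >}
	 */
	public static void statementTest(String param) {
		// INTENTIONALLY UNSAFE: string-built SQL, kept only for the demonstration in main().
		String sql = "select empno, ename, sal, hiredate from emp where sal > " + param + " order by sal";
		Connection con = null;
		Statement st = null;
		ResultSet rs = null;
		try {
			con = DbManager.getConnection();
			st = con.createStatement();
			rs = st.executeQuery(sql);
			// Column positions follow the select list: empno, ename, sal, hiredate.
			while (rs.next()) {
				Emp emp = new Emp(rs.getInt(1), rs.getString(2), rs.getInt(3), rs.getString(4));
				System.out.println(emp); // Emp.toString()
			}
		} catch (SQLException e) {
			// Narrowed from Exception to match preparedStatementTest: only JDBC failures are
			// expected here, and a catch-all would also hide unrelated runtime errors.
			e.printStackTrace();
		} finally {
			DbManager.dbClose(con, st, rs);
		}
	}

	/**
	 * PreparedStatement version: the filter value is bound as a parameter.
	 *
	 * <p>Runs {@code select empno, ename, job, sal, hiredate from emp where sal > ? order by sal}
	 * with {@code param} bound to the single placeholder and prints every row as an {@link Emp}.
	 * Because the value travels separately from the SQL text, input such as
	 * {@code "2000 or 1 =1"} is handled as one literal value and cannot alter the query.
	 *
	 * <p>Note: {@code sal} is compared against a value bound with {@code setString}; whether a
	 * non-numeric value raises an error or is coerced is up to the driver/database. Parsing the
	 * input and binding it with {@code setInt}/{@code setDouble} would reject such input explicitly.
	 *
	 * @param param value bound to the {@code ?} placeholder
	 */
	public static void preparedStatementTest(String param) {
		String sql = "select empno, ename,job, sal, hiredate from emp where sal > ? order by sal";
		Connection con = null;
		PreparedStatement ps = null;
		ResultSet rs = null;
		try {
			con = DbManager.getConnection();
			ps = con.prepareStatement(sql);
			// The placeholder must be bound before execution; the driver sends it as a value.
			ps.setString(1, param);
			rs = ps.executeQuery();
			// Column positions follow the select list: empno, ename, job, sal, hiredate;
			// job (index 3) is not part of Emp and is skipped.
			while (rs.next()) {
				Emp emp = new Emp(rs.getInt(1), rs.getString(2), rs.getInt(4), rs.getString(5));
				System.out.println(emp); // Emp.toString()
			}
		} catch (SQLException e) {
			e.printStackTrace();
		} finally {
			DbManager.dbClose(con, ps, rs);
		}
	}

	/**
	 * Entry point for the demonstration.
	 *
	 * <p>Runs the PreparedStatement variant twice, once with a plain value and once with an
	 * injection-shaped value, to show that the bound parameter does not change the query. The
	 * Statement calls are left commented out so the vulnerable path is not executed by default.
	 *
	 * @param args unused
	 */
	public static void main(String[] args) {
		System.out.println("--1. Statement인경우-------------- ");
//		statementTest("2000"); // 5000 or 1 =1
//		statementTest("5000 or 1 =1");

		System.out.println("\n--2. PreparedStatement인경우 ------------");
		preparedStatementTest("2000"); // 5000 or 1 = 1
		// With a bound parameter the injection attempt stays a single value.
		preparedStatementTest("2000 or 1 =1");
	}

}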

 
