#include <iostream>
#include <memory>
#include <regex>
#include <string>
#include <vector>

#include <mysql_driver.h>
#include <mysql_connection.h>
#include <cppconn/exception.h>
#include <cppconn/statement.h>
#include <cppconn/prepared_statement.h>
#include <cppconn/resultset.h>
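class DatabaseUtils {
public:
    // Opens a connection to the MySQL server and selects the working schema.
    //
    // The defaults reproduce the values the original code hard-coded. They are
    // exposed as parameters so that the endpoint and credentials can be supplied
    // from configuration instead of living in source: a committed password is
    // visible to anyone with repository access and cannot be rotated without a
    // rebuild.
    //
    // Returns an owning raw pointer the caller must `delete` (or hand to a
    // std::unique_ptr<sql::Connection>), or nullptr when the driver reports an
    // error (the error is written to std::cerr).
    static sql::Connection* connect(const std::string& url = "tcp://127.0.0.1:3306",
                                    const std::string& user = "mayi",
                                    const std::string& password = "123456",
                                    const std::string& schema = "your_database") {
        try {
            sql::mysql::MySQL_Driver* driver = sql::mysql::get_mysql_driver_instance();
            // Own the connection while it is being set up so that a failing
            // setSchema() releases it instead of leaking it on the throw path.
            std::unique_ptr<sql::Connection> con(driver->connect(url, user, password));
            con->setSchema(schema);
            return con.release();
        } catch (const sql::SQLException& e) {
            std::cerr << "数据库连接错误: " << e.what() << std::endl;
            return nullptr;
        }
    }

    // Heuristic keyword screen for a SQL string (simple regex check).
    //
    // This is a deny-list, not an injection defence: the actual protection is
    // executing the statement with bound parameters (see executeSafeQuery),
    // which keeps user-supplied values out of the SQL text altogether. The
    // pattern also rejects legitimate statements that merely contain one of the
    // keywords anywhere -- including `SELECT * FROM ...` and identifiers such
    // as `updated_at` -- so callers should expect both false positives and
    // false negatives.
    //
    // Returns true when none of the listed keywords occur (case-insensitive).
    static bool isSafeSQL(const std::string& sql) {
        // Compiled once: std::regex construction is expensive and the pattern
        // never changes. regex_search only reads the object, so sharing the
        // static across calls is safe.
        static const std::regex injectionRegex(
            "(drop|delete|update|insert|select\\s+\\*\\s+from)",
            std::regex_constants::icase);
        return !std::regex_search(sql, injectionRegex);
    }

    // Executes `sql` as a prepared statement, binding params[i] to the 1-based
    // placeholder i+1 as a string, and returns the result set.
    //
    // `sql` must be a fixed, trusted statement template containing `?`
    // placeholders; every untrusted value belongs in `params`, where the
    // connector binds it as data rather than splicing it into the query text.
    //
    // Ownership: the caller owns the returned sql::ResultSet and must delete
    // it. The sql::PreparedStatement that produced it is deliberately not
    // deleted on the success path, as in the original: this interface gives the
    // caller no handle to it, and the result set presumably depends on the
    // statement staying alive. NOTE(review): that is one leaked statement per
    // successful call -- confirm against the connector version in use whether a
    // ResultSet remains valid after its statement is deleted before changing it.
    //
    // Returns nullptr (after logging to std::cerr) when `con` is null or the
    // connector throws sql::SQLException.
    static sql::ResultSet* executeSafeQuery(sql::Connection* con, const std::string& sql,
                                            const std::vector<std::string>& params) {
        if (con == nullptr) {
            // The original dereferenced `con` unconditionally; fail like the
            // other error paths instead of crashing.
            std::cerr << "查询执行错误: null connection" << std::endl;
            return nullptr;
        }
        try {
            // unique_ptr guards the error path: if setString() or executeQuery()
            // throws, the statement is released instead of leaked.
            std::unique_ptr<sql::PreparedStatement> pstmt(con->prepareStatement(sql));
            for (size_t i = 0; i < params.size(); ++i) {
                // Placeholder indices are 1-based unsigned ints in the connector API.
                pstmt->setString(static_cast<unsigned int>(i + 1), params[i]);
            }
            sql::ResultSet* res = pstmt->executeQuery();
            // Success: give up ownership so the result set's statement survives
            // (see the ownership note above).
            (void)pstmt.release();
            return res;
        } catch (const sql::SQLException& e) {
            std::cerr << "查询执行错误: " << e.what() << std::endl;
            return nullptr;
        }
    }
};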
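// Connects, screens a fixed query, runs it with one bound parameter and prints
// the first column of every row.
//
// Exit status: 0 on success, 1 when the connection cannot be opened, the query
// fails the isSafeSQL screen, or executing/reading the result fails -- so a
// calling script can tell the difference (the original returned 0 in every
// case).
int main() {
    // unique_ptr releases the connection and the result set on every exit
    // path, including an exception thrown from next()/getString() that the
    // original would have leaked past. `res` is declared after `con` so it is
    // destroyed first.
    std::unique_ptr<sql::Connection> con(DatabaseUtils::connect());
    if (!con) {
        return 1;  // connect() has already reported the error
    }

    std::string sql = "SELECT * FROM your_table WHERE column_name =?";
    std::vector<std::string> params = {"test_value"};

    // NOTE: isSafeSQL rejects `SELECT * FROM` (case-insensitive), so this query
    // as written fails the screen and the program reports a risk without
    // running it. Naming the columns explicitly passes the check; the injection
    // protection itself comes from the bound parameter, not from this screen.
    if (!DatabaseUtils::isSafeSQL(sql)) {
        std::cerr << "潜在的SQL注入风险" << std::endl;
        return 1;
    }

    std::unique_ptr<sql::ResultSet> res(
        DatabaseUtils::executeSafeQuery(con.get(), sql, params));
    if (!res) {
        return 1;  // executeSafeQuery() has already reported the error
    }

    try {
        while (res->next()) {
            // Process the row: print its first column.
            std::cout << res->getString(1) << std::endl;
        }
    } catch (const sql::SQLException& e) {
        // Reading rows can fail too (e.g. the connection drops mid-fetch).
        std::cerr << "查询执行错误: " << e.what() << std::endl;
        return 1;
    }
    return 0;
}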