如何解决通过替换子字符串形成查询部分时的SQL注入问题？-解网

问：

在我的 Java 类中，我有这样的方法。当我运行静态代码分析时，我在 sql.replaceAll 行中获得 sql 注入。值如下所示。如何解决此问题？在我看来，我们不能在这里使用 PreparedStatement。studentFilterschoolName = 'ABCD' AND state = 'TEXAS'

private Long getStudentCount(String studentFilter) {
private final NamedParameterJdbcTemplate template; //This is declared at class level
private static final String sql = "select count(name) from student 
                                   wheree marks > 90 AND
                                   dateOfBirth = :dob AND
                                   ( --STUDENT_CONFIG--)";
MapSqlParameterSource sqlParams= new MapSqlParameterSource ();
sqlParams.addValue("dob", "19900101");

return template.queryForObject(sql.replaceAll("--STUDENT_CONFIG--", studentFilter, sqlParams, Long.class)

}

java sql 注入

interface Condition {
    String propertyName();  // Could be checked against explicit list of allowed names
    String operation();     // Could be checked against explicit list of operations
    String expectedValue(); // Could be injected through placeholder
}

List<Condition> studentFilter = ...

for (int i = 0; i < studentFilter.size(); i++) {
    Condition c = studentFilter.get(i);
    sql += " AND " + c.propertyName() + " " + c.operation() + " :placeHolder" + i;
    sqlParams.addValue("placeHolder" + i, c.expectedValue());
}

上一个：我可以使用 if 语句来防止 SQL 注入吗？

下一个：如何在 Stata 的 SQL 注入中匹配字符串？

如何解决通过替换子字符串形成查询部分时的SQL注入问题？

How to solve SQL injection issue when the part of query is formed by replacing substring?

评论

评论

评论