druid 普通的查询语句涉及到SQL注入的问题
添加WallFilter后,运行报SQL注入。
报错的代码如下:
public List<CourseResearch> findByCourseCode(String courseCode){
String sqlClause = "SELECT * FROM courseresearch WHERE researchcoursecode=?";
return CourseResearch.dao.find(sqlClause, courseCode);
}java.sql.SQLException: sql injection violation : SELECT * FROM courseresearch WHERE researchcoursecode=? ...... ...... com.alibaba.druid.sql.parser.ParserException: TODO : EQ WHERE researchcoursecode ..... 一句简单的SQL怎么就会出现SQL注入呢,请大神们给解决下,谢谢!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(14)
形式是这样的 Insert into Table2(field1,field2,...) select value1,value2,... from Table1
中文问号?
回复
这我就不清楚了,请仔细参照Druid关于防止注入的说明
为什么没用系统函数sys_guid(),就不会出现SQL注入呢?
谢谢你们耐心的回答。。。好的,请问下有关于Druid防注入的参考资料或链接吗?请提供一份谢谢
回复
https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter
引用来自“vitoshu”的评论
再次遇到这样的问题
insert into BudgetControl value (id, controlyear, controlorgid, controllock, create_op, budgetattribute) select /*+ connect_by_filtering */ sys_guid() as id, 2015 as controlyear, id as controlorgid, 1 as controllock, '097361' as create_op, 1 as budgetattribute from org where orgisdeleted = '89' START WITH orgprntorgfk = '0100000000' or id = '0100000000' CONNECT BY PRIOR id = orgprntorgfk这段SQL代码也报SQL注入,请帮我检查下,谢谢
找到问题了,不可以带系统函数sys_guid().
再次遇到这样的问题
insert into BudgetControl value (id, controlyear, controlorgid, controllock, create_op, budgetattribute) select /*+ connect_by_filtering */ sys_guid() as id, 2015 as controlyear, id as controlorgid, 1 as controllock, '097361' as create_op, 1 as budgetattribute from org where orgisdeleted = '89' START WITH orgprntorgfk = '0100000000' or id = '0100000000' CONNECT BY PRIOR id = orgprntorgfk这段SQL代码也报SQL注入,请帮我检查下,谢谢
courseresearch WHERE这两个字符中间是不是用了中文全角空格?
换过了,还是依然报那错
那个问号 貌似不大对 你多换一个
请问下,EQ WHERE 这是什么解析异常,我查看您的WallFilter源代码,没找到具体描述性语句
中文问号?