Security risks of the GAE datastore and JDOQL
I just started working on a project that will run on google app engine (GAE). I'm using java (wicket) with some ajax.
I'm experienced with relational databases and typically use something like iBatis. When going through the docs and examples for the GAE datastore using JDO I see that they're executing stuff like:
String query = "select from " + Employee.class.getName() + " where lastName == 'Smith'";
List<Employee> employees = (List<Employee>) pm.newQuery(query).execute();
Does anyone know if this JDOQL query is subject to security problems like SQL injection? If so, is there any way to remedy this?
Comments (3)
Yes, that is subject to sql injection (well, JDOQL injection in this case). You should use parameters instead, as in the examples in the GAE/J documentation.
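To make the remedy concrete, here is an added example (not code from the question, the answer or the GAE documentation) that places the concatenated query from the question next to its parameterized form. It assumes a persistent `Employee` class with a `lastName` field and a `PersistenceManager` obtained from the application's `PersistenceManagerFactory`.

```java
import java.util.ArrayList;
import java.util.List;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

public class EmployeeQueries {

    // The pattern from the question, with the last name supplied at runtime.
    // It is only safe while lastName is a literal written by the developer:
    // once the value comes from a request, it becomes part of the JDOQL text
    // and can change the meaning of the filter (JDOQL injection).
    @SuppressWarnings("unchecked")
    public static List<Employee> findByLastNameUnsafe(PersistenceManager pm,
                                                      String lastName) {
        String jdoql = "select from " + Employee.class.getName()
                + " where lastName == '" + lastName + "'";
        return (List<Employee>) pm.newQuery(jdoql).execute();
    }

    // Remedy: declare a named parameter and hand the value to execute().
    // The value is bound as data and is never parsed as part of the filter,
    // so quotes or operators inside it cannot alter the query.
    // Employee.class.getName() stays in the code: the class name is chosen
    // by the developer, not by the user.
    @SuppressWarnings("unchecked")
    public static List<Employee> findByLastName(PersistenceManager pm,
                                                String lastName) {
        Query query = pm.newQuery(Employee.class);
        query.setFilter("lastName == lastNameParam");
        query.declareParameters("String lastNameParam");
        try {
            List<Employee> results = (List<Employee>) query.execute(lastName);
            // Copy before closing: GAE result lists are loaded lazily.
            return new ArrayList<Employee>(results);
        } finally {
            query.closeAll();
        }
    }
}
```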
Yes, in general it's vulnerable to injection vulnerabilities. In the examples in the docs, though, it doesn't apply - the class name is controlled by the author of the app, and the last name in this case is a literal string.
Any JDOQL query is translated into the equivalent underlying query. In RDBMS it just happens to be SQL. In GAE/J it is their query API. That means it isn't definite that there is any "injection" of anything. You are the application developer and you define the queries, hence you have full control over such things.