如何安全地将参数注入字符串DB查询java?

时间:2016-11-01 17:18:58

标签: java database google-bigquery sql-injection

我有这个bigQuery示例代码:

List<TableRow> rows =
                executeQuery(
                        "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
                                + "FROM [publicdata:samples.shakespeare]",
                        bigquery,
                        PROJECT_ID);

如果我想安全地将国家注入该字符串

我该怎么做?

我想避免sql注入的风险,这是有风险的:

public void foo(String countryParam) {
    List<TableRow> rows =
                    executeQuery(
                            "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = '"+countryParam+"' " +
                                    + "FROM [publicdata:samples.shakespeare]",
                            bigquery,
                            PROJECT_ID);
}

更新

无法找到Elliott Brossard建议的明显例子:

public List<String> getVenuesForBrand(BrandChangeDataUi brandChangeDataUi) throws IOException {
    QueryParameter param = new QueryParameter();
    param.setName("country");
    param.setParameterValue(new QueryParameterValue().setValue("USA"));
    param.setParameterType(new QueryParameterType().setType("string"));

    List<QueryParameter> params =  new ArrayList<>();
    params.add(param);

    JobConfigurationQuery jobConfigurationQuery = new JobConfigurationQuery();
    jobConfigurationQuery.setQueryParameters(params);

    jobConfigurationQuery.setQuery( "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
                                    + "FROM [publicdata:samples.shakespeare]");



    List<TableRow> rows =
            executeQuery(
                    jobConfigurationQuery.toString(),
                    bigquery,
                    PROJECT_ID);

    printResults(rows);

    return null;
}

1 个答案:

答案 0 :(得分:1)

查看jobs.query reference下的queryParameters。对于Java API,它们被记录为JobConfigurationQuery的一部分。请注意,查询参数仅可使用standard SQL

相关问题
最新问题