My query is:

    def selectQuery = "select ins"
    def fromQuery = " from InstitutionStudent ins"
    def whereQuery = " where ins.institution=:inst"
    def compareQuery = [inst:inst]
And the other query:

    if (params.pAddress != "") {
        // the address value is spliced directly into the HQL text here
        whereQuery += " and ins.address='" + address + "'"
        def check = InstitutionStudent.executeQuery(
            "SELECT ins FROM InstitutionStudent ins WHERE ins.institution=:inst and ins.address='" + address + "'",
            [inst:inst])
    }
which produces the advanced search query:

    def allQuery = selectQuery + fromQuery + whereQuery
    def finalQuery = InstitutionStudent.executeQuery(allQuery.toString(), compareQuery)

But this leaves the possibility of an injection attack. How can I pass parameterized queries to this query in order to prevent it?
Answer 0 (score: 0)

You can use the usual named parameters:

    if (params.pAddress != "") {
        whereQuery += " and ins.address = :address"
        compareQuery.address = address
        def check = InstitutionStudent.executeQuery(
            "SELECT ins FROM InstitutionStudent ins WHERE ins.institution=:inst and ins.address=:address",
            [inst:inst, address:address])
    }
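The answer's point generalises to any number of optional filters: every optional clause adds a placeholder to the HQL string and a value to the binding map, so user input never becomes part of the query text. The following is an added example, not code from the question or the answer. It is plain Groovy with no GORM or database, so it only builds the HQL text and the parameter map that would be passed to `executeQuery`; the names `StudentQuery`, `buildStudentQuery`, the `pName` filter and the sample values are assumptions made for the illustration.

```groovy
// Added example: assembling a dynamic HQL WHERE clause while keeping every
// user-supplied value in the named-parameter map (pure Groovy, no Grails).
// StudentQuery, buildStudentQuery and the sample filters are assumed names.

class StudentQuery {
    String hql
    Map<String, Object> params
}

// 'inst' is the institution the caller has already resolved; 'filters' is
// the request parameter map (the 'params' object in a Grails controller).
StudentQuery buildStudentQuery(Object inst, Map filters) {
    def clauses = ["ins.institution = :inst"]
    def binding = [inst: inst]

    // Each optional filter contributes a placeholder to the HQL and a value
    // to the map; the value itself never touches the query string, so quotes
    // or other special characters in it are inert.
    // Groovy truth treats both null and "" as absent, which covers the
    // params.pAddress != "" check from the question.
    if (filters.pAddress) {
        clauses << "ins.address = :address"
        binding.address = filters.pAddress
    }
    if (filters.pName) {
        clauses << "lower(ins.name) like :name"
        // wildcards are added on the value side, not in the HQL text
        binding.name = "%${filters.pName.toLowerCase()}%".toString()
    }

    new StudentQuery(
        hql: "select ins from InstitutionStudent ins where " + clauses.join(" and "),
        params: binding
    )
}

// Constructed sample input: an address containing an apostrophe, which breaks
// the concatenated query from the question but is harmless as a bound value.
def q = buildStudentQuery("inst-1", [pAddress: "12 O'Connor Street", pName: "Ann"])

assert q.hql == "select ins from InstitutionStudent ins where " +
        "ins.institution = :inst and ins.address = :address and lower(ins.name) like :name"
assert q.params == [inst: "inst-1", address: "12 O'Connor Street", name: "%ann%"]
assert !q.hql.contains("O'Connor")   // the literal stays out of the query text

println q.hql
println q.params
// In a Grails controller this pair would be executed as:
//   InstitutionStudent.executeQuery(q.hql, q.params)
```

Keeping the clause list and the binding map in step is the whole discipline: a clause is only ever appended together with the map entry that fills its placeholder, so there is no code path in which a raw request value is concatenated into `hql`.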