I am working on fixing SQL injection. I have changed my DAO layer to parameterize my criteria (prepared statements). On screen I have a grid that allows the data to be sorted. My question: after "order by xyz", can there be any SQL injection? Please note: "xyz" is sent from the UI.
For example:
Normal : Select employeeNumber, employeeName from employee order by employeeNumber
Injection : Select employeeNumber, employeeName from employee order by employeeNumber;
delete from employee
At the DAO layer I am using Spring and Hibernate.
Do I need to handle the ";" while setting a dynamic Order By in the query?
In short: how should SQL injection be handled for a dynamic Order By clause?
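One way to handle the dynamic ORDER BY is shown below as an added example; it is not code from the question or from Spring/Hibernate. Column names and ASC/DESC cannot be bound as prepared-statement parameters, so the UI value is never placed into the SQL string; it is only used as a key into a fixed allowlist of trusted column names, and anything else (including "employeeNumber; delete from employee") is rejected. The table and columns come from the question; the `department` filter column, the JDBC-style DAO method and the class name are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Map;

/**
 * Added example (not from the original question): an allowlist for the dynamic
 * ORDER BY of the employee grid. The UI-supplied sort key is looked up in a map
 * of known columns; the SQL only ever contains values taken from that map.
 */
public final class EmployeeSortAllowlist {

    // UI sort key -> real column name. Only these columns may be sorted on.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
            "employeeNumber", "employeeNumber",
            "employeeName", "employeeName");

    private EmployeeSortAllowlist() { }

    /**
     * Returns a safe "column DIRECTION" fragment, or throws if the UI sent a
     * column or direction that is not in the allowlist.
     */
    public static String orderByFragment(String uiColumn, String uiDirection) {
        String column = SORTABLE_COLUMNS.get(uiColumn);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        // Direction is normalised to one of two literals; anything else is rejected.
        String direction = uiDirection == null
                ? "ASC"
                : uiDirection.trim().toUpperCase(Locale.ROOT);
        if (!direction.equals("ASC") && !direction.equals("DESC")) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return column + " " + direction;
    }

    /**
     * Hypothetical DAO method (assumed for the example): user data in the WHERE
     * clause is a bind parameter; the ORDER BY is built only from allowlisted literals.
     */
    public static void listEmployees(Connection conn, String department,
                                     String uiColumn, String uiDirection) throws SQLException {
        String sql = "select employeeNumber, employeeName from employee "
                   + "where department = ? order by " + orderByFragment(uiColumn, uiDirection);
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, department); // user data goes through a bind parameter
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getInt("employeeNumber") + " "
                            + rs.getString("employeeName"));
                }
            }
        }
    }

    public static void main(String[] args) {
        System.out.println(orderByFragment("employeeName", "desc"));
        try {
            // Constructed input mirroring the injection attempt in the question.
            orderByFragment("employeeNumber; delete from employee", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist idea applies unchanged when the query is built with Hibernate or JPA instead of plain JDBC: the validated column name is passed to the ordering API (for example `root.get(column)` with `CriteriaBuilder.asc`/`desc`) rather than concatenated from the raw UI value, so the question of escaping ";" never arises because the UI string is never part of the query.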