Jira groovy script error

Time: 2014-08-22 08:25:04

Tags: groovy jira

I am fetching records in groovy from a SQL table or function. Example:

import groovy.sql.Sql

String subeKodu = get_sube_kodu_bul(matcher[0][1])

private String get_sube_kodu_bul(String subeAdi) {
   def sql = Sql.newInstance("jdbc:jtds:sqlserver://10.xx.xx.xx:1433/DBNAME", "usrname","pass", "net.sourceforge.jtds.jdbc.Driver")
   subeAdi = subeAdi.trim()
   // The quoted '${subeAdi}' is interpolated as plain text, which is what triggers the warning below
   def row = sql.firstRow("SELECT TOP 1 SUBE_KODU FROM TABLENAME WHERE SUBE_ADI= '${subeAdi}'")
   row != null ? (String)row.SUBE_KODU : ''
}

But I get the following error:

WARNING: In Groovy SQL please do not use quotes around dynamic expressions (which start with $) as this means we cannot use a JDBC PreparedStatement and so is a security hole. Groovy has worked around your mistake but the security hole is still there. The expression so far is: SELECT TOP 1 YETKILI FROM TABLENAME WHERE SUBE_ADI = '?'

1 answer:

Answer 0: (score: 4)

Groovy is complaining that your code may be vulnerable to a SQL injection attack.

The correct way to do this is to use JDBC Prepared Statements. In Groovy you can do it as follows:

sql.firstRow("SELECT TOP 1 SUBE_KODU FROM TABLENAME WHERE SUBE_ADI= ?", [subeAdi])

For more examples of this, see the Groovy SQL tutorial and search for "prepared statements".

Also, don't forget to call close() when you are done.
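As an added example (not code from the question or the answer), the lookup rewritten with a bound parameter, plus the equivalent unquoted-GString form, with the connection closed automatically; the host, credentials, table and column names are placeholders carried over from the question:

```groovy
import groovy.sql.Sql

// Assumed connection details (placeholders, not the poster's real host or credentials).
final String JDBC_URL  = "jdbc:jtds:sqlserver://DB_HOST:1433/DBNAME"
final String JDBC_USER = "usrname"
final String JDBC_PASS = "pass"
final String JDBC_DRV  = "net.sourceforge.jtds.jdbc.Driver"

/**
 * Look up SUBE_KODU for a branch name through a JDBC PreparedStatement.
 * The '?' placeholder is bound to subeAdi by the driver, so quotes or other
 * special characters in the name are sent as data, never parsed as SQL.
 */
String getSubeKodu(Sql sql, String subeAdi) {
    def row = sql.firstRow(
        "SELECT TOP 1 SUBE_KODU FROM TABLENAME WHERE SUBE_ADI = ?",
        [subeAdi.trim()])
    row ? (row.SUBE_KODU as String) : ''
}

/**
 * Equivalent form: an UNQUOTED GString expression is also turned into a bound
 * parameter by Groovy SQL. Only wrapping ${...} in quotes, as in the question,
 * makes Groovy fall back to text interpolation and print the warning.
 */
String getSubeKoduGString(Sql sql, String subeAdi) {
    def name = subeAdi.trim()
    def row = sql.firstRow("SELECT TOP 1 SUBE_KODU FROM TABLENAME WHERE SUBE_ADI = ${name}")
    row ? (row.SUBE_KODU as String) : ''
}

// withInstance opens the connection, runs the closure and always closes it,
// so the close() call the answer mentions cannot be forgotten on an error path.
Sql.withInstance(JDBC_URL, JDBC_USER, JDBC_PASS, JDBC_DRV) { Sql sql ->
    // Constructed sample input containing an apostrophe: a bound parameter
    // matches it literally, whereas the quoted-interpolation version would
    // have produced a broken statement.
    println getSubeKodu(sql, "O'Brien Subesi ")
    println getSubeKoduGString(sql, "O'Brien Subesi ")
}
```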