In my Java application I use OPENQUERY to run a SQL query against a remote linked MSSQL server and fetch the result. Here is an example of the OPENQUERY I am using:
SELECT 1 FROM OPENQUERY(LINK_SERVER1, 'SELECT 1 FROM TABLE_ABC');
In my Java class I execute the OPENQUERY above with a PreparedStatement, like this:
String linkServerName = "LINK_SERVER1";              // linked server name (identifier)
String remoteQuery = "'SELECT 1 FROM TABLE_ABC'";    // remote query, already quoted as a T-SQL literal
String openQuery = "SELECT 1 FROM OPENQUERY(" + linkServerName + ", " + remoteQuery + ")";
PreparedStatement ps = connection.prepareStatement(openQuery);
ps.executeQuery();
The code above works as expected. The problem is that it is open to SQL injection, and HP Fortify reports it as a SQL injection vulnerability.
I tried changing the code above to use setString on the PreparedStatement, as shown below.
String linkServerName = "LINK_SERVER1";
String remoteQuery = "'SELECT 1 FROM TABLE_ABC'";
String openQuery = "SELECT 1 FROM OPENQUERY(?, ?)";  // both OPENQUERY arguments as bind parameters
PreparedStatement ps = connection.prepareStatement(openQuery);
ps.setString(1, linkServerName);
ps.setString(2, remoteQuery);
ps.executeQuery();
But the code above does not work as I expect. At runtime I get an exception when calling ps.executeQuery():
java.sql.SQLException: Incorrect syntax near '@P0'.
I don't understand what is wrong with the code above. It seems that the MSSQL JDBC driver doesn't like it, and calling setString on the PreparedStatement does not set the parameters correctly.
Has anyone run into this problem and solved it? Any suggestions on how to fix it are appreciated.
java.sql.SQLException: Incorrect syntax near '@P0'.
at net.sourceforge.jtds.jdbc.SQLDiagnostic.addDiagnostic(SQLDiagnostic.java:365)
at net.sourceforge.jtds.jdbc.TdsCore.tdsErrorToken(TdsCore.java:2781)
at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2224)
at net.sourceforge.jtds.jdbc.TdsCore.getMoreResults(TdsCore.java:628)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQLQuery(JtdsStatement.java:418)
at net.sourceforge.jtds.jdbc.JtdsPreparedStatement.executeQuery(JtdsPreparedStatement.java:693)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:76)
at com.aviseurope.rm.fcst.modules.service.HealthCheckServiceImpl.canConnectToBiSsde(HealthCheckServiceImpl.java:658)
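Added example, not code from the question above: OPENQUERY takes the linked server as an identifier and the remote query as a string literal, so neither position can be a JDBC bind parameter (hence the '@P0' syntax error). The usual defensive answer is to keep both values out of caller control entirely: allow-list the linked server names and keep the remote queries as fixed constants, then build the statement from those. The class, server names and query key below are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.Set;

/** Builds OPENQUERY statements from allow-listed values only (illustrative, assumed names). */
public final class SafeOpenQuery {

    // Linked servers this application may query; anything else is rejected (assumed names).
    private static final Set<String> ALLOWED_LINKED_SERVERS = Set.of("LINK_SERVER1", "LINK_SERVER2");

    // Fixed remote queries keyed by a logical name; the application never accepts raw SQL text.
    private static final Map<String, String> REMOTE_QUERIES = Map.of(
            "healthCheck", "SELECT 1 FROM TABLE_ABC");

    /**
     * Returns the OPENQUERY text for an allow-listed linked server and a known remote query.
     * OPENQUERY cannot take '?' parameters, so safety comes from the allow-lists above,
     * not from the JDBC driver.
     */
    static String build(String linkedServer, String queryKey) {
        if (!ALLOWED_LINKED_SERVERS.contains(linkedServer)) {
            throw new IllegalArgumentException("linked server not allowed: " + linkedServer);
        }
        String remote = REMOTE_QUERIES.get(queryKey);
        if (remote == null) {
            throw new IllegalArgumentException("unknown remote query: " + queryKey);
        }
        // Double any single quote so the T-SQL literal cannot be terminated early.
        String literal = remote.replace("'", "''");
        return "SELECT 1 FROM OPENQUERY(" + linkedServer + ", '" + literal + "')";
    }

    /** Runs the fixed health-check query against one allow-listed linked server. */
    static boolean canConnect(Connection connection, String linkedServer) throws SQLException {
        String sql = build(linkedServer, "healthCheck");
        try (PreparedStatement ps = connection.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return rs.next();
        }
    }
}
```

Static analysers may still flag the concatenation; the point to document for the review is that every concatenated piece originates from a compile-time constant, never from request or configuration input that an attacker could influence.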