的EclipseLink-漏洞?简单的本机SQL查询异常

时间:2015-09-17 09:54:16

标签: eclipselink

我无法使用EclipseLink执行以下查询:

String query = "insert into A_TEST (TEST_NAME) values ('Ain''t it cool? It''s cool, or?')";


    EntityManagerFactory emf = Persistence.createEntityManagerFactory("jdbc-unit");
    EntityManager em = null;

    try {
        em = emf.createEntityManager();
        em.getTransaction().begin();

        Query q = em.createNativeQuery(query);
        //q.setHint(QueryHints.BIND_PARAMETERS, HintValues.FALSE);
        q.executeUpdate();

        em.getTransaction().commit();

    } catch (Exception ex) {
        ex.printStackTrace();
    } finally {
        try {
            if (em != null) {
                if (em.getTransaction().isActive()) 
                    em.getTransaction().rollback();
                em.close();
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

堆栈跟踪:

javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: Ungültiger Spaltenindex
Error Code: 17003
Call: insert into A_TEST (TEST_NAME) values ('Ain''t it cool? It''s cool, or?)
bind => [1 parameter bound]
Query: DataModifyQuery(sql="insert into A_TEST (TEST_NAME) values ('Ain''t it cool? It''s cool, or?)")
at org.eclipse.persistence.internal.jpa.QueryImpl.executeUpdate(QueryImpl.java:308)
at persistence.test.ErrorTest.main(ErrorTest.java:43)

我发现问题出在问号和引号上。如果我删除它是有效的。这些字符的顺序似乎也很重要。

有人知道这个问题吗?

PS:行" q.setHint(QueryHints.BIND_PARAMETERS,HintValues.FALSE);"另有例外。

我已经解决了它:q.setHint(QueryHints.BIND_PARAMETERS,HintValues.TRUE);适合我

1 个答案:

答案 0 :(得分:2)

我会继续查询参数来为我做适当的转义。检查EclipseLink help pages。如果此类查询的一部分是用户输入,则将整个SQL作为String传递也可能导致安全问题(SQL注入)。

query = "insert into A_TEST (TEST_NAME) values (?)";
...
query.setParameter(1, "Ain't it cool? It's cool, or?");