如果我插入引号符号"在codContract参数中,我收到以下错误。
查询数据库时出错。原因:java.sql.SQLSyntaxErrorException: ORA-00972:标识符太长
mappers / exist.xml中可能存在错误。错误可能涉及 com.iv.queryinterface.AssistenzaMapper.getTitlesFromCodContratct内联 设置参数
时发生错误
SQL:
SELECT t.id_title,
c.des_lastname,
c.des_firstname,
to_char(t.dta_raw, 'DD/MM/YYYY') AS DTA_RAW,
DECODE(t.cod_statustitle, '1', 'Raw', '2', 'Stated') AS STATUS_TITLE
FROM Ivf_Policy p,
Ivf_Title t,
Ivg_Client c,
Ivf_Price pr
WHERE Cod_Contract = TEST
AND p.id_policy = t.id_policy
AND t.cod_type_title IN(2, 3, 13)
AND t.cod_statustitle IN(1, 2)
AND t.cod_client = c.cod_client
AND t.id_price = pr.id_price;
原因:java.sql.SQLSyntaxErrorException:ORA-00972:标识符也是如此 长
在这个例子中,我设置了#34; TEST作为codContract参数的值。我的问题是:
这是一个可利用的SQL注入还是误报,只是将sql错误输出到堆栈跟踪中?
答案 0 :(得分:0)
代码易受SQL注入攻击,并且不会转义。所有这些都可以通过使用PreparedStatement来避免。查询字符串不是动态组合的。
现在"TEST是SQL标识符的第一部分,直到结束双引号。
我不想指导读者黑客攻击,但想想像
"'' OR 1=1 "
+ "UNION SELECT u.login, u.password, '', '', '', '' "
+ "FROM users"
+ "\u0000-- ";
可能会揭示数据。
答案 1 :(得分:0)
使用java.sql.PreparedStatement来避免SQL注入。
String query =
"SELECT " +
" t.id_title , " +
" c.des_lastname , " +
" c.des_firstname , " +
" TO_CHAR(t.dta_raw, 'DD/MM/YYYY') AS DTA_RAW, " +
" DECODE(t.cod_statustitle, '1', 'Raw', '2', 'Stated') AS STATUS_TITLE " +
"FROM " +
" Ivf_Policy p, " +
" Ivf_Title t, " +
" Ivg_Client c, " +
" Ivf_Price pr " +
"WHERE " +
"1 = 1 AND " +
" Cod_Contract = ? " +
"AND p.id_policy = t.id_policy " +
"AND t.cod_type_title IN(2, " +
" 3, " +
" 13) " +
"AND t.cod_statustitle IN(1, " +
" 2) " +
"AND t.cod_client = c.cod_client " +
"AND t.id_price = pr.id_price;";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, 'TEST');
ResultSet rs = stmt.executeQuery();
答案 2 :(得分:0)
为避免SQL注入,请不要将参数值直接附加到SQL查询。 改为使用绑定变量。
感谢。