java避免使用orderby,使用Order By的准备好的语句来防止SQL注入Java
文章图片
I have a query with where conditions , order by and limit. I am using prepared statements to set the where conditions and limit. Currently i am using string append for order by which causing SQL injection vulnerability.
【java避免使用orderby,使用Order By的准备好的语句来防止SQL注入Java】I cannot use set string to order by like this order by ? ? SQL Order functionality not working if i do like this.
Example query:
SELECT siteid, technology, address, state, status FROM archive LEFT OUTER
JOIN mappings ON siteid = child_site_id order by siteid asc limit ? offset ?
SELECT siteid, technology, address, state, status FROM archive LEFT OUTER
JOIN mappings ON siteid = child_site_id order by siteid asc limit 10 offset 0
Any other way i can do this to avoid SQL injection.
解决方案
Do something like this and concatenate it:
List allowedSortableColumns = Arrays.asList(new String[]{"siteid", "technology", "address"})
if(! allowedSortableColumns.contains(sortByColumn)){
throw new RuntimeException("Cannot sort by: " + sortByColumn);
}
// Continue here and it's safe to concatenate sortByColumn...
You can do sanitization and other stuff, but this should work in your case
推荐阅读
- vue中methods、mounted等的使用方法解析
- java|java springboot邮箱找回密码功能的实现讲解
- Java|Java @Transactional指定回滚条件
- spingboot|java计算机毕业设计基于springboot+vue+elementUI的口腔管理平台管理系统(前后端分离)
- React|<react求和案例>react-redux基本使用与优化——Provider/mapDispatch
- day08-Java面向对象三(代码块/继承/final)
- kubernetes|使用k8e快速部署Kubernetes集群服务
- java|Hessian 序列化、反序列化
- java|幸福里 C 端 iOS 编译优化实践-优化 40% 耗时
- 大数据|抖音 Android 性能优化系列(Java 锁优化)