
Native SQL query - SQL Injection Attack

I'm working with JPA. How could my application be SQL injection safe if I'm using a native SQL query (not an entity query)? I need to build the native SQL query with the data submitted by a user from an HTML form.

If I use parameters in the native SQL I can avoid SQL injection attacks, but my problem is that I can't be sure how many data fields are being submitted by the user.

You should use positional parameter binding:

String queryString = "select * from EMP e where e.name = ?1"; // ?1 is a positional parameter, not concatenated text
Query query = em.createNativeQuery(queryString, Employee.class);
query.setParameter(1, "Mickey"); // the user-supplied value is bound, never spliced into the SQL

Please note that you should not use named parameter binding ( :empName ) in your query, as the JPA spec says:

Only positional parameter binding may be portably used for native queries.

This should secure you from SQL injection attacks.
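As an added example (not part of the original answer) of applying this to the question's variable number of form fields: column names cannot be bound as parameters, so they come from a fixed allow-list, while every submitted value is bound through a positional parameter. It assumes an Employee entity mapped to table EMP, an injected EntityManager `em`, and the javax.persistence API.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Added example, not from the original answer. Assumes an Employee entity
// mapped to table EMP and an EntityManager supplied by the container.
public class EmployeeSearch {

    // Column names cannot be bound as parameters, so the only safe way to let
    // the form choose which columns to filter on is a fixed allow-list.
    private static final Set<String> ALLOWED_COLUMNS = Set.of("name", "dept", "city");

    private final EntityManager em;

    public EmployeeSearch(EntityManager em) {
        this.em = em;
    }

    /**
     * Builds the native query from whatever fields the form submitted.
     * Only the SQL structure is assembled as text; every user-supplied
     * value goes through a positional parameter (?1, ?2, ...).
     */
    public List<Employee> search(Map<String, String> submitted) {
        StringBuilder sql = new StringBuilder("select * from EMP e");
        List<String> values = new ArrayList<>();

        for (Map.Entry<String, String> field : submitted.entrySet()) {
            String column = field.getKey();
            if (!ALLOWED_COLUMNS.contains(column)) {
                // Unknown column name: refuse rather than concatenate it.
                throw new IllegalArgumentException("unsupported field: " + column);
            }
            values.add(field.getValue());
            sql.append(values.size() == 1 ? " where " : " and ")
               .append("e.").append(column).append(" = ?").append(values.size());
        }

        Query query = em.createNativeQuery(sql.toString(), Employee.class);
        for (int i = 0; i < values.size(); i++) {
            query.setParameter(i + 1, values.get(i)); // positional, 1-based
        }
        @SuppressWarnings("unchecked")
        List<Employee> result = query.getResultList();
        return result;
    }
}
```

With an empty map the query degrades to `select * from EMP e`; if listing everything is not acceptable, reject that case before building the query.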
