stackoom
  简体   繁体   中英

Java jdbc - how to execute a statement strictly read only

 原文  2015-10-19 12:54:24       java/ sqlite/ jdbc

Question

My server app uses prepared statements in almost all cases, to prevent sql injection. Nevertheless a possibility is needed providing special users executing raw SELECT queries.

How can I more or less securely make sure the query does not modify the database? Is it possible to execute a query read only, or is there any other 'secure' way making sure noone tries any sql injection? (Using sqlite3, so I cannot use any privileges)

Thanks a lot!

3 answers

solution1
 4 ACCPTED  2015-10-19 13:21:36

JDBC supports read-only connections by calling Connection.setReadOnly(true) . However the javadoc says:

Puts this connection in read-only mode as a hint to the driver to enable database optimizations .

Some JDBC drivers will enforce the read-only request, others will use it for optimizations only, or simply ignore it. I don't know how sqlite3 implements it. You'll have to test that.

Otherwise, you could do a "simple" parse of the SQL statement, to ensure that it's a single valid SELECT statement.

solution2
 2  2015-10-19 13:06:23

I'm not aware of a general JBDC configuration which specifies readonly. But Sqlite does have special database open modes and this can be leveraged in your connection to your sqlite database. Eg. 

Properties config = new Properties();
config.setProperty("open_mode", "1");  //1 == readonly
Connection conn = DriverManager.getConnection("jdbc:sqlite:sample.db", config);

Credit: https://stackoverflow.com/a/18092761/62344

FWIW All supported open modes can be seen here .

solution3
 2  2015-10-19 13:29:19

If you use some sort of factory class to create or return connections to the database, you can individually set connections to be read-only: 

public Connection getReadOnlyConnection() {
    // Alternatively this could come from a connection pool:
    final Connection conn = DriverManager.getConnection("jdbc:sqlite:sample.db");
    conn.setReadOnly(true);
    return conn;
}

If you're using a connection pool, then you may also want to provide a method for getting writeable connections too: 

public Connection getWriteableConnection() {
     final Connection conn = getPooledConnection(); // I'm assuming this method exists!
     conn.setReadOnly(false);
     return conn;
}

You could also provide just a single getConnection(boolean readOnly) method and simply pass the parameter through to the setReadOnly(boolean) call. I prefer the separate methods personally, as it makes your intent much clearer.

Alternatively, some databases like Oracle provide a read only mode that can be enabled. SQLite doesn't provide one, but you can emulate it by simply setting the actual database files (including directories) to read only on the filesystem itself.

Another way of doing it is as follows (credit goes to deadlock for the below code ): 

public Connection getReadOnlyConnection() {
    SQLiteConfig config = new SQLiteConfig();
    config.setReadOnly(true);
    Connection conn = DriverManager.getConnection("jdbc:sqlite:sample.db",
            config.toProperties());
 }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to execute this Oracle statement on JDBC How to read sqlite text column using jdbc prepared statement in java? Statement.execute(SQL) JDBC java How to execute a statement within a recursive method only once in Java? Java: How to parse a date strictly? How to read in strictly readable characters with input stream How to implement a strictly matching markdown with regex in java? how to strictly find substring of string in java? How to execute a procedure with JDBC how to execute hql with jdbc in java ,when metastore is mysql
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM