stackoom
  简体   繁体   中英

javax.persistence.EntityManager SQL INJECTION

 原文  2021-11-17 12:07:42       java/ oracle/ response/ sql-injection

Question

In this method you have seen, I receive data from procedures in oracle database according to pincode or voen.

@Override
public List<BaseClass> getCustomerInfo(String pinCode, String voen) throws SQLException, JsonProcessingException {
    List<BaseClass> customerInfos = new ArrayList<>();
    Query q = em.createNativeQuery("select CUST_INFO_COURT.GET_CUSTOMER_INFO('" + pinCode + "','" + voen + "') from dual");
    List objectArray = q.getResultList();
    for (Object object : objectArray) {
        if (object != null) {
            Clob clob = (Clob) object;
            String arrayJsonData = clob.getSubString(1, (int) clob.length());

            final ObjectMapper objectMapper = new ObjectMapper();

            CustomerInfo[] langs = objectMapper.readValue(arrayJsonData, CustomerInfo[].class);
            List<CustomerInfo> langList = new ArrayList(Arrays.asList(langs));

            for (CustomerInfo customerInfo : langList) {

                customerInfos.add(customerInfo);

            }
            return customerInfos;
        }
    }
    return new ArrayList<>();
}

But there is a problem. The problem is that I can receive data in accordance with the pin code, but when I search as voen, I cannot get the values. When I search according to the pin code, my query works like this.

Hibernate: 
    select
        CUST_INFO_COURT.GET_CUSTOMER_INFO('',
        'null') 
    from
        dual

and data in the output like this: 

[
  {
    "full_name": "",
    "doc_sr": "",
    "doc_id": "",
    "customer_id": ,
    "pin_code": "",
    "voen": "",
    "position": null
  }
]

When I search according to voene, it does the same thing.

Hibernate: 
    select
        CUST_INFO_COURT.GET_CUSTOMER_INFO('null',
        '') 
    from
        dual

and data in the output like this: 

[]

There is a problem that I thought is SQL INJECTION. I'm considering sending parameters that way using the setParameter() method, but I don't know how to apply that to this code.

1 answers

solution1
 2 ACCPTED  2021-11-17 12:11:26

You cans use parameters like this:

 Query q = em.createNativeQuery(
        "select CUST_INFO_COURT.GET_CUSTOMER_INFO(?,?) from dual");
 q.setParameter(1, pinCode);
 q.setParameter(2, voen);

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question No qualifying bean of type [javax.persistence.EntityManager] Problem with import javax.persistence.EntityManager; javax.persistence.EntityManager missing a method Is javax.persistence.EntityManager thread safe javax.persistence.EntityManager source code not found Unable to resolve a bean for 'javax.persistence.EntityManager' import javax.persistence.EntityManager error javax.persistence.Entitymanager: remove() method Error when adding an entity to my SQL database when using javax.persistence.EntityManager No unique bean of type [javax.persistence.EntityManager] is defined
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM