
SQL injection drop/delete from Hibernate HQL to MySQL

In Hibernate HQL, is it possible to drop a table or database as a nested part of a select query?

For example,

select name,email,(delete from Group) from User where 1=1 

or

select name,email,(drop table Group) from User where 1=1 

Or somehow after the where clause:

select name,email from User where 1=1;drop table Group;

In the where-clause scenario, an error like the following occurs:

org.springframework.orm.hibernate3.HibernateQueryException: unexpected char: ';' [ FROM com.party.Group WHERE name = ?  ORDER BY name ASC ;drop table User;]; nested exception is org.hibernate.QueryException: unexpected char: ';' [ FROM com.party.Group WHERE name = ?  ORDER BY name ASC ;drop table User;]
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.hibernate.QueryException: unexpected char: ';' [ FROM com.verecloud.nimbus4.party.Group WHERE name = ?  ORDER BY name ASC ;drop table User;]
    ... 24 more

The requirement is to check for possible SQL injection in select queries.

SQL injection needs to end one statement in order to execute a new one:

select name,email,(;delete from Group;) from User where 1=1 
select name,email from User where 1=1;drop table Group;

If you use bind SQL parameters, SQL injection can be prevented.

If you generate the SQL SELECT dynamically (choosing columns at runtime), you should use JPA Criteria or jOOQ.
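The two recommendations above (bind parameters for values, Criteria for runtime column selection) side by side, as an added example that is not part of the original answer. It assumes Hibernate 5.x with the JPA 2.x criteria API and a minimal `User` entity with `name` and `email` fields; the class and method names are illustrative.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;
import javax.persistence.criteria.Selection;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Minimal entity assumed for the example (not from the original page).
@Entity
class User {
    @Id Long id;
    String name;
    String email;
}

public class HqlSafeQueries {

    // Vulnerable: untrusted input is spliced into the HQL text. Hibernate's
    // parser rejects a ';' (as the stack trace in the question shows), so a
    // second statement cannot be appended, but the input can still change the
    // meaning of the WHERE clause because it is parsed as part of the query.
    static Query<User> findUsersUnsafe(Session session, String name) {
        String hql = "from User where name = '" + name + "'";
        return session.createQuery(hql, User.class);
    }

    // Safe: the value is sent as a bind parameter. It is never parsed as HQL
    // or SQL, so quotes, keywords or semicolons in it are just data.
    static Query<User> findUsersSafe(Session session, String name) {
        return session.createQuery("from User where name = :name", User.class)
                      .setParameter("name", name);
    }

    // Column names cannot be bound as parameters, so a runtime-selected column
    // list must be validated against an allowlist and built with the Criteria
    // API instead of concatenated into a query string.
    private static final Set<String> ALLOWED_COLUMNS = Set.of("name", "email");

    static List<Object[]> selectColumnsSafe(Session session, List<String> requested) {
        CriteriaBuilder cb = session.getCriteriaBuilder();
        CriteriaQuery<Object[]> cq = cb.createQuery(Object[].class);
        Root<User> root = cq.from(User.class);

        List<Selection<?>> selections = new ArrayList<>();
        for (String col : requested) {
            if (!ALLOWED_COLUMNS.contains(col)) {
                // Reject rather than trying to sanitise: an unknown column
                // name is a request the application never intended to serve.
                throw new IllegalArgumentException("column not allowed: " + col);
            }
            selections.add(root.get(col));
        }
        cq.multiselect(selections);
        return session.createQuery(cq).getResultList();
    }
}
```

The allowlist is the part that makes dynamic column selection safe: the Criteria API builds the SQL, but it will happily emit whatever attribute path it is given, so the caller's column names still have to be checked against the set the application actually exposes.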
