![](/img/trans.png)
[英]Create database from user input with prepared statement to prevent SQL injection
[英]SQL Injection issue for User Input
對於用戶輸入,我使用 @path 變量傳遞值。 當 checkmarx 驗證我的代碼時給出 SQL 注入錯誤。
我曾嘗試添加空檢查並使用正則表達式,但這些都沒有奏效。
@RequestMapping(value = "/findData/{source}/{user}/{schema}/{table}", method = RequestMethod.GET)
public @ResponseBody String findTableData(@PathVariable("source") String source, @PathVariable("user") String user,
@PathVariable("schema") String schema, @PathVariable("table") String table) throws IOException {
FormDataVO dataModel = new FormDataVO();
TableInfoService tableInfoService = new TableInfoServiceImpl();
String fileName="";
if(null!=schema && null!= table){
fileName = (source + "_" + schema).toUpperCase();
List<TableDataVO> tableData = fileService.parseFile(fileName);
for (int i = 0; i < tableData.size(); i++) {
if (tableData.get(i).getTableName().equalsIgnoreCase(table)) {
dataModel = getFormData(source, user);
if (tableData.get(i).getUpdatedStatus().equalsIgnoreCase("false")) {
List<String> Pk_Incr_Size = tableInfoService.getTableData(dataModel, schema, table, false);
if (!Pk_Incr_Size.get(0).equals("#"))
tableData.get(i).setPrimaryKey(Pk_Incr_Size.get(0));
if (!Pk_Incr_Size.get(1).equals("#"))
tableData.get(i).setIncrementalColumn(Pk_Incr_Size.get(1));
if (Pk_Incr_Size.get(2).length() > 0)
tableData.get(i).setTableSize(Pk_Incr_Size.get(2));
tableData.get(i).setUpdatedStatus("true");
break;
} else {
List<String> Pk_Incr_Size = tableInfoService.getTableData(dataModel, schema, table, true);
tableData.get(i).setTableSize(Pk_Incr_Size.get(0));
}
}
}
fileService.saveTables(fileName, tableData);
}
return fileService.getTableList().toJSONString();
}
public class TableInfoServiceImpl implements TableInfoService{
@Override
public List<String> getTableData(FormDataVO FormDataVO, String schema,String table, boolean status) throws FileNotFoundException, IOException {
DBQueryDAO dbQueryDAO=new DBQueryDAOImpl();
return dbQueryDAO.getTableData(FormDataVO, schema,table, status,PasswordProcessorService.readPasswordFile(FormDataVO.getPasswordLocation()));
}
@Override
public String getSchemaNames(FormDataVO form) throws FileNotFoundException, IOException {
DBQueryDAO dbQueryDAO=new DBQueryDAOImpl();
return dbQueryDAO.getSchemaList(form, PasswordProcessorService.readPasswordFile(form.getPasswordLocation()));
}
@Override
public List<TableDataVO> getTables(FormDataVO FormDataVO, String owner) throws FileNotFoundException, IOException {
DBQueryDAO dbQueryDAO=new DBQueryDAOImpl();
return dbQueryDAO.getTables(FormDataVO, PasswordProcessorService.readPasswordFile(FormDataVO.getPasswordLocation()),owner);
}
@Override
public List<TableDataVO> refreshTableList(FormDataVO FormDataVO, String lastModified, String owner)
throws FileNotFoundException, IOException {
DBQueryDAO dbQueryDAO=new DBQueryDAOImpl();
return dbQueryDAO.getUpdatedTableData(FormDataVO, lastModified, PasswordProcessorService.readPasswordFile(FormDataVO.getPasswordLocation()),owner);
}
}
這里從表格元素獲取用戶輸入。 然后,該元素的值在沒有經過適當清理或驗證的情況下流經代碼,並最終用於方法 getPK 中的數據庫查詢中。 他可能會啟用 SQL 注入攻擊。 這是我收到的錯誤消息。
嘗試使用Encoder.encodeForSQL ,它是 Checkmarx 明確尋找的消毒劑之一:
fileName = (ESAPI.encoder().encodeForSQL(source) + "_" + ESAPI.encoder().encodeForSQL(schema)).toUpperCase();
在其他用戶輸入中同樣實現
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.