【发布时间】:2017-03-14 21:29:54
【问题描述】:
我有这个 bigQuery 示例代码:
List<TableRow> rows =
executeQuery(
"SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
+ "FROM [publicdata:samples.shakespeare]",
bigquery,
PROJECT_ID);
如果我想安全地将国家注入该字符串
我该怎么做?
我想避免sql注入的风险,这是有风险的:
public void foo(String countryParam) {
List<TableRow> rows =
executeQuery(
"SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = '"+countryParam+"' " +
+ "FROM [publicdata:samples.shakespeare]",
bigquery,
PROJECT_ID);
}
更新
找不到 Elliott Brossard 建议的明确示例:
public List<String> getVenuesForBrand(BrandChangeDataUi brandChangeDataUi) throws IOException {
QueryParameter param = new QueryParameter();
param.setName("country");
param.setParameterValue(new QueryParameterValue().setValue("USA"));
param.setParameterType(new QueryParameterType().setType("string"));
List<QueryParameter> params = new ArrayList<>();
params.add(param);
JobConfigurationQuery jobConfigurationQuery = new JobConfigurationQuery();
jobConfigurationQuery.setQueryParameters(params);
jobConfigurationQuery.setQuery( "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
+ "FROM [publicdata:samples.shakespeare]");
List<TableRow> rows =
executeQuery(
jobConfigurationQuery.toString(),
bigquery,
PROJECT_ID);
printResults(rows);
return null;
}
【问题讨论】:
-
在您的示例中,您需要调用
jobConfigurationQuery.setUseLegacySql(false);来启用标准 SQL。要测试查询参数在查询中是否可用,请尝试执行jobConfigurationQuery.setQuery("SELECT @country AS country;");。
标签: java database google-bigquery sql-injection