【发布时间】:2021-08-13 05:31:54
【问题描述】:
我有多个 HQL 语句易受 SQL 注入示例的影响:
public List<Person> SearchList(String userName, String firstName, String lastName, String email) Exception {
List<Person> personList = new ArrayList<>();
String hql = " FROM **.***.***.entity.Person P WHERE ";
boolean buName = false;
boolean bfName = false;
if (StringUtils.isNotEmpty(userName)){
hql = hql + "lower(P.userName) like :userName ";
buName = true;
}
if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)){
if(buName){
hql = hql + " OR ";
}
hql = hql + "(lower(P.firstName) like :firstName AND lower(P.lastName) like :lastName) ";
bfName = true;
}
if (StringUtils.isNotEmpty(internetAddr)){
if(buName || bfName){
hql = hql + " OR ";
}
hql = hql + "lower(P.email) = :email";
}
try {
Query query = getCurrentSession().createQuery(hql);
if (StringUtils.isNotEmpty(userName)) {
query.setParameter("userName", '%'+userName.toLowerCase()+'%');
} else if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)) {
query.setParameter("firstName", '%'+firstName.toLowerCase()+'%');
query.setParameter("lastName", '%'+lastName.toLowerCase()+'%');
} else if (StringUtils.isNotEmpty(email)) {
query.setParameter("email", email.toLowerCase());
}
personList = query.list();
} catch(Exception e){
throw new Exception(e.getMessage());
}
return personList;
}
这里我避免在查询"'%" + userName + "%'" 中连接以避免 SQL 注入漏洞,现在我看到与
Named parameters not bound: lastname
这是基于使用 firstname 的搜索而发生的。我怎样才能避免这种情况?
【问题讨论】:
-
在 JDBC 中使用和设置参数可以避免 SQL 注入攻击。当有人可以将东西注入实际的 SQL 语句本身时,就会发生 SQL 注入攻击。
标签: java sql hibernate hql createquery