Alter user password via jdbc. Problems with passes containing question marks


Problem description

I have a problem with altering a user's password when the password contains a question mark char. I do not encounter this problem with any other char so far, it seems specific to the question mark char.

If I alter a user's password in sqlplus using the following sql:
Alter user Stephen identified by "NewPassword?" REPLACE "OldPassword";
Then it changes the pass successfully and I can login using the new pass 'NewPassword?'.

However if I execute the same SQL via jdbc:
final String query = "ALTER user Stephen identified by \"NewPassword?\" REPLACE \"OldPassword\"";
stmt.executeUpdate(query);

I then cannot log in using the pass 'NewPassword?'.

Checking the hashcodes for the password when entered via sqlplus and jdbc shows that they are different. Somehow when I run the statement in jdbc it is entering something other than 'NewPassword?'.

I don't seem to have any problems with the following passwords: NewPassword, NewPassword\, NewPassword'. It just seems to be the question mark that is causing problems.
Debugging shows the code point (dec) is 63 for the question mark so it doesn't look like it's being changed midway.

Does anyone have any idea what could be causing this behaviour? I'm at a loss at the moment, I'm considering preventing passes with question marks to bypass this problem for now.

Recommended answer

To use JDBC to change the password of an Oracle user you need to do two things:

  • enter the password directly in the SQL string (bind parameters cannot be used),
  • disable escape processing.

You can't use bind variables because the username and password are not sent to the database as single-quoted strings.

The ? in the SQL string is being taken as a bind variable placeholder, and because of this the SQL string is getting mangled at some point by Oracle JDBC. Disabling escape processing on the statement stops this from happening. Try:

Statement s = conn.createStatement();
s.setEscapeProcessing(false);
s.executeUpdate("ALTER user Stephen identified by \"newPassword?\" replace \"oldPassword\"");

If you are setting the password programmatically, your code should also ensure that the new and old passwords do not contain any " characters, to avoid SQL injection.
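
The two requirements from the answer, together with its double-quote check, combined in one helper. This is an added example, not code from the original answer; the class name, method names and the user-name pattern are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class OraclePasswordChange {
    // Assumption: user names are limited to simple unquoted-identifier characters.
    private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z][A-Za-z0-9_]{0,29}");

    // Builds the ALTER USER text. Passwords are embedded as double-quoted values,
    // so a " inside either one would close the quotes early and must be rejected.
    static String buildAlterUser(String user, String oldPw, String newPw) {
        if (user == null || !SAFE_USER.matcher(user).matches()) {
            throw new IllegalArgumentException("unsupported user name");
        }
        requireQuotable(oldPw, "old password");
        requireQuotable(newPw, "new password");
        return "ALTER USER " + user + " IDENTIFIED BY \"" + newPw
                + "\" REPLACE \"" + oldPw + "\"";
    }

    private static void requireQuotable(String value, String label) {
        if (value == null || value.isEmpty() || value.indexOf('"') >= 0) {
            throw new IllegalArgumentException(label + " is empty or contains a double quote");
        }
    }

    static void changePassword(Connection conn, String user, String oldPw, String newPw)
            throws SQLException {
        String sql = buildAlterUser(user, oldPw, newPw); // validate before touching the database
        try (Statement s = conn.createStatement()) {
            s.setEscapeProcessing(false); // per the answer: stops the ? from being processed
            s.executeUpdate(sql);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; this part needs no database connection.
        System.out.println(buildAlterUser("Stephen", "OldPassword", "NewPassword?"));
        try {
            buildAlterUser("Stephen", "OldPassword", "x\" REPLACE \"y");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the statement text contains both passwords, keep it out of application logs and exception messages in real code.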
