Spring (MVC) SQL injection avoidance?
Question
I am wondering how Spring MVC handles SQL injections (and other security issues: XSS, code [javascript] injection, etc.). I'm talking mostly about escaping the values that are added to DBs and such. I can't seem to find any answer because every time I search for spring sql injection, results that involve dependency injection arise.
My flow is as follows: from the client browser I make a request consisting of a JSON with some query parameters (not the SQL statement, that would be too stupid - to form the SQL query in JS). When the request reaches the properly annotated method in the Controller, the request is mapped via @RequestBody using Jackson to a "request object". Now this object is sent to the DAO, where using JDBC Template I query the db (and using RowMapper I map the results).
In the DAO I have something like:
public int countAll(RequestObject request) {
    String sql = "SELECT count(*) FROM employees WHERE name = '" + request.getName() + "'";
    JdbcTemplate jdbcTemplate = new JdbcTemplate(dataSource);
    int count = jdbcTemplate.queryForInt(sql);
    return count;
}
Now is this approach safe from SQL injection? Are non-JdbcTemplate-based queries safe given that they are flowing through Spring MVC?
Could we have a little discussion on this?
Accepted answer
Anytime you build a query by concatenation you are vulnerable to injection attacks.
Pass the parameters properly:
jdbcTemplate.queryForInt(sql, args, argTypes)
For example:
JdbcTemplate insert = new JdbcTemplate(dataSource);
insert.update("INSERT INTO PERSON (FIRSTNAME, LASTNAME) VALUES(?,?)",
        new Object[] { firstName, lastName });
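The DAO from the question written both ways, as an added example (not code from the original question or answer): the constructor-injected DataSource, the RequestObject getters and the `employees` table columns are assumptions.

```java
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

// Minimal stand-in for the request object the controller receives via
// @RequestBody (assumed shape; the page only shows getName()).
class RequestObject {
    private String name;
    private String dept;
    public String getName() { return name; }
    public String getDept() { return dept; }
}

public class EmployeeDao {

    private final JdbcTemplate jdbcTemplate;
    private final NamedParameterJdbcTemplate namedTemplate;

    public EmployeeDao(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
        this.namedTemplate = new NamedParameterJdbcTemplate(dataSource);
    }

    // UNSAFE: the request value becomes part of the SQL text. A name containing
    // a single quote closes the literal and the rest is parsed as SQL.
    // Spring MVC and Jackson do nothing to prevent this; they only bind JSON.
    public int countAllUnsafe(RequestObject request) {
        String sql = "SELECT count(*) FROM employees WHERE name = '"
                + request.getName() + "'";
        return jdbcTemplate.queryForObject(sql, Integer.class);
    }

    // SAFE: the SQL text is a constant; the value is sent to the driver as a
    // bound parameter and is never parsed as SQL, whatever characters it holds.
    public int countAll(RequestObject request) {
        String sql = "SELECT count(*) FROM employees WHERE name = ?";
        return jdbcTemplate.queryForObject(sql, Integer.class, request.getName());
    }

    // SAFE, named-parameter form: clearer once several values are bound.
    public int countByNameAndDept(RequestObject request) {
        String sql = "SELECT count(*) FROM employees WHERE name = :name AND dept = :dept";
        Map<String, Object> params =
                Map.of("name", request.getName(), "dept", request.getDept());
        return namedTemplate.queryForObject(sql, params, Integer.class);
    }
}
```

Bound parameters only cover values; a column name or sort direction taken from the client cannot be a `?` placeholder and has to be checked against a fixed allowlist before it is placed in the SQL text.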