本机SQL查询-SQL注入攻击 [英] Native sql query- SQL Injection Attack

问题描述

我正在与JPA合作.如果我使用本机sql查询(而非实体查询)，我的应用程序如何能保证SQL注入安全?我需要使用用户从html表单提交的数据来构建本机sql查询.

I'm working with JPA. How could my application be SQL injection safe if I'm using a native sql query (not entity query)? I need to build the native sql query with the data submitted by a user from a html form.

如果我在本机sql中使用参数，则可以避免SQL注入攻击，但是我的问题是我无法确定用户正在提交多少个数据字段.

If I use parameters in the native sql I can avoid SQL injection attacks, but my problem is that I can't be sure how many data fields are being submitted by the user.

推荐答案

您应该使用位置参数绑定:

You should use positional parameters binding:

String queryString = "select * from EMP e where e.name = ?1";
Query query = em.createNativeQuery(queryString, Employee.class);
query.setParameter(1, "Mickey");

请注意，您不应按照JPA规范所述在查询中使用命名参数绑定(:empName)

Please note that you should not use named parameters binding (:empName) in your query as JPA Spec says

仅位置参数绑定可用于本机查询.

Only positional parameter binding may be portably used for native queries.

这应该可以保护您免受SQL注入攻击.

This should secure you from SQL Injection attacks.

这篇关于本机SQL查询-SQL注入攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！