Native SQL query - SQL injection attack
Question
I'm working with JPA. How could my application be SQL injection safe if I'm using a native SQL query (not an entity query)? I need to build the native SQL query with the data submitted by a user from an HTML form.
If I use parameters in the native SQL I can avoid SQL injection attacks, but my problem is that I can't be sure how many data fields are being submitted by the user.
Recommended answer
You should use positional parameter binding:
// ?1 is a positional placeholder; the SQL text never contains the user's value
String queryString = "select * from EMP e where e.name = ?1";
Query query = em.createNativeQuery(queryString, Employee.class);
// the value is sent to the database as a bound parameter, not concatenated into the SQL
query.setParameter(1, "Mickey");
Please note that you should not use named parameter binding (:empName) in your query, as the JPA spec says:
Only positional parameter binding may be portably used for native queries.
This should secure you from SQL injection attacks.
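The question's remaining worry is that the number of submitted fields is not known in advance. The following is an added example, not code from the original answer, showing one way to build the native query dynamically while still binding every value positionally. It assumes the `Employee` entity from the answer maps to table `EMP`, that the allowed filter columns are a fixed application-controlled set (the hypothetical `FILTERABLE_COLUMNS` allowlist), and that the classes live in `javax.persistence` (use `jakarta.persistence` on newer stacks). Column names cannot be bound as parameters, so they must be checked against that allowlist; only the values go through `setParameter`.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.Query;

public class EmployeeSearch {

    // Hypothetical allowlist of columns the HTML form may filter on. Identifiers
    // cannot be parameterized, so they must come from this fixed set and never
    // from the request itself.
    private static final Set<String> FILTERABLE_COLUMNS = Set.of("name", "dept", "city");

    private final EntityManager em;

    public EmployeeSearch(EntityManager em) {
        this.em = em;
    }

    /**
     * Builds "select * from EMP e where e.col1 = ?1 and e.col2 = ?2 ..." with one
     * positional placeholder per submitted field, and collects the values in the
     * same order so they can be bound afterwards.
     */
    static String buildQueryString(Map<String, String> filters, List<String> boundValues) {
        StringBuilder sql = new StringBuilder("select * from EMP e");
        int position = 1;
        for (Map.Entry<String, String> filter : filters.entrySet()) {
            String column = filter.getKey();
            if (!FILTERABLE_COLUMNS.contains(column)) {
                // Reject rather than quote: an unknown column name is not a value we can bind.
                throw new IllegalArgumentException("unknown filter column: " + column);
            }
            sql.append(position == 1 ? " where " : " and ");
            sql.append("e.").append(column).append(" = ?").append(position);
            boundValues.add(filter.getValue());
            position++;
        }
        return sql.toString();
    }

    @SuppressWarnings("unchecked")
    public List<Employee> search(Map<String, String> filters) {
        List<String> values = new ArrayList<>();
        String sql = buildQueryString(filters, values);
        Query query = em.createNativeQuery(sql, Employee.class);
        // Every user-supplied value is bound by position; a payload such as
        // "' OR 1=1 --" is delivered to the database as a plain string, never as SQL.
        for (int i = 0; i < values.size(); i++) {
            query.setParameter(i + 1, values.get(i));
        }
        return query.getResultList();
    }

    // Stand-alone demonstration of the query text that would be generated (constructed input).
    public static void main(String[] args) {
        Map<String, String> submitted = new LinkedHashMap<>();
        submitted.put("name", "Mickey");
        submitted.put("dept", "' OR 1=1 --");   // hostile value: ends up bound, not concatenated
        List<String> values = new ArrayList<>();
        String sql = buildQueryString(submitted, values);
        System.out.println(sql);     // select * from EMP e where e.name = ?1 and e.dept = ?2
        System.out.println(values);  // [Mickey, ' OR 1=1 --]
    }
}
```

Because the SQL text contains only placeholders and allowlisted column names, the shape of the query can vary with the form while the attack surface stays the same as the single-parameter example above.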