如何安全注入参数到字符串DB查询java? [英] How to safely inject parameter into string DB query java?
本文介绍了如何安全注入参数到字符串DB查询java?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有这个bigQuery范例程式码:
I have this bigQuery example code:
List<TableRow> rows =
executeQuery(
"SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
+ "FROM [publicdata:samples.shakespeare]",
bigquery,
PROJECT_ID);
如果我想将国家安全注入该字符串
If i want to safely inject the country to that string
我如何做到这一点?
我想避免sql注入的风险,这是有风险的:
I want to avoid the risk of sql injection and this is risky:
public void foo(String countryParam) {
List<TableRow> rows =
executeQuery(
"SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = '"+countryParam+"' " +
+ "FROM [publicdata:samples.shakespeare]",
bigquery,
PROJECT_ID);
}
更新
找不到Elliott Brossard建议的清楚例子:
couldn't find a clear example to Elliott Brossard suggestion:
public List<String> getVenuesForBrand(BrandChangeDataUi brandChangeDataUi) throws IOException {
QueryParameter param = new QueryParameter();
param.setName("country");
param.setParameterValue(new QueryParameterValue().setValue("USA"));
param.setParameterType(new QueryParameterType().setType("string"));
List<QueryParameter> params = new ArrayList<>();
params.add(param);
JobConfigurationQuery jobConfigurationQuery = new JobConfigurationQuery();
jobConfigurationQuery.setQueryParameters(params);
jobConfigurationQuery.setQuery( "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
+ "FROM [publicdata:samples.shakespeare]");
List<TableRow> rows =
executeQuery(
jobConfigurationQuery.toString(),
bigquery,
PROJECT_ID);
printResults(rows);
return null;
}
推荐答案
查看 queryParameters 下的 jobs.query 参考。对于Java API,它们作为 JobConfigurationQuery 。请注意,查询参数只能使用标准SQL 。
这篇关于如何安全注入参数到字符串DB查询java?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
