java CWE89:SQL命令中使用的特殊元素的不正确中和(“SQL注入”)
我收到以下警告:
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') exception at insertCount = aBatchPstmt.executeBatch(); SQL injections can be prevented by using parameterised query
我相信我遵循了这个建议,但我仍然看到了同样的信息。 我该如何解决这个问题
int[] insertCount = null;
if (stmtLogList.size() > 0) {
Connection dbConnection = getDBConnection();
PreparedStatement aBatchPstmt = null;
try {
String anInsertQuery = "INSERT INTO " + getDBName() + ".dbo."
+ "statementGenerationlog (CountryCode,CIFNumber,FileName,ZipFilename,Status,BatchRunDate,logDesc,FileType) values (?,?,?,?,?,?,?,?)";
aBatchPstmt = dbConnection.prepareStatement(anInsertQuery);
for (StatementGenerationLogBean aLogDetails : stmtLogList) {
aBatchPstmt.setString(1, aLogDetails.getCountryCode());
aBatchPstmt.setString(2, aLogDetails.getCifNumber());
aBatchPstmt.setString(3, aLogDetails.getFileName());
aBatchPstmt.setString(4, aLogDetails.getZipFileName());
aBatchPstmt.setInt(5, aLogDetails.getStatus());
aBatchPstmt.setString(6, aLogDetails.getBatchRunDate());
aBatchPstmt.setString(7, aLogDetails.getLogDesc());
aBatchPstmt.setString(8, aLogDetails.getFileType());
aBatchPstmt.addBatch();
}
insertCount = aBatchPstmt.executeBatch();
} finally {
closeDB(dbConnection);
closePreparedStatement(aBatchPstmt);
}
}
return insertCount;
}
共 (0) 个答案