java如何使用参数化查询防止SQL注入攻击Play框架
我继承了一个Play1.2.4应用程序,它刚刚经过安全性审核。似乎有些方法是不安全的,所以我需要将它们更改为使用准备好的语句
所讨论的方法之一是:
public static void surveys(int startIndex, int endIndex, boolean isAscending, String orderBy, String searchField,
String searchText, String filter) {
NdgUser currentUser = NdgUser.find("byUserName", session.get("ndgUser")).first();
NdgUser currentUserAdmin = NdgUser.find("byUserName", currentUser.userAdmin).first();
List<Survey> surveys = null;
String query;
if (filter != null && filter.length() > 0) {
query = getQuery2Filters( "available" , String.valueOf( SurveyStatusConsts.getStatusFlag( filter ) ),
"ndg_user_id", String.valueOf(currentUserAdmin.getId()), false,
searchField, searchText, null, isAscending );//sorting is not needed now
}
else {
query = getQuery( "ndg_user_id" , String.valueOf(currentUserAdmin.getId()), false,
searchField, searchText, null, isAscending );//sorting is not needed now
}
long totalItems = 0;
totalItems = Survey.count( query );
if ( orderBy != null && orderBy.equals( "resultCollection" ) ) {
surveys = Survey.find( query ).fetch();
Collections.sort( surveys, new SurveyNdgResultCollectionComapator() );
if ( !isAscending ) {
Collections.reverse( surveys );
}
int subListEndIndex = surveys.size() <= endIndex ? surveys.size() : endIndex;
surveys = surveys.subList( startIndex, subListEndIndex );
} else {
if (filter != null && filter.length() > 0) {
query = getQuery2Filters( "available", String.valueOf( SurveyStatusConsts.getStatusFlag( filter ) ),
"ndg_user_id", String.valueOf(currentUserAdmin.getId()), false,
searchField, searchText, orderBy, isAscending );
}
else {
query = getQuery( "ndg_user_id", String.valueOf(currentUserAdmin.getId()), false,
searchField, searchText, orderBy, isAscending );
}
surveys = Survey.find( query ).from( startIndex ).fetch( endIndex - startIndex );
}
serializeSurveys(surveys, startIndex, totalItems);
}
它使用另外两个方法来实际构建查询
private static String getQuery(String filterName, String filterValue, boolean isFilterString, String searchField,
String searchText, String orderBy, boolean isAscending ) {
StringBuilder query = new StringBuilder();
String statusQuery = "";
String searchQuery = "";
String sortingQuery = "";
if ( filterName != null && filterName.length() > 0
&& filterValue != null && filterValue.length() > 0 ) {
statusQuery = filterName + "=" + ( isFilterString ? ("'" + filterValue + "'") : filterValue );
}
if ( searchField != null && searchText != null && searchText.length() > 0 ) {
if(searchField.equals("dateSent")) {
searchQuery = "DATE_FORMAT(" + searchField + ", '%d/%m/%Y')" + " like '%" + searchText + "%'";
}
else {
searchQuery = searchField + " like '%" + searchText + "%'";
}
}
if ( orderBy != null && orderBy.length()> 0 ) {
sortingQuery = "order by " + orderBy + ( isAscending ? " asc" : " desc" );
}
query.append( statusQuery )
.append( ( statusQuery.length() > 0 && searchQuery.length() > 0 ) ? " and " : ' ' )
.append( searchQuery )
.append( ' ' )
.append( sortingQuery );
return query.toString();
}
及
private static String getQuery2Filters(String filterName, String filterValue, String filterName2,
String filterValue2, boolean isFilterString, String searchField,
String searchText, String orderBy, boolean isAscending ) {
StringBuilder query = new StringBuilder();
String statusQuery = "";
String searchQuery = "";
String sortingQuery = "";
if ( filterName != null && filterName.length() > 0
&& filterValue != null && filterValue.length() > 0 ) {
statusQuery = filterName + "=" + ( isFilterString ? ("'" + filterValue + "'") : filterValue );
}
if ( filterName2 != null && filterName2.length() > 0
&& filterValue2 != null && filterValue2.length() > 0 ) {
statusQuery += " and " + filterName2 + "="
+ ( isFilterString ? ("'" + filterValue2 + "'") : filterValue2 );
}
if ( searchField != null && searchText != null && searchText.length() > 0 ) {
searchQuery = searchField + " like '%" + searchText + "%'";
}
if ( orderBy != null && orderBy.length()> 0 ) {
sortingQuery = "order by " + orderBy + ( isAscending ? " asc" : " desc" );
}
query.append( statusQuery )
.append( ( statusQuery.length() > 0 && searchQuery.length() > 0 ) ? " and " : ' ' )
.append( searchQuery )
.append( ' ' )
.append( sortingQuery );
return query.toString();
}
我相信我需要将这些辅助方法更改为使用参数的基本字符串连接,但我对如何真正做到这一点有点不知所措。我对Java或Hibernate/JPA都不是很熟悉,所以收到了一些建议
共 (0) 个答案