2017-04-02 00:29
@JFinal
就是真实环境,记录都查出来了~,现在是可以用drud的WallFilter实现防注入,只是想SQL Template层面能否实现,如mybatis的
<select id="selectPostIn" resultType="domain.blog.Post">
SELECT *
FROM POST P
WHERE ID in
<foreach item="item" index="index" collection="list"
open="(" separator="," close=")">
#{item}
</foreach>
</select>
它首先生成 select * from post p where id in(?,?,..) 再使用 preparestatement设置list参数所以它没有注入的问题
2017-04-01 23:42
@JFinal 但在没有使用Druid的情况,SQL Template拼装 in 条件时会有驻入问题,因为是拼装,如果 in 字段为字符类型
那么http://localhost:8080/test5?id='0') or 1=1 or bigId in(1&id=3
拼装的SQL如下:
Sql: select vcPassword "密码",vcAccount "账号" from d_user where bigId in('0') or 1=1 or bigId in(1,3)
JFinal action report -------- 2017-04-01 23:38:23 ------------------------------
Url : GET /test5
Controller : web.controller.Index.(Index.java:1)
Method : test5
Parameter : id[]={'0') or 1=1 or bigId in(1,3}
--------------------------------------------------------------------------------
2017-04-01 23:10
自己简单扩展一下支持maven开发环境,如下:
public class Mixeds {
public final static String DEV_PART = "target/classes/";
public final static String TEST_PART = "target/test-classes/";
/**
* 获取 classpath, 兼容 maven 开发环境
*
* @return classpath
*/
public static String getRootClassPath() {
String path = getBase();
if (path.endsWith(TEST_PART)) {
path = path.replace(TEST_PART, DEV_PART);
} else if (!path.endsWith("classes/") && new File(path + "target").exists()) {
path = path + DEV_PART;
}
return new File(path).getAbsolutePath() + File.separator;
}
/**
* 获取相对 classpath 的路径
*
* @param path 相对 classpath 的路径
* @return
*/
public static String getPath(String path) {
return new File(getRootClassPath() + path).getAbsolutePath() + File.separator;
}
/**
* 启动目录 或 Mixeds 类路径
*
* @return 启动目录 或 Mixeds 类路径
*/
private static String getBase() {
URL base = Mixeds.class.getResource("/");
if (base == null) {
return new File("").toURI().getPath();
} else {
return base.getPath();
}
}
}
2017-04-01 01:46
@JFinal
--------------------------------------------------------------------------------
Sql:
select * from d_user where bigId in(12,1)
JFinal action report -------- 2017-04-01 00:49:09 ------------------------------
Url : GET /test5
Controller : web.controller.Index.(Index.java:1)
Method : test5
Parameter : id[]={12,1}
--------------------------------------------------------------------------------
Sql:
select * from d_user where bigId in('12',1)
JFinal action report -------- 2017-04-01 00:49:31 ------------------------------
Url : GET /test5
Controller : web.controller.Index.(Index.java:1)
Method : test5
Parameter : id[]={'12',1}
--------------------------------------------------------------------------------
像楼主这样拼装SQL会有注入漏洞吧!!能否做到完全的prepareStatement呢?
