JDBI如何在防止SQL注入的同时动态创建WHERE子句?
我想动态过滤JDBI查询。
参数列表是通过REST从UI传递的,例如
http://localhost/things?foo=bar&baz=tazhttp://localhost/things?foo=buz
这是(笨拙地)构建(Jersey @Context UriInfo :: getQueryParameters->
StringBuilder)的,类似于以下内容:
WHERE foo=bar AND baz=taz并传递给JDBI,它看起来像这样:
@UseStringTemplate3StatementLocatorpublic interface ThingDAO {
@SqlQuery("SELECT * FROM things <where>)
List<Thing> findThingsWhere(@Define("where") String where);
}
据我了解,当前的实现容易受到SQL注入的攻击。我显然可以清除列名,但不能清除值。1个
必须有一种更优雅且SQL注入证明的方法来执行此操作。
回答:
受让-贝纳德(Jean-Bernard)的启发,我想到了这一点:
public class WhereClause { public HashMap<String, String> queryValues; // [<"foo","bar">, <"baz","taz">]
public String preparedString; // "WHERE foo=:foo AND bar=:baz"
}
通过一个自定义的Binder绑定BindWhereClause:
@BindingAnnotation(BindWhereClause.WhereClauseBinderFactory.class)@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.PARAMETER})
public @interface BindWhereClause {
class WhereClauseBinderFactory implements BinderFactory {
public Binder build(Annotation annotation) {
return new Binder<BindWhereClause, WhereClause>() {
public void bind(SQLStatement q, BindWhereClause bind, WhereClause clause) {
clause.queryValues
.keySet()
.forEach(s -> q.bind(s, clause.queryValues.get(s)));
}
};
}
}
}
和的组合@Define和@Bind:
@UseStringTemplate3StatementLocatorpublic interface ThingDAO {
@SqlQuery("SELECT * FROM things <where>")
List<Thing> findThingsWhere(@Define("where") String where,
@BindWhereClause() WhereClause whereClause);
}
这应该是防注射的。(是吗?)
以上是 JDBI如何在防止SQL注入的同时动态创建WHERE子句? 的全部内容, 来源链接: utcz.com/qa/402325.html
