java spring SQL注入中的@Query注解安全吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/28050710/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is the @Query annotation in spring SQL Injection safe?
提问by Usman Mutawakil
Do the parameters of a string passed to the @Query annotation, for Spring, get treated as pure data as they would if, for example, you were using the PreparedStatement class or any method meant to prevent SQL injection?
对于 Spring,传递给 @Query 注释的字符串的参数是否会被视为纯数据,例如,如果您使用 PreparedStatement 类或任何旨在防止 SQL 注入的方法?
final String MY_QUERY = "SELECT * FROM some_table WHERE some_column = ?1";
@Query(value=MY_QUERY, nativeQuery = true)
List<SomeEntity> findResults(String potentiallyMaliciousUserInput);
Bottom Line:Is the code above susceptible to SQL injection?
底线:上面的代码是否容易受到 SQL 注入的影响?
采纳答案by Alex
It looks like Spring Data's @Queryis just a wrapper around JPA
看起来 Spring Data@Query只是 JPA 的一个包装器
See this SO answer: Are SQL injection attacks possible in JPA?
请参阅此 SO 答案:在 JPA 中是否可能进行 SQL 注入攻击?
回答by AntonBerezin
In the query you use bind variable instead of string concatenation (which would be vulnerable to SQL Injection), so I think your example is save in the respect of vulnerability from SQL Injection.
在查询中,您使用绑定变量而不是字符串连接(这很容易受到 SQL 注入的攻击),所以我认为您的示例在 SQL 注入的漏洞方面有所保留。
