oracle 通过 jdbc 更改用户密码。包含问号的通行证问题
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4518210/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Alter user password via jdbc. Problems with passes containing question marks
提问by Stephen Scott
I have a problem with altering a users password when the password contains a question mark char. I do not encounter this problem with any other char so far, it seems specific to the question mark char.
当密码包含问号字符时,我在更改用户密码时遇到问题。到目前为止,我没有遇到任何其他字符的这个问题,它似乎特定于问号字符。
If i alter a users password in sqlplus using the following sql:Alter user Stephen identifed by "NewPassword?" REPLACE "OldPassword";
Then it changes the pass successfully and I can login using the new pass 'NewPassword?'.
如果我使用以下 sql 在 sqlplus 中更改用户密码:Alter user Stephen identifed by "NewPassword?" REPLACE "OldPassword";
然后它成功更改了通行证,我可以使用新通行证“NewPassword?”登录。
However if I execute the same SQL via jdbc:final String query = "ALTER user Stephen identified by \"NewPassword?\" REPLACE \"OldPassword\"";
stmt.executeUpdate(query);
I then cannot log in using the pass 'NewPassword?'.
但是,如果我通过 jdbc 执行相同的 SQL:
那么我将无法使用“NewPassword?”密码登录。final String query = "ALTER user Stephen identified by \"NewPassword?\" REPLACE \"OldPassword\"";
stmt.executeUpdate(query);
Checking the hashcodes for the password when entered via sqlplus and jdbc show that they are different. Somehow when I run the statement in jdbc it is entering something other than 'NewPassword?'.
通过 sqlplus 和 jdbc 输入时检查密码的哈希码表明它们是不同的。不知何故,当我在 jdbc 中运行该语句时,它输入的不是“NewPassword?”。
I don't seem to have any problems with the following passwords:
NewPassword, NewPassword\, NewPassword'. It just seems to be the question mark that is causing problems.
Debugging shows the code point (dec) is 63 for the question mark so it doesn't look like its being changed midway.
我似乎对以下密码没有任何问题:NewPassword、NewPassword\、NewPassword'。这似乎只是导致问题的问号。
调试显示问号的代码点 (dec) 为 63,因此它看起来没有中途更改。
Does anyone have any idea what could be causing this behaviour? I'm at a loss at the moment, I'm considering preventing passes with question marks to bypass this problem for now.
有谁知道是什么导致了这种行为?我现在不知所措,我正在考虑阻止带有问号的传球来暂时绕过这个问题。
回答by Luke Woodward
To use JDBC to change the password of an Oracle user you need to do two things:
要使用 JDBC 更改 Oracle 用户的密码,您需要做两件事:
- put the password directly in the SQL string (bind parameters cannot be used),
- disable escape processing.
- 将密码直接放在SQL字符串中(不能使用绑定参数),
- 禁用转义处理。
You can't use bind variables because the username and password are not sent to the database as single-quoted strings.
您不能使用绑定变量,因为用户名和密码不会作为单引号字符串发送到数据库。
The ?in the SQL string is being taken as a bind variable placeholder, and because of this the SQL string is getting mangled at some point by Oracle JDBC. Disabling escape processing on the statement stops this from happening. Try:
将?在SQL字符串被视为绑定变量占位符,因为这样的SQL字符串在由Oracle JDBC某些时候得到错位。对语句禁用转义处理会阻止这种情况发生。尝试:
Statement s = conn.createStatement();
s.setEscapeProcessing(false);
s.executeUpdate("ALTER user Stephen identified by \"newPassword?\" replace \"oldPassword\"");
If you are setting the password programmatically, your code should also ensure that the new and old passwords do not contain any "characters, to avoid SQL injection.
如果您以编程方式设置密码,您的代码还应确保新旧密码不包含任何"字符,以避免 SQL 注入。
回答by Cameron Skinner
Try implementing it using a PreparedStatementand see if you get the same problem. Question marks are used in PreparedStatementsas placeholders, so maybe the JDBC driver is getting confused. It shouldn't, but might be worth checking.
尝试使用 a 实现它PreparedStatement,看看是否遇到相同的问题。问号用作PreparedStatements占位符,因此 JDBC 驱动程序可能会感到困惑。它不应该,但可能值得检查。
PreparedStatement p = conn.prepareStatement("ALTER user Stephen identified by ? replace ?");
p.setString(1, "NewPassword?");
p.setString(2, "OldPassword");
p.execute();
If this works then it's probably a bug in the driver.
如果这有效,那么它可能是驱动程序中的错误。
