Does Spring JDBC provide any protection from SQL injection attacks?
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/7254534/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by brabster
Spring's JdbcTemplate abstraction provides a lot of functionality, but can it be used in such a way that it provides protection from SQL injection attacks?
For example, like the kind of protection you would get using PreparedStatement with properly defined parameterization.
Answered by Donal Fellows
It most certainly does. This example is straight from the Spring 3.0 docs (but is the same in 2.*):
```java
// The '?' placeholder is bound as a parameter; 1212L is supplied as the value.
String lastName = this.jdbcTemplate.queryForObject(
        "select last_name from t_actor where id = ?",
        String.class, 1212L);
```
As you can see, it strongly favors prepared statements (which it must be using behind the scenes for you): you specify the parameters with placeholders (?) and supply an array of objects to fill into the parameters. (The last parameter is the type of the expected result, but that's not very relevant for this question.)
You can also use a NamedParameterJdbcTemplate and supply the parameters in a Map, which is perhaps less efficient but definitely more mnemonic.
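The following is an added example (not part of the original question or answer, and not Spring's own code) that puts the answer's point side by side with the unsafe alternative: the same lookup written with string concatenation, with a JdbcTemplate `?` placeholder, and with a NamedParameterJdbcTemplate named parameter. It assumes spring-jdbc and the H2 in-memory database are on the classpath; the table `t_actor`, its rows and the input strings are constructed for the demo.

```java
import java.util.List;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

public class JdbcTemplateInjectionDemo {

    // Assumption: H2 (in-memory) and spring-jdbc are available on the classpath.
    private static DataSource dataSource() {
        DriverManagerDataSource ds = new DriverManagerDataSource();
        ds.setDriverClassName("org.h2.Driver");
        ds.setUrl("jdbc:h2:mem:actors;DB_CLOSE_DELAY=-1");
        ds.setUsername("sa");
        ds.setPassword("");
        return ds;
    }

    // UNSAFE: the caller's input is pasted into the SQL text, so the database
    // parses it as part of the statement rather than as a value.
    static List<String> findByLastNameUnsafe(JdbcTemplate jdbc, String lastName) {
        String sql = "select last_name from t_actor where last_name = '" + lastName + "'";
        return jdbc.queryForList(sql, String.class);
    }

    // SAFE: the '?' placeholder is bound through a PreparedStatement; the input
    // travels as a parameter value and cannot alter the statement's structure.
    static List<String> findByLastNameSafe(JdbcTemplate jdbc, String lastName) {
        return jdbc.queryForList(
                "select last_name from t_actor where last_name = ?",
                String.class, lastName);
    }

    // SAFE: same guarantee via NamedParameterJdbcTemplate and a parameter map,
    // as the answer mentions.
    static List<String> findByLastNameNamed(NamedParameterJdbcTemplate named, String lastName) {
        MapSqlParameterSource params = new MapSqlParameterSource("lastName", lastName);
        return named.queryForList(
                "select last_name from t_actor where last_name = :lastName",
                params, String.class);
    }

    public static void main(String[] args) {
        DataSource ds = dataSource();
        JdbcTemplate jdbc = new JdbcTemplate(ds);
        NamedParameterJdbcTemplate named = new NamedParameterJdbcTemplate(ds);

        // Constructed sample schema and rows for the demo.
        jdbc.execute("create table t_actor ("
                + "id bigint primary key, first_name varchar(50), last_name varchar(50))");
        jdbc.update("insert into t_actor values (?, ?, ?)", 1212L, "Joe", "Bloggs");
        jdbc.update("insert into t_actor values (?, ?, ?)", 1213L, "Jane", "Doe");

        // Constructed input that is a SQL fragment rather than a surname.
        String fragment = "x' or '1'='1";

        // Concatenation lets the fragment rewrite the WHERE clause.
        System.out.println("unsafe: " + findByLastNameUnsafe(jdbc, fragment));
        // Bound parameters compare the whole string as a literal surname.
        System.out.println("safe:   " + findByLastNameSafe(jdbc, fragment));
        System.out.println("named:  " + findByLastNameNamed(named, fragment));
        // Ordinary lookups behave the same in every variant.
        System.out.println("safe:   " + findByLastNameSafe(jdbc, "Doe"));
    }
}
```

Running it shows the concatenated query returning every row for the fragment input, while both parameterized variants return an empty list for it and `[Doe]` for the ordinary lookup. The difference is entirely in how the input reaches the database: as text spliced into the statement versus as a bound value, which is the protection the answer describes.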

