62,615
社区成员
发帖
与我相关
我的任务
分享prepared statement的 SQL injection问题
用findbugs检查如下代码,会报错误:
SQL:A prepared statement is generated from a nonconstant String
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
StringBuffer sql = new StringBuffer(128);
sql.append("insert into xxx(aaa)";
sql.append(" values(?)";
String istSql = sql.toString();//mod by szw
String sql1 = "insert into xxx(aaa) values(?)";
pstmt = conn.prepareStatement(sql.toString());//findbugs报错
修改1: pstmt = conn.prepareStatement(istSql);//findbugs还是报错
修改2: pstmt = conn.prepareStatement(sql1);//findbugs不会报错
请问这是为啥呢
SQL:A prepared statement is generated from a nonconstant String
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
StringBuffer sql = new StringBuffer(128);
sql.append("insert into xxx(aaa)";
sql.append(" values(?)";
String istSql = sql.toString();//mod by szw
String sql1 = "insert into xxx(aaa) values(?)";
pstmt = conn.prepareStatement(sql.toString());//findbugs报错
修改1: pstmt = conn.prepareStatement(istSql);//findbugs还是报错
修改2: pstmt = conn.prepareStatement(sql1);//findbugs不会报错
请问这是为啥呢
...全文
请发表友善的回复…
发表回复
lshy168 2009-01-06
- 打赏
- 举报
不知道楼主全部代码是怎样写的,我在我机器上试过了,我用MSSql,是可以的。
LazyCat2222 2009-01-06
- 打赏
- 举报
不是就是String类型吗? 怎么还要toString啊?
junying2yu 2009-01-06
- 打赏
- 举报
up up
szws 2009-01-06
- 打赏
- 举报
不好意思,括号是我实例程序漏了
程序执行都没有问题的
只是findbugs检测程序存在隐患。想知道如何修改,findbugs才认为代码不存在隐患?
程序执行都没有问题的
只是findbugs检测程序存在隐患。想知道如何修改,findbugs才认为代码不存在隐患?
lshy168 2009-01-06
- 打赏
- 举报
掉了括号;
StringBuffer sql = new StringBuffer(128);
sql.append("insert into xxx(aaa)");
sql.append(" values(?)");
String istSql = sql.toString();//mod by szw
String sql1 = "insert into xxx(aaa) values(?)";
pstmt = conn.prepareStatement(sql.toString());//findbugs报错
StringBuffer sql = new StringBuffer(128);
sql.append("insert into xxx(aaa)");
sql.append(" values(?)");
String istSql = sql.toString();//mod by szw
String sql1 = "insert into xxx(aaa) values(?)";
pstmt = conn.prepareStatement(sql.toString());//findbugs报错
海诗美妆 2009-01-06
- 打赏
- 举报
[Quote=引用楼主 szws 的帖子:]
用findbugs检查如下代码,会报错误:
SQL:A prepared statement is generated from a nonconstant String
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
StringBuffer sql = new StringBuffer(128);
sql.app…
[/Quote]
findbug报错是因为sql作为一个变量被执行,有发生SQL溢出漏洞的危险。
把SQL语句的字符串用final修饰,改成定量看看。
用findbugs检查如下代码,会报错误:
SQL:A prepared statement is generated from a nonconstant String
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
StringBuffer sql = new StringBuffer(128);
sql.app…
[/Quote]
findbug报错是因为sql作为一个变量被执行,有发生SQL溢出漏洞的危险。
把SQL语句的字符串用final修饰,改成定量看看。
ZiSheng 2009-01-06
- 打赏
- 举报
[Quote=引用 2 楼 szws 的回复:]
不好意思,括号是我实例程序漏了
程序执行都没有问题的
只是findbugs检测程序存在隐患。想知道如何修改,findbugs才认为代码不存在隐患?
[/Quote]
findBugs没有用过
不好意思,括号是我实例程序漏了
程序执行都没有问题的
只是findbugs检测程序存在隐患。想知道如何修改,findbugs才认为代码不存在隐患?
[/Quote]
findBugs没有用过
