帮忙解答下hibernate的有关问题
日期:2014-05-18 浏览次数:20791 次
帮忙解答下hibernate的问题
问题1:
是不是只要sql语句是预编译的就不会被sql注入
问题2:
hibernate:select * from ( select * from tdjb_equipmentledger where czdyzgdj='110' and ycsbmc like '%故障%' order by id desc ) where rownum <= ?//这是hibernate输出的语句
sql=select * from tdjb_equipmentledger where czdyzgdj='110' and ycsbmc like '%故障%' order by id desc
Query q=sessionFactory.getCurrentSession().createSQLQuery(sql).addEntity(Equipmentledger.class);
List list=q.list()
可以得到list
但是我试着sql注入
sql=select * from tdjb_equipmentledger where czdyzgdj='110')--' and ycsbmc like '%故障%' order by id desc//语句变成这样
hibernate:select * from ( select * from tdjb_equipmentledger where czdyzgdj='110')--' and ycsbmc like '%故障%' order by id desc ) where rownum <= ?
我把hibernate输出的语句在plsql上运行都是可以的,注释符号都起作用,但是sql注入的语句在程序中就报错
01:35:06,140 WARN JDBCExceptionReporter:77 - SQL Error: 17003, SQLState: null
01:35:06,140 ERROR JDBCExceptionReporter:78 - 无效的列索引
java.sql.SQLException: 无效的列索引
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:111)
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:145)
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:207)
oracle.jdbc.driver.OraclePreparedStatement.setIntInternal(OraclePreparedStatement.java:4570)
oracle.jdbc.driver.OraclePreparedStatement.setInt(OraclePreparedStatement.java:4562)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.logicalcobwebs.proxool.ProxyStatement.invoke(ProxyStatement.java:100)
org.logicalcobwebs.proxool.ProxyStatement.intercept(ProxyStatement.java:57)
oracle.jdbc.OracleStatement$$EnhancerByProxool$$90ca80fe.setInt(<generated>)
org.hibernate.loader.Loader.bindLimitParameters(Loader.java:1646)
org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:1566)
org.hibernate.loader.Loader.doQuery(Loader.java:673)
org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
org.hibernate.loader.Loader.doList(Loader.java:2220)
org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2104)
org.hibernate.loader.Loader.list(Loader.java:2099)
org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:289)
org.hibernate.impl.SessionImpl.listCustomQuery(SessionImpl.java:1695)
org.hibernate.impl.AbstractSessionImpl.list(AbstractSessionImpl.java:142)
org.hibernate.impl.SQLQueryImpl.list(SQLQueryImpl.java:152)
dao.impl.EquipmentLedgerImpl.selectbyFenye(EquipmentLedgerImpl.java:77)
service.impl.EquipmentLedgerServiceImpl.Fenyeselect(EquipmentLedgerServiceImpl.java:61)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
org.springframework.ao
问题1:
是不是只要sql语句是预编译的就不会被sql注入
问题2:
hibernate:select * from ( select * from tdjb_equipmentledger where czdyzgdj='110' and ycsbmc like '%故障%' order by id desc ) where rownum <= ?//这是hibernate输出的语句
sql=select * from tdjb_equipmentledger where czdyzgdj='110' and ycsbmc like '%故障%' order by id desc
Query q=sessionFactory.getCurrentSession().createSQLQuery(sql).addEntity(Equipmentledger.class);
List list=q.list()
可以得到list
但是我试着sql注入
sql=select * from tdjb_equipmentledger where czdyzgdj='110')--' and ycsbmc like '%故障%' order by id desc//语句变成这样
hibernate:select * from ( select * from tdjb_equipmentledger where czdyzgdj='110')--' and ycsbmc like '%故障%' order by id desc ) where rownum <= ?
我把hibernate输出的语句在plsql上运行都是可以的,注释符号都起作用,但是sql注入的语句在程序中就报错
01:35:06,140 WARN JDBCExceptionReporter:77 - SQL Error: 17003, SQLState: null
01:35:06,140 ERROR JDBCExceptionReporter:78 - 无效的列索引
java.sql.SQLException: 无效的列索引
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:111)
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:145)
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:207)
oracle.jdbc.driver.OraclePreparedStatement.setIntInternal(OraclePreparedStatement.java:4570)
oracle.jdbc.driver.OraclePreparedStatement.setInt(OraclePreparedStatement.java:4562)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.logicalcobwebs.proxool.ProxyStatement.invoke(ProxyStatement.java:100)
org.logicalcobwebs.proxool.ProxyStatement.intercept(ProxyStatement.java:57)
oracle.jdbc.OracleStatement$$EnhancerByProxool$$90ca80fe.setInt(<generated>)
org.hibernate.loader.Loader.bindLimitParameters(Loader.java:1646)
org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:1566)
org.hibernate.loader.Loader.doQuery(Loader.java:673)
org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
org.hibernate.loader.Loader.doList(Loader.java:2220)
org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2104)
org.hibernate.loader.Loader.list(Loader.java:2099)
org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:289)
org.hibernate.impl.SessionImpl.listCustomQuery(SessionImpl.java:1695)
org.hibernate.impl.AbstractSessionImpl.list(AbstractSessionImpl.java:142)
org.hibernate.impl.SQLQueryImpl.list(SQLQueryImpl.java:152)
dao.impl.EquipmentLedgerImpl.selectbyFenye(EquipmentLedgerImpl.java:77)
service.impl.EquipmentLedgerServiceImpl.Fenyeselect(EquipmentLedgerServiceImpl.java:61)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
org.springframework.ao
免责声明: 本文仅代表作者个人观点,与爱易网无关。其原创性以及文中陈述文字和内容未经本站证实,对本文以及其中全部或者部分内容、文字的真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
