日期:2014-05-20  浏览次数:20946 次

oracle存储过程防止sql注入的问题。。。。。。。。。。。。。。。。。。。。。。。。。。。。
我用open cursor1 for v_sqlstring动态打开游标,那个v_sqlstring是一个查询语句,为了防止查询条件有单引号之类的特殊符号,我用replace替换掉了单引号。
但是要查询的内容有单引号,要把这条含有单引号的内容查出来的话,就查不出了,什么办???




select replace(projectname,'''','') into projectname_temp from dual;这个地方把查询条件projectname里的单引号去掉了,但是如果这个字段里的数据有单引号的话,就查不出来了。。

SQL code

CREATE OR REPLACE function certificatefunction1
(
    projectstate in int,
    projectname in varchar,
    startDateMin in varchar,
    startDateMax in varchar,
    endDateMin in varchar,
    endDateMax in varchar,
    certificateType in int,
    versions in varchar
    ) return sys_refcursor
as
  cursor1 sys_refcursor;
  projectname_temp varchar(50);
  sqlstr varchar(2000);
begin
  sqlstr := sqlstr || ' select pp.profile_Id,pp.name,pp.version,pp.start_Date,pp.end_Date,pci.certificate_Type ';
  sqlstr := sqlstr || ' from Project_Profile pp,Project_Certificate_Info pci ';
  sqlstr := sqlstr || ' where pp.profile_Id = pci.profile_Id ';
  sqlstr := sqlstr || ' and pp.status != ' || projectstate;
  
  if projectname is not null then
   select replace(projectname,'''','') into projectname_temp from dual;
   sqlstr := sqlstr || ' and pp.name like ''%' || projectname_temp || '%''';
  end if;
  
  if startDateMin is not null then
   sqlstr := sqlstr || ' and pp.start_date >= to_date(''' || startDateMin || ''',''yyyy-mm-dd'')';
  end if;
  
  if startDateMax is not null then
   sqlstr := sqlstr || ' and pp.start_date < to_date(''' || startDateMax || ''',''yyyy-mm-dd'')';
  end if;
  
  if endDateMin is not null then
   sqlstr := sqlstr || ' and pp.end_date >= to_date(''' || endDateMin || ''',''yyyy-mm-dd'')';
  end if;
  
  if endDateMax is not null then
   sqlstr := sqlstr || ' and pp.end_date <= to_date(''' || endDateMax || ''',''yyyy-mm-dd'')';
  end if;
  
  if certificateType != -1 then
   sqlstr := sqlstr || ' and pci.certificate_Type = ' || certificateType;
  end if;
  
  if versions is not null then
   sqlstr := sqlstr || ' and pp.version like ''%' || versions || '%''';
  end if;
  
  sqlstr := sqlstr || ' order by pp.profile_Id desc ';
  
  open cursor1 for sqlstr;
  
  return cursor1;
end certificatefunction1;



------解决方案--------------------
针对projectname 特殊处理
if projectname is not null then
sqlstr := sqlstr || ' and pp.name like ''%?%''';
end if;

if projectname is not null then
open cursor1 for sqlstr using projectname 
elsif then
open cursor1 for sqlstr;
end if

我的异常网推荐解决方案:oracle存储过程,http://www.myexception.cn/oracle-develop/177537.html