如何安全地将参数注入字符串数据库查询 java?
How to safely inject parameter into string DB query java?
我有这个 bigQuery 示例代码:
List<TableRow> rows =
executeQuery(
"SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
+ "FROM [publicdata:samples.shakespeare]",
bigquery,
PROJECT_ID);
如果我想安全地将国家/地区注入该字符串
我该怎么做?
我想避免 sql 注入的风险,这是有风险的:
public void foo(String countryParam) {
List<TableRow> rows =
executeQuery(
"SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = '"+countryParam+"' " +
+ "FROM [publicdata:samples.shakespeare]",
bigquery,
PROJECT_ID);
}
更新
找不到 Elliott Brossard 建议的明确示例:
public List<String> getVenuesForBrand(BrandChangeDataUi brandChangeDataUi) throws IOException {
QueryParameter param = new QueryParameter();
param.setName("country");
param.setParameterValue(new QueryParameterValue().setValue("USA"));
param.setParameterType(new QueryParameterType().setType("string"));
List<QueryParameter> params = new ArrayList<>();
params.add(param);
JobConfigurationQuery jobConfigurationQuery = new JobConfigurationQuery();
jobConfigurationQuery.setQueryParameters(params);
jobConfigurationQuery.setQuery( "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
+ "FROM [publicdata:samples.shakespeare]");
List<TableRow> rows =
executeQuery(
jobConfigurationQuery.toString(),
bigquery,
PROJECT_ID);
printResults(rows);
return null;
}
看看jobs.query reference. For the Java API, they are documented as part of JobConfigurationQuery. Note that query parameters are available only using standard SQL下的queryParameters。
我有这个 bigQuery 示例代码:
List<TableRow> rows =
executeQuery(
"SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
+ "FROM [publicdata:samples.shakespeare]",
bigquery,
PROJECT_ID);
如果我想安全地将国家/地区注入该字符串
我该怎么做?
我想避免 sql 注入的风险,这是有风险的:
public void foo(String countryParam) {
List<TableRow> rows =
executeQuery(
"SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = '"+countryParam+"' " +
+ "FROM [publicdata:samples.shakespeare]",
bigquery,
PROJECT_ID);
}
更新
找不到 Elliott Brossard 建议的明确示例:
public List<String> getVenuesForBrand(BrandChangeDataUi brandChangeDataUi) throws IOException {
QueryParameter param = new QueryParameter();
param.setName("country");
param.setParameterValue(new QueryParameterValue().setValue("USA"));
param.setParameterType(new QueryParameterType().setType("string"));
List<QueryParameter> params = new ArrayList<>();
params.add(param);
JobConfigurationQuery jobConfigurationQuery = new JobConfigurationQuery();
jobConfigurationQuery.setQueryParameters(params);
jobConfigurationQuery.setQuery( "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
+ "FROM [publicdata:samples.shakespeare]");
List<TableRow> rows =
executeQuery(
jobConfigurationQuery.toString(),
bigquery,
PROJECT_ID);
printResults(rows);
return null;
}
看看jobs.query reference. For the Java API, they are documented as part of JobConfigurationQuery. Note that query parameters are available only using standard SQL下的queryParameters。