java.sql.SQLException: sql injection violation, comment not allow : select
As the title says, I run a select with this SQL and it throws the error above. Below is the SQL in the Mapper:
<select id="selectBillDetailByBizIdAndClearType" resultMap="BaseResultMap">
select
<include refid="Base_Column_List" />
from dwd_clearing_bill_detail
where biz_detail_id in
<foreach collection="bizDetailIdList" item="item" index="index" open="(" separator="," close=")">
#{item}
</foreach>
and clear_type in
<foreach collection="clearTypeList" item="item" index="index" open="(" separator="," close=")">
#{item}
</foreach>
</select>
This is an exception indicating that building an SQL statement this way is unsafe.
Someone could inject malicious SQL code to retrieve sensitive data or modify/remove your data. See https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
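The answer above points to the OWASP cheat sheet. As an added example that is not part of the original thread, the following Python snippet shows, with an in-memory sqlite3 table standing in for dwd_clearing_bill_detail and a few constructed rows, the difference between binding every IN-list value as a parameter (which is what the mapper's <foreach> with #{item} expands to: one placeholder per element) and splicing the values into the SQL text (what ${item} would do). Only the table and column names are taken from the mapper; the function names, the sample data and the sqlite3 back end are assumptions made for this illustration.

```python
"""Added example, not code from the original post: IN-list queries with
bound parameters versus string concatenation, on an in-memory sqlite3 table."""
import sqlite3

# Constructed sample rows standing in for dwd_clearing_bill_detail
SAMPLE_ROWS = [
    (1, "biz-001", "A"),
    (2, "biz-002", "B"),
    (3, "biz-003", "A"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table dwd_clearing_bill_detail "
        "(id integer primary key, biz_detail_id text, clear_type text)"
    )
    conn.executemany(
        "insert into dwd_clearing_bill_detail values (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def placeholders(values):
    """Build '(?, ?, ?)' with one marker per value, the equivalent of
    <foreach open="(" separator="," close=")">#{item}</foreach>.
    An empty list would expand to 'in ()', which is invalid SQL, so refuse it."""
    if not values:
        raise ValueError("IN list must not be empty")
    return "(" + ", ".join(["?"] * len(values)) + ")"


def select_parameterized(conn, biz_ids, clear_types):
    """Safe variant: the SQL text only depends on how many values there are;
    the values themselves are sent to the driver as bound parameters."""
    sql = (
        "select id, biz_detail_id, clear_type from dwd_clearing_bill_detail "
        f"where biz_detail_id in {placeholders(biz_ids)} "
        f"and clear_type in {placeholders(clear_types)} order by id"
    )
    return conn.execute(sql, [*biz_ids, *clear_types]).fetchall()


def select_concatenated(conn, biz_ids, clear_types):
    """Unsafe variant: values quoted by hand and pasted into the statement,
    which is what ${item} does in a MyBatis mapper."""

    def quoted(values):
        return "(" + ", ".join(f"'{v}'" for v in values) + ")"

    sql = (
        "select id, biz_detail_id, clear_type from dwd_clearing_bill_detail "
        f"where biz_detail_id in {quoted(biz_ids)} "
        f"and clear_type in {quoted(clear_types)} order by id"
    )
    return conn.execute(sql).fetchall()


def demo():
    """Returns (normal rows, rows for an odd value, concatenation error or None)."""
    conn = _connect()
    normal = select_parameterized(conn, ["biz-001", "biz-003"], ["A"])

    # A value carrying an apostrophe and a comment marker: with binding it is
    # compared literally as data and simply matches nothing.
    odd_value = "biz-00'1 -- x"
    odd = select_parameterized(conn, [odd_value], ["A"])

    # Spliced into the text, the same value changes the statement itself:
    # the apostrophe closes the literal early and the rest is mis-parsed.
    try:
        select_concatenated(conn, [odd_value], ["A"])
        concat_error = None
    except sqlite3.OperationalError as exc:
        concat_error = str(exc)
    return normal, odd, concat_error


if __name__ == "__main__":
    rows, odd_rows, err = demo()
    print("parameterized:", rows)
    print("odd value, parameterized:", odd_rows)
    print("odd value, concatenated:", err)
```

The point to take from the mapper is the choice of #{item} over ${item}: #{} becomes a JDBC placeholder bound at execution time, exactly like placeholders() plus the parameter list here, while ${} pastes the text into the statement. The empty-list guard in placeholders() mirrors a failure mode of <foreach> too, since an empty collection yields "in ()", which the database rejects.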