在 Spring Boot 中使用 jdbcTemplate 执行带有动态占位符的 HANA 查询
HANA query with dynamic placeholder executed using jdbcTemplate in Spring Boot
我有一些依赖于 PLACEHOLDER 输入的 HANA 查询。此输入目前是硬编码的,这导致 Veracode 检测到 SQL 注入漏洞。
为了解决这个问题,我尝试使用 PreparedStatement 参数化给 PLACEHOLDER 的值,但出现以下错误:
PreparedStatementCallback; uncategorized SQLException for SQL [SELECT * FROM some_table (PLACEHOLDER.\"$$<IP_SOME_COLUMN>$$\" => ?) WHERE some_flag = ?; ]; SQL state [HY000]; error code [2048]; SAP DBTech JDBC: [2048]: column store error: search table error: [34023] Instantiation of calculation model failed;exception 306002: An internal error occurred\n; nested exception is com.sap.db.jdbc.exceptions.JDBCDriverException: SAP DBTech JDBC: [2048]: column store error: search table error: [34023] Instantiation of calculation model failed;exception 306002: An internal error occurred
我已经检查 solution and gone through the documentation SAP HANA 中的输入参数。下面是我的代码:
String sqlQuery = SELECT * FROM some_table ( PLACEHOLDER.\"$$<IP_SOME_COLUMN>$$\" => ? ) WHERE some_flag = ? ;
PreparedStatementSetter preparedStatementSetter = (PreparedStatement ps) -> {
ps.setString(1, firstInput);
ps.setString(2, secondInput);
}
ResultSetExtractor<T> rse = new DataResultSetExtractor();
getJdbcTemplate().query(sqlQuery, preparedStatementSetter, rse);
同样适用于硬编码方式(易于 SQL 注入):
StringBuffer sql = new StringBuffer();
sql.append("SELECT * FROM some_table ").append("( 'PLACEHOLDER' = ('$$IP_SOME_COLUMN$$',").append(firstColumnValue).append("))");
//Map<String,Object> paramMap = new HashMap<String,Object>();
//getNamedParameterJdbcTemplate().query(sql.toString(), paramMap, rse);
如何修复此错误?
解决了问题。看来,在新语法中,您需要用单引号而不是三重单引号
提供输入参数
作品:'foo'
无效:'''bar'''
我有一些依赖于 PLACEHOLDER 输入的 HANA 查询。此输入目前是硬编码的,这导致 Veracode 检测到 SQL 注入漏洞。
为了解决这个问题,我尝试使用 PreparedStatement 参数化给 PLACEHOLDER 的值,但出现以下错误:
PreparedStatementCallback; uncategorized SQLException for SQL [SELECT * FROM some_table (PLACEHOLDER.\"$$<IP_SOME_COLUMN>$$\" => ?) WHERE some_flag = ?; ]; SQL state [HY000]; error code [2048]; SAP DBTech JDBC: [2048]: column store error: search table error: [34023] Instantiation of calculation model failed;exception 306002: An internal error occurred\n; nested exception is com.sap.db.jdbc.exceptions.JDBCDriverException: SAP DBTech JDBC: [2048]: column store error: search table error: [34023] Instantiation of calculation model failed;exception 306002: An internal error occurred
我已经检查
String sqlQuery = SELECT * FROM some_table ( PLACEHOLDER.\"$$<IP_SOME_COLUMN>$$\" => ? ) WHERE some_flag = ? ;
PreparedStatementSetter preparedStatementSetter = (PreparedStatement ps) -> {
ps.setString(1, firstInput);
ps.setString(2, secondInput);
}
ResultSetExtractor<T> rse = new DataResultSetExtractor();
getJdbcTemplate().query(sqlQuery, preparedStatementSetter, rse);
同样适用于硬编码方式(易于 SQL 注入):
StringBuffer sql = new StringBuffer();
sql.append("SELECT * FROM some_table ").append("( 'PLACEHOLDER' = ('$$IP_SOME_COLUMN$$',").append(firstColumnValue).append("))");
//Map<String,Object> paramMap = new HashMap<String,Object>();
//getNamedParameterJdbcTemplate().query(sql.toString(), paramMap, rse);
如何修复此错误?
解决了问题。看来,在新语法中,您需要用单引号而不是三重单引号
提供输入参数作品:'foo'
无效:'''bar'''