1

我有多个 HQL 语句易受 SQL 注入示例的影响:

public List<Person> SearchList(String userName, String firstName, String lastName, String email) Exception {
   List<Person> personList = new ArrayList<>();
   String hql = " FROM **.***.***.entity.Person P WHERE ";
   boolean buName = false;
   boolean bfName = false;
   if (StringUtils.isNotEmpty(userName)){
      hql = hql + "lower(P.userName) like :userName "; 
      buName = true;
   }
   if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)){    
      if(buName){
         hql = hql + " OR ";
      }
      hql = hql + "(lower(P.firstName) like :firstName AND lower(P.lastName) like :lastName) ";  
      bfName = true;    
   }
   if (StringUtils.isNotEmpty(internetAddr)){    
      if(buName || bfName){
         hql = hql + " OR ";
      }
      hql = hql + "lower(P.email) = :email"; 
   }
   try {
      Query query = getCurrentSession().createQuery(hql);
        
      if (StringUtils.isNotEmpty(userName)) {
         query.setParameter("userName", '%'+userName.toLowerCase()+'%');
      } else if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)) {
         query.setParameter("firstName", '%'+firstName.toLowerCase()+'%');
         query.setParameter("lastName", '%'+lastName.toLowerCase()+'%');
      } else if (StringUtils.isNotEmpty(email)) {
         query.setParameter("email", email.toLowerCase());
      }

      personList = query.list();
   } catch(Exception e){
      throw new Exception(e.getMessage());
   }
   return personList;
}

在这里,我避免在查询中进行连接"'%" + userName + "%'"以避免 SQL 注入漏洞,现在我看到与

Named parameters not bound: lastname

这发生在使用搜索的基础上firstname。我怎样才能避免这种情况?

4

1 回答 1

1

你应该纠正这个:

if (StringUtils.isNotEmpty(userName)) {
   query.setParameter("userName", '%'+userName.toLowerCase()+'%');
} else if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)) {
   query.setParameter("firstName", '%'+firstName.toLowerCase()+'%');
   query.setParameter("lastName", '%'+lastName.toLowerCase()+'%');
} else if (StringUtils.isNotEmpty(email)) {
   query.setParameter("email", email.toLowerCase());
}

对此:

if (StringUtils.isNotEmpty(userName)) {
   query.setParameter("userName", '%'+userName.toLowerCase()+'%');
}
if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)) {
   query.setParameter("firstName", '%'+firstName.toLowerCase()+'%');
   query.setParameter("lastName", '%'+lastName.toLowerCase()+'%');
}
if (StringUtils.isNotEmpty(email)) {
   query.setParameter("email", email.toLowerCase());
}

因为您应该将命名参数添加到 HQL 并通过query.setParameter一致地设置它们。

笔记

我避免在查询“'%”+用户名+“%'”中连接以避免 SQL 注入漏洞

您可以在 HQL中使用连接(操作) ,如下所示:

... 
lower(P.userName) like '%' || :userName || '%'
...

它也可以让你避免 SQL 注入。但请注意,这like很可能会导致全表扫描

于 2021-05-25T11:26:21.877 回答