问题1:
是不是只要sql语句是预编译的就不会被sql注入
问题2:
hibernate:select * from ( select * from tdjb_equipmentledger where czdyzgdj='110' and ycsbmc like '%故障%' order by id desc ) where rownum <= ?//这是hibernate输出的语句
sql=select * from tdjb_equipmentledger where czdyzgdj='110' and ycsbmc like '%故障%' order by id desc
Query q=sessionFactory.getCurrentSession().createSQLQuery(sql).addEntity(Equipmentledger.class);
List list=q.list()
可以得到list
但是我试着sql注入
sql=select * from tdjb_equipmentledger where czdyzgdj='110')--' and ycsbmc like '%故障%' order by id desc//语句变成这样
hibernate:select * from ( select * from tdjb_equipmentledger where czdyzgdj='110')--' and ycsbmc like '%故障%' order by id desc ) where rownum <= ?
我把hibernate输出的语句在plsql上运行都是可以的,注释符号都起作用,但是sql注入的语句在程序中就报错
01:35:06,140 WARN JDBCExceptionReporter:77 - SQL Error: 17003, SQLState: null
01:35:06,140 ERROR JDBCExceptionReporter:78 - 无效的列索引
java.sql.SQLException: 无效的列索引
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:111)
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:145)
oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:207)
oracle.jdbc.driver.OraclePreparedStatement.setIntInternal(OraclePreparedStatement.java:4570)
oracle.jdbc.driver.OraclePreparedStatement.setInt(OraclePreparedStatement.java:4562)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.logicalcobwebs.proxool.ProxyStatement.invoke(ProxyStatement.java:100)
org.logicalcobwebs.proxool.ProxyStatement.intercept(ProxyStatement.java:57)
oracle.jdbc.OracleStatement$$EnhancerByProxool$$90ca80fe.setInt(<generated>)
org.hibernate.loader.Loader.bindLimitParameters(Loader.java:1646)
org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:1566)
org.hibernate.loader.Loader.doQuery(Loader.java:673)
org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
org.hibernate.loader.Loader.doList(Loader.java:2220)
org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2104)
org.hibernate.loader.Loader.list(Loader.java:2099)
org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:289)
org.hibernate.impl.SessionImpl.listCustomQuery(SessionImpl.java:1695)
org.hibernate.impl.AbstractSessionImpl.list(AbstractSessionImpl.java:142)
org.hibernate.impl.SQLQueryImpl.list(SQLQueryImpl.java:152)
dao.impl.EquipmentLedgerImpl.selectbyFenye(EquipmentLedgerImpl.java:77)
service.impl.EquipmentLedgerServiceImpl.Fenyeselect(EquipmentLedgerServiceImpl.java:61)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
$Proxy0.Fenyeselect(Unknown Source)
action.EquipmentLedgerAction.feny2(EquipmentLedgerAction.java:269)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:452)
com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:291)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:254)
com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:176)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:263)
org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:133)