用$符号给参数赋值能不能防止sql注入?
@wendal 出错了,错误如下
2017-12-19 14:37:42 DEBUG NutDaoExecutor:388 - CREATE USER 'cw'@'%' IDENTIFIED BY '111'
2017-12-19 14:37:42 DEBUG NutDaoExecutor:97 - SQLException
java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlCreateUserStatement not allow : CREATE USER 'cw'@'%' IDENTIFIED BY '111'
at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:727)
at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:397)
at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2598)
at com.alibaba.druid.filter.FilterAdapter.statement_execute(FilterAdapter.java:2473)
at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2598)
at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:153)
at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:497)
at org.nutz.dao.impl.sql.run.NutDaoExecutor._runStatement(NutDaoExecutor.java:357)
at org.nutz.dao.impl.sql.run.NutDaoExecutor.exec(NutDaoExecutor.java:60)
at org.nutz.dao.DaoInterceptorChain.doChain(DaoInterceptorChain.java:66)
at org.nutz.dao.impl.interceptor.DaoLogInterceptor.filter(DaoLogInterceptor.java:22)
at org.nutz.dao.DaoInterceptorChain.doChain(DaoInterceptorChain.java:64)
at org.nutz.dao.DaoInterceptorChain.invoke(DaoInterceptorChain.java:139)
at org.nutz.dao.impl.sql.run.NutDaoRunner.runCallback(NutDaoRunner.java:158)
at org.nutz.dao.impl.sql.run.NutDaoRunner._runWithoutTransaction(NutDaoRunner.java:125)
at org.nutz.dao.impl.sql.run.NutDaoRunner._run(NutDaoRunner.java:92)
at org.nutz.dao.impl.sql.run.NutDaoRunner.run(NutDaoRunner.java:81)
at org.nutz.dao.impl.DaoSupport.run(DaoSupport.java:240)
at org.nutz.dao.impl.DaoSupport._exec(DaoSupport.java:252)
at org.nutz.dao.impl.DaoSupport.execute(DaoSupport.java:236)
at org.nutz.dao.impl.NutDao.execute(NutDao.java:1008)
at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule.addUsers(RelatingManagementModule.java:136)
at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule.addUser(RelatingManagementModule.java:2217)
at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule$FM$addUser$8150908519862df4eaffc43c0a42ebc3.invoke(RelatingManagementModule.java)
at org.nutz.mvc.impl.processor.MethodInvokeProcessor.process(MethodInvokeProcessor.java:31)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at com.yh.app.webser.common.mvc.UsbKeyCheckProcessor.process(UsbKeyCheckProcessor.java:42)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.mvc.impl.processor.AdaptorProcessor.process(AdaptorProcessor.java:30)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.integration.shiro.YHShiroProcessor.process(YHShiroProcessor.java:60)
at org.nutz.mvc.impl.processor.ActionFiltersProcessor.process(ActionFiltersProcessor.java:62)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.integration.shiro.NutShiroProcessor.process(NutShiroProcessor.java:126)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.mvc.impl.processor.ModuleProcessor.process(ModuleProcessor.java:123)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.mvc.impl.processor.EncodingProcessor.process(EncodingProcessor.java:27)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.mvc.impl.processor.UpdateRequestAttributesProcessor.process(UpdateRequestAttributesProcessor.java:15)
at org.nutz.mvc.impl.NutActionChain.doChain(NutActionChain.java:44)
at org.nutz.mvc.impl.ActionInvoker.invoke(ActionInvoker.java:67)
at org.nutz.mvc.ActionHandler.handle(ActionHandler.java:31)
at org.nutz.mvc.NutFilter.doFilter(NutFilter.java:202)
at com.yh.app.webser.common.mvc.YHwebFilter.doFilter(YHwebFilter.java:41)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at com.alibaba.druid.support.http.WebStatFilter.doFilter(WebStatFilter.java:123)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:745)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
2017-12-19 14:37:49 WARN FailProcessor:46 - Error@/relatingManagement/addUser :
org.nutz.dao.DaoException: !Nutz SQL Error: 'CREATE USER 'cw'@'%' IDENTIFIED BY '111''
PreparedStatement:
'CREATE USER 'cw'@'%' IDENTIFIED BY '111''
CaseMessage=sql injection violation, class com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlCreateUserStatement not allow : CREATE USER 'cw'@'%' IDENTIFIED BY '111'
at org.nutz.dao.impl.sql.run.NutDaoExecutor.exec(NutDaoExecutor.java:104)
at org.nutz.dao.DaoInterceptorChain.doChain(DaoInterceptorChain.java:66)
at org.nutz.dao.impl.interceptor.DaoLogInterceptor.filter(DaoLogInterceptor.java:22)
at org.nutz.dao.DaoInterceptorChain.doChain(DaoInterceptorChain.java:64)
at org.nutz.dao.DaoInterceptorChain.invoke(DaoInterceptorChain.java:139)
at org.nutz.dao.impl.sql.run.NutDaoRunner.runCallback(NutDaoRunner.java:158)
at org.nutz.dao.impl.sql.run.NutDaoRunner._runWithoutTransaction(NutDaoRunner.java:125)
at org.nutz.dao.impl.sql.run.NutDaoRunner._run(NutDaoRunner.java:92)
at org.nutz.dao.impl.sql.run.NutDaoRunner.run(NutDaoRunner.java:81)
at org.nutz.dao.impl.DaoSupport.run(DaoSupport.java:240)
at org.nutz.dao.impl.DaoSupport._exec(DaoSupport.java:252)
at org.nutz.dao.impl.DaoSupport.execute(DaoSupport.java:236)
at org.nutz.dao.impl.NutDao.execute(NutDao.java:1008)
at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule.addUsers(RelatingManagementModule.java:136)
at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule.addUser(RelatingManagementModule.java:2217)
at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule$FM$addUser$8150908519862df4eaffc43c0a42ebc3.invoke(RelatingManagementModule.java)
at org.nutz.mvc.impl.processor.MethodInvokeProcessor.process(MethodInvokeProcessor.java:31)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at com.yh.app.webser.common.mvc.UsbKeyCheckProcessor.process(UsbKeyCheckProcessor.java:42)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.mvc.impl.processor.AdaptorProcessor.process(AdaptorProcessor.java:30)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.integration.shiro.YHShiroProcessor.process(YHShiroProcessor.java:60)
at org.nutz.mvc.impl.processor.ActionFiltersProcessor.process(ActionFiltersProcessor.java:62)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.integration.shiro.NutShiroProcessor.process(NutShiroProcessor.java:126)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.mvc.impl.processor.ModuleProcessor.process(ModuleProcessor.java:123)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.mvc.impl.processor.EncodingProcessor.process(EncodingProcessor.java:27)
at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
at org.nutz.mvc.impl.processor.UpdateRequestAttributesProcessor.process(UpdateRequestAttributesProcessor.java:15)
at org.nutz.mvc.impl.NutActionChain.doChain(NutActionChain.java:44)
at org.nutz.mvc.impl.ActionInvoker.invoke(ActionInvoker.java:67)
at org.nutz.mvc.ActionHandler.handle(ActionHandler.java:31)
at org.nutz.mvc.NutFilter.doFilter(NutFilter.java:202)
at com.yh.app.webser.common.mvc.YHwebFilter.doFilter(YHwebFilter.java:41)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at com.alibaba.druid.support.http.WebStatFilter.doFilter(WebStatFilter.java:123)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:745)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlCreateUserStatement not allow : CREATE USER 'cw'@'%' IDENTIFIED BY '111'
at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:727)
at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:397)
at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2598)
at com.alibaba.druid.filter.FilterAdapter.statement_execute(FilterAdapter.java:2473)
at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2598)
at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:153)
at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:497)
at org.nutz.dao.impl.sql.run.NutDaoExecutor._runStatement(NutDaoExecutor.java:357)
at org.nutz.dao.impl.sql.run.NutDaoExecutor.exec(NutDaoExecutor.java:60)
... 67 more
2017-12-19 14:37:49 ERROR FailProcessor:49 - 执行期间错误:org.nutz.dao.DaoException: !Nutz SQL Error: 'CREATE USER 'cw'@'%' IDENTIFIED BY '111''
PreparedStatement:
'CREATE USER 'cw'@'%' IDENTIFIED BY '111''
CaseMessage=sql injection violation, class com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlCreateUserStatement not allow : CREATE USER 'cw'@'%' IDENTIFIED BY '111'
@wendal 不太清楚啊,这是代码
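// Nutz "$name" placeholders are plain text substitution into the SQL string, not
// JDBC bind parameters ("@name"), so every value set below ends up verbatim in the
// statement text (see the logged statement: the quotes and values are inlined).
// Sqls.escapeSqlFieldValue only escapes quotes inside the quoted literals; it does
// not turn the values into bound parameters, so validate the identifier-like
// inputs before splicing them in.
//
// user and host are MySQL account parts and cannot be bound as JDBC parameters;
// restrict them to a strict allowlist. Widen the character classes only if the
// project's account-naming policy genuinely needs more (e.g. dotted host names
// and the '%' wildcard are allowed for host, nothing else).
if (user == null || !String.valueOf(user).matches("[A-Za-z0-9_]+")) {
    throw new IllegalArgumentException("invalid MySQL user name");
}
if (host == null || !String.valueOf(host).matches("[A-Za-z0-9_.%-]+")) {
    throw new IllegalArgumentException("invalid MySQL host pattern");
}
// An empty IDENTIFIED BY '' would create an account with no password.
if (pwd == null || String.valueOf(pwd).isEmpty()) {
    throw new IllegalArgumentException("password must not be empty");
}
Sql sql = Sqls.create("CREATE USER '$user'@'$host' IDENTIFIED BY '$pwd'");
sql.setVar("user", Sqls.escapeSqlFieldValue(user));
sql.setVar("host", Sqls.escapeSqlFieldValue(host));
// pwd is free text, so quote escaping is still needed inside its literal.
sql.setVar("pwd", Sqls.escapeSqlFieldValue(pwd));
// NOTE: the SQLException in the log ("MySqlCreateUserStatement not allow") is
// Druid's WallFilter rejecting CREATE USER by statement type, not a complaint
// about the values — escaping cannot make it pass. Prefer running account
// management through a separately configured data source (or a wall config
// scoped to it) rather than dropping "wall" from the shared filters.
// Also worth confirming: this path runs CREATE USER on the web app's pooled
// connection, which implies that account holds the CREATE USER privilege.
dao.execute(sql);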
@wendal 是这个么
filters: "config,wall,stat"