Q&A: question about preventing SQL injection..
Posted 2291 days ago, author qq_36b64d67, 1656 views

Does assigning parameters with the $ symbol prevent SQL injection?

9 replies

You need to do it like this:

sql.setVar("变量名", Sqls.escapeSqlFieldValue(变量值))

@wendal It errors out; the error is as follows:

2017-12-19 14:37:42 DEBUG NutDaoExecutor:388 - CREATE USER 'cw'@'%' IDENTIFIED BY '111'
2017-12-19 14:37:42 DEBUG NutDaoExecutor:97 - SQLException
java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlCreateUserStatement not allow : CREATE USER 'cw'@'%' IDENTIFIED BY '111'
	at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:727)
	at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:397)
	at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2598)
	at com.alibaba.druid.filter.FilterAdapter.statement_execute(FilterAdapter.java:2473)
	at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2598)
	at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:153)
	at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:497)
	at org.nutz.dao.impl.sql.run.NutDaoExecutor._runStatement(NutDaoExecutor.java:357)
	at org.nutz.dao.impl.sql.run.NutDaoExecutor.exec(NutDaoExecutor.java:60)
	at org.nutz.dao.DaoInterceptorChain.doChain(DaoInterceptorChain.java:66)
	at org.nutz.dao.impl.interceptor.DaoLogInterceptor.filter(DaoLogInterceptor.java:22)
	at org.nutz.dao.DaoInterceptorChain.doChain(DaoInterceptorChain.java:64)
	at org.nutz.dao.DaoInterceptorChain.invoke(DaoInterceptorChain.java:139)
	at org.nutz.dao.impl.sql.run.NutDaoRunner.runCallback(NutDaoRunner.java:158)
	at org.nutz.dao.impl.sql.run.NutDaoRunner._runWithoutTransaction(NutDaoRunner.java:125)
	at org.nutz.dao.impl.sql.run.NutDaoRunner._run(NutDaoRunner.java:92)
	at org.nutz.dao.impl.sql.run.NutDaoRunner.run(NutDaoRunner.java:81)
	at org.nutz.dao.impl.DaoSupport.run(DaoSupport.java:240)
	at org.nutz.dao.impl.DaoSupport._exec(DaoSupport.java:252)
	at org.nutz.dao.impl.DaoSupport.execute(DaoSupport.java:236)
	at org.nutz.dao.impl.NutDao.execute(NutDao.java:1008)
	at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule.addUsers(RelatingManagementModule.java:136)
	at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule.addUser(RelatingManagementModule.java:2217)
	at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule$FM$addUser$8150908519862df4eaffc43c0a42ebc3.invoke(RelatingManagementModule.java)
	at org.nutz.mvc.impl.processor.MethodInvokeProcessor.process(MethodInvokeProcessor.java:31)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at com.yh.app.webser.common.mvc.UsbKeyCheckProcessor.process(UsbKeyCheckProcessor.java:42)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.mvc.impl.processor.AdaptorProcessor.process(AdaptorProcessor.java:30)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.integration.shiro.YHShiroProcessor.process(YHShiroProcessor.java:60)
	at org.nutz.mvc.impl.processor.ActionFiltersProcessor.process(ActionFiltersProcessor.java:62)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.integration.shiro.NutShiroProcessor.process(NutShiroProcessor.java:126)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.mvc.impl.processor.ModuleProcessor.process(ModuleProcessor.java:123)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.mvc.impl.processor.EncodingProcessor.process(EncodingProcessor.java:27)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.mvc.impl.processor.UpdateRequestAttributesProcessor.process(UpdateRequestAttributesProcessor.java:15)
	at org.nutz.mvc.impl.NutActionChain.doChain(NutActionChain.java:44)
	at org.nutz.mvc.impl.ActionInvoker.invoke(ActionInvoker.java:67)
	at org.nutz.mvc.ActionHandler.handle(ActionHandler.java:31)
	at org.nutz.mvc.NutFilter.doFilter(NutFilter.java:202)
	at com.yh.app.webser.common.mvc.YHwebFilter.doFilter(YHwebFilter.java:41)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at com.alibaba.druid.support.http.WebStatFilter.doFilter(WebStatFilter.java:123)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:745)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
2017-12-19 14:37:49  WARN FailProcessor:46 - Error@/relatingManagement/addUser :
org.nutz.dao.DaoException: !Nutz SQL Error: 'CREATE USER 'cw'@'%' IDENTIFIED BY '111''
PreparedStatement: 
'CREATE USER 'cw'@'%' IDENTIFIED BY '111''
CaseMessage=sql injection violation, class com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlCreateUserStatement not allow : CREATE USER 'cw'@'%' IDENTIFIED BY '111'
	at org.nutz.dao.impl.sql.run.NutDaoExecutor.exec(NutDaoExecutor.java:104)
	at org.nutz.dao.DaoInterceptorChain.doChain(DaoInterceptorChain.java:66)
	at org.nutz.dao.impl.interceptor.DaoLogInterceptor.filter(DaoLogInterceptor.java:22)
	at org.nutz.dao.DaoInterceptorChain.doChain(DaoInterceptorChain.java:64)
	at org.nutz.dao.DaoInterceptorChain.invoke(DaoInterceptorChain.java:139)
	at org.nutz.dao.impl.sql.run.NutDaoRunner.runCallback(NutDaoRunner.java:158)
	at org.nutz.dao.impl.sql.run.NutDaoRunner._runWithoutTransaction(NutDaoRunner.java:125)
	at org.nutz.dao.impl.sql.run.NutDaoRunner._run(NutDaoRunner.java:92)
	at org.nutz.dao.impl.sql.run.NutDaoRunner.run(NutDaoRunner.java:81)
	at org.nutz.dao.impl.DaoSupport.run(DaoSupport.java:240)
	at org.nutz.dao.impl.DaoSupport._exec(DaoSupport.java:252)
	at org.nutz.dao.impl.DaoSupport.execute(DaoSupport.java:236)
	at org.nutz.dao.impl.NutDao.execute(NutDao.java:1008)
	at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule.addUsers(RelatingManagementModule.java:136)
	at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule.addUser(RelatingManagementModule.java:2217)
	at com.yh.app.webser.module.manage.platformfunction.RelatingManagementModule$FM$addUser$8150908519862df4eaffc43c0a42ebc3.invoke(RelatingManagementModule.java)
	at org.nutz.mvc.impl.processor.MethodInvokeProcessor.process(MethodInvokeProcessor.java:31)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at com.yh.app.webser.common.mvc.UsbKeyCheckProcessor.process(UsbKeyCheckProcessor.java:42)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.mvc.impl.processor.AdaptorProcessor.process(AdaptorProcessor.java:30)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.integration.shiro.YHShiroProcessor.process(YHShiroProcessor.java:60)
	at org.nutz.mvc.impl.processor.ActionFiltersProcessor.process(ActionFiltersProcessor.java:62)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.integration.shiro.NutShiroProcessor.process(NutShiroProcessor.java:126)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.mvc.impl.processor.ModuleProcessor.process(ModuleProcessor.java:123)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.mvc.impl.processor.EncodingProcessor.process(EncodingProcessor.java:27)
	at org.nutz.mvc.impl.processor.AbstractProcessor.doNext(AbstractProcessor.java:44)
	at org.nutz.mvc.impl.processor.UpdateRequestAttributesProcessor.process(UpdateRequestAttributesProcessor.java:15)
	at org.nutz.mvc.impl.NutActionChain.doChain(NutActionChain.java:44)
	at org.nutz.mvc.impl.ActionInvoker.invoke(ActionInvoker.java:67)
	at org.nutz.mvc.ActionHandler.handle(ActionHandler.java:31)
	at org.nutz.mvc.NutFilter.doFilter(NutFilter.java:202)
	at com.yh.app.webser.common.mvc.YHwebFilter.doFilter(YHwebFilter.java:41)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at com.alibaba.druid.support.http.WebStatFilter.doFilter(WebStatFilter.java:123)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:745)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlCreateUserStatement not allow : CREATE USER 'cw'@'%' IDENTIFIED BY '111'
	at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:727)
	at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:397)
	at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2598)
	at com.alibaba.druid.filter.FilterAdapter.statement_execute(FilterAdapter.java:2473)
	at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2598)
	at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:153)
	at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:497)
	at org.nutz.dao.impl.sql.run.NutDaoExecutor._runStatement(NutDaoExecutor.java:357)
	at org.nutz.dao.impl.sql.run.NutDaoExecutor.exec(NutDaoExecutor.java:60)
	... 67 more
2017-12-19 14:37:49 ERROR FailProcessor:49 - 执行期间错误:org.nutz.dao.DaoException: !Nutz SQL Error: 'CREATE USER 'cw'@'%' IDENTIFIED BY '111''
PreparedStatement: 
'CREATE USER 'cw'@'%' IDENTIFIED BY '111''
CaseMessage=sql injection violation, class com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlCreateUserStatement not allow : CREATE USER 'cw'@'%' IDENTIFIED BY '111'

Did you turn on druid's wall feature??

@wendal I'm not really sure; here is the code:

Sql sql = Sqls.create("CREATE USER '$user'@'$host' IDENTIFIED BY '$pwd'");
sql.setVar("user", Sqls.escapeSqlFieldValue(user));
sql.setVar("host", Sqls.escapeSqlFieldValue(host));
sql.setVar("pwd", Sqls.escapeSqlFieldValue(pwd));
dao.execute(sql);
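The question at the top of the thread and the CREATE USER code just above turn on one distinction in Nutz: `$name` is plain text substitution into the SQL string, whereas `@name` becomes a PreparedStatement parameter. The following is an added example, not code from this thread or from the Nutz project, showing both paths side by side. The allow-list patterns, the `t_account` table and the `SafeSqlVars` class name are assumptions made for this example; `Sqls.create`, `setVar`, `setParam`, `Sqls.escapeSqlFieldValue` and `toPreparedStatement` are the real Nutz calls.

```java
import java.util.regex.Pattern;

import org.nutz.dao.Sqls;
import org.nutz.dao.sql.Sql;

/**
 * Added example (not from the thread or from Nutz itself).
 * $name is text substitution, @name is a bound parameter. Only the second is
 * injection-safe by construction; $ values must be escaped and, where their
 * shape is known, validated as well.
 */
public class SafeSqlVars {

    // Hypothetical allow-lists for this example: MySQL account names and host
    // specs are identifier-like, so a strict shape check is cheap defence in depth.
    private static final Pattern ACCOUNT_NAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");
    private static final Pattern HOST_SPEC = Pattern.compile("^(%|[A-Za-z0-9.%_-]{1,60})$");

    /**
     * CREATE USER is DDL: MySQL takes no bind parameters for the account or the
     * password, so $ substitution is the only way to build it. Every value goes
     * through Sqls.escapeSqlFieldValue (quote escaping); the identifier-like
     * parts are additionally checked against the allow-lists. The password is
     * free-form, so for it the escaping is the whole defence.
     */
    public static Sql createUserSql(String user, String host, String pwd) {
        if (!ACCOUNT_NAME.matcher(user).matches())
            throw new IllegalArgumentException("account name has unexpected characters");
        if (!HOST_SPEC.matcher(host).matches())
            throw new IllegalArgumentException("host spec has unexpected characters");
        Sql sql = Sqls.create("CREATE USER '$user'@'$host' IDENTIFIED BY '$pwd'");
        sql.setVar("user", Sqls.escapeSqlFieldValue(user));
        sql.setVar("host", Sqls.escapeSqlFieldValue(host));
        sql.setVar("pwd", Sqls.escapeSqlFieldValue(pwd));
        return sql;
    }

    /**
     * For ordinary DML use @param: the value travels as a JDBC parameter and
     * never becomes part of the SQL text, so it needs no escaping at all.
     * t_account is a hypothetical table for this example.
     */
    public static Sql findAccountSql(String name) {
        Sql sql = Sqls.create("SELECT id, name FROM t_account WHERE name=@name");
        sql.setParam("name", name);
        return sql;
    }

    public static void main(String[] args) {
        // Constructed input: a quote in the name would end the string literal
        // early if substituted raw; the allow-list rejects it before that matters.
        try {
            createUserSql("o'neil", "%", "secret");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A quote in a password is legitimate; escaping keeps it inside the literal.
        Sql ddl = createUserSql("cw", "%", "pa'ss");
        System.out.println(ddl.toPreparedStatement());
        // DML path: the same name is bound as data, so no escaping is involved.
        Sql dml = findAccountSql("o'neil");
        System.out.println(dml.toPreparedStatement());
        // dao.execute(ddl) / dao.query(...) would run these against a Dao obtained elsewhere.
    }
}
```

The Druid rejection seen later in the thread is a separate layer: as the `WallFilter.check` frame in the trace shows, the wall parses the statement and refuses CREATE USER by statement type, regardless of how the values were escaped. Removing `wall` from the `filters` list switches that check off for every statement on that data source; a narrower option is to issue account-provisioning DDL through a dedicated data source that omits the wall filter and connects with only the privileges that DDL needs, while the application's normal data source keeps it.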

It's druid's configuration; check dao.js and the .properties file, you should see "wall" in there.

@wendal Is it this one?

filters: "config,wall,stat"

Yes, remove wall.

OK, it works now; that was it after all.
