```
java.sql.SQLException: sql injection violation, syntax error: TODO : pos 872, line 15, column 43, token UNION : SELECT asewo.code_s as code,asewo.order_type_s as orderType,asewo.equipment_name_s as equipmentName,asewo.executor_s as executor, asewo.plan_start_time_T as planStartTime,asewo.plan_finish_time_T as planFinishTime,asewo.tpm_key_s as tpmKey,asewo.shop_s as shop, asewo.line_S as line,asewo.actual_start_time_t as startTime,asewo.actual_finish_time_t as finishTime,asewo.executor_account_s as executorAccounts, asewo.source_type_s as sourceType,asewo.SOURCE_ORDER_S as sourceOrder,asewo.CREATION_TIME as creationTime FROM AT_AS_EM_Work_Order asewo WHERE to_char(asewo.plan_start_time_T,'yyyy_mm-dd hh24:mi') <= to_char(plan_finish_time_T,'yyyy_mm_dd hh24:mi') AND asewo.ORDER_STATUS_S='创建' AND asewo.executor_s=? ORDER BY asewo.creation_time DESC Union All SELECT asewo.code_s as code,asewo.order_type_s as orderType,asewo.equipment_name_s as equipmentName,asewo.executor_s as executor, asewo.plan_start_time_T as planStartTime,asewo.plan_finish_time_T as planFinishTime,asewo.tpm_key_s as tpmKey,asewo.shop_s as shop, asewo.line_S as line,asewo.actual_start_time_t as startTime,asewo.actual_finish_time_t as finishTime,asewo.executor_account_s as executorAccounts, asewo.source_type_s as sourceType,asewo.SOURCE_ORDER_S as sourceOrder,asewo.CREATION_TIME as creationTime FROM AT_AS_EM_Work_Order asewo WHERE asewo.ORDER_STATUS_S='创建' AND asewo.executor_s=? ORDER BY asewo.creation_time DESC
```
How should this be changed?
Time: 2024-03-27 07:39:05 Views: 23
This code is a SQL query statement that contains a UNION operator, so it may have a SQL injection vulnerability. To avoid an injection vulnerability, you can build the SQL statement with a parameterized query. Specifically, replace the variables in the query with placeholders (such as ?), and pass the variables' values to the placeholders when the query is executed. This ensures that the input variables are not interpreted as part of the SQL statement, which prevents injection attacks.
Here is an example that uses a parameterized query:
```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Oracle does not accept ORDER BY inside a UNION ALL branch; that first ORDER BY
// is the point at which Druid's parser stopped ("token UNION"). A single ORDER BY
// now follows the whole set operation and refers to the result alias. The two
// to_char masks originally differed ('yyyy_mm-dd' vs 'yyyy_mm_dd'); both now match.
static void queryWorkOrders(Connection connection, String executor) throws SQLException {
    String sql = "SELECT asewo.code_s as code,asewo.order_type_s as orderType,asewo.equipment_name_s as equipmentName,asewo.executor_s as executor, "
        + "asewo.plan_start_time_T as planStartTime,asewo.plan_finish_time_T as planFinishTime,asewo.tpm_key_s as tpmKey,asewo.shop_s as shop, "
        + "asewo.line_S as line,asewo.actual_start_time_t as startTime,asewo.actual_finish_time_t as finishTime,asewo.executor_account_s as executorAccounts, "
        + "asewo.source_type_s as sourceType,asewo.SOURCE_ORDER_S as sourceOrder,asewo.CREATION_TIME as creationTime "
        + "FROM AT_AS_EM_Work_Order asewo "
        + "WHERE to_char(asewo.plan_start_time_T,'yyyy-mm-dd hh24:mi') <= to_char(asewo.plan_finish_time_T,'yyyy-mm-dd hh24:mi') "
        + "AND asewo.ORDER_STATUS_S='创建' "
        + "AND asewo.executor_s=? "
        + "UNION ALL "
        + "SELECT asewo.code_s as code,asewo.order_type_s as orderType,asewo.equipment_name_s as equipmentName,asewo.executor_s as executor, "
        + "asewo.plan_start_time_T as planStartTime,asewo.plan_finish_time_T as planFinishTime,asewo.tpm_key_s as tpmKey,asewo.shop_s as shop, "
        + "asewo.line_S as line,asewo.actual_start_time_t as startTime,asewo.actual_finish_time_t as finishTime,asewo.executor_account_s as executorAccounts, "
        + "asewo.source_type_s as sourceType,asewo.SOURCE_ORDER_S as sourceOrder,asewo.CREATION_TIME as creationTime "
        + "FROM AT_AS_EM_Work_Order asewo "
        + "WHERE asewo.ORDER_STATUS_S='创建' "
        + "AND asewo.executor_s=? "
        + "ORDER BY creationTime DESC";
    try (PreparedStatement stmt = connection.prepareStatement(sql)) {
        stmt.setString(1, executor); // the ? in the first branch
        stmt.setString(2, executor); // the ? in the second branch
        try (ResultSet rs = stmt.executeQuery()) {
            while (rs.next()) {
                // read columns by their alias, e.g. rs.getString("code")
            }
        }
    }
}
```
In the code above, a `PreparedStatement` is used to create the query, with placeholders standing in for the variables. Methods such as `setString` are then used to set the variables' values, and finally the query is executed and the results retrieved. Using parameterized queries effectively prevents SQL injection vulnerabilities.
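The message in the question ("sql injection violation, syntax error ... token UNION") is what Druid's WallFilter reports when its SQL parser cannot parse a statement, so a query that trips it can be caught before deployment by running the same parser in a unit test. The following is an added example, not code from the question or the answer above; it assumes Druid 1.1.x or 1.2.x on the classpath (`SQLUtils.parseStatements` and `JdbcConstants.ORACLE` exist in both), and the two SQL strings are constructed, shortened stand-ins for the question's query: one with ORDER BY inside the first UNION ALL branch, and one with a single ORDER BY after the whole set operation.

```java
import com.alibaba.druid.sql.SQLUtils;
import com.alibaba.druid.sql.parser.ParserException;
import com.alibaba.druid.util.JdbcConstants;

public final class OracleSqlSyntaxCheck {

    // Returns true when Druid's Oracle parser accepts the statement. A parser
    // failure here is the same condition WallFilter reports at runtime as
    // "sql injection violation, syntax error", so this check belongs in a
    // unit test for every hand-written query string.
    static boolean parsesAsOracle(String sql) {
        try {
            SQLUtils.parseStatements(sql, JdbcConstants.ORACLE);
            return true;
        } catch (ParserException e) {
            return false;
        }
    }

    // Constructed sample: ORDER BY inside the first UNION ALL branch, the
    // shape of the query in the question.
    static final String ORDER_BY_IN_BRANCH =
        "SELECT code_s AS code, creation_time AS creationTime FROM AT_AS_EM_Work_Order "
      + "WHERE order_status_s = '创建' AND executor_s = ? ORDER BY creation_time DESC "
      + "UNION ALL "
      + "SELECT code_s AS code, creation_time AS creationTime FROM AT_AS_EM_Work_Order "
      + "WHERE order_status_s = '创建' AND executor_s = ? ORDER BY creation_time DESC";

    // Constructed sample: one ORDER BY after the set operation, using the
    // result alias, with the bound parameters unchanged.
    static final String ORDER_BY_AFTER_UNION =
        "SELECT code_s AS code, creation_time AS creationTime FROM AT_AS_EM_Work_Order "
      + "WHERE order_status_s = '创建' AND executor_s = ? "
      + "UNION ALL "
      + "SELECT code_s AS code, creation_time AS creationTime FROM AT_AS_EM_Work_Order "
      + "WHERE order_status_s = '创建' AND executor_s = ? "
      + "ORDER BY creationTime DESC";

    public static void main(String[] args) {
        System.out.println("ORDER BY in branch parses:    " + parsesAsOracle(ORDER_BY_IN_BRANCH));
        System.out.println("ORDER BY after UNION parses:  " + parsesAsOracle(ORDER_BY_AFTER_UNION));
    }
}
```

Running this against the dialect the application actually uses (Oracle here, given `to_char` and `hh24:mi` in the question) turns the wall filter's runtime rejection into a failing test. Note that the `?` placeholders are the parameterization the answer recommends; the parser error is about statement structure, and binding values does not by itself make an unparseable statement acceptable to the filter.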