## A statistics query is flagged as SQL injection

haorizi posted on 2013/01/09 22:08

@wenshao After adding Wall, one statistics statement reports "sql injection violation"; before Wall was added the same statement ran fine. The SQL is as follows:

select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where {#condition#} group by DATE_FORMAT(staydate,'%Y-%m');

where {#condition#}: is there really no SQL injection at this point?


#### Quoting the answer from "wenshao"

select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where DATE_FORMAT(staydate,'%Y')= 2012 group by DATE_FORMAT(staydate,'%Y-%m');  What gets concatenated in is the year to be reported on.

#### Quoting the answer from "wenshao"

select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where DATE_FORMAT(staydate,'%Y')= 2012 group by DATE_FORMAT(staydate,'%Y-%m');  What gets concatenated in is the year to be reported on.

java.sql.SQLException: sql injection violation : select count(*) from (select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where  (DATE_FORMAT(staydate,'%Y')= ? )  group by DATE_FORMAT(staydate,'%Y-%m'))  tabletemp
at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:313)
at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:184)
Which version of druid?

druid-0.2.10. <property name="filters">stat,wall</property> The druid configuration follows the documentation exactly; no wall parameters were configured.

mysql5.5
mysql


V5. I'll test it shortly and report back. Also, you mentioned multiStatementAllow=true; that is a big risk! But in enterprise applications it is quite common for a single button click to execute several statements. For example, if the operation behind a button runs both an insert and an update, does that count as multi?
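As an added illustration (not code from the thread or from the Druid project), the snippet below runs Druid's wall provider directly against the statement discussed above and against a two-statement string, so the difference between "two separate statements" and a "multi-statement" becomes visible. It assumes a current Druid release on the classpath (the thread used druid-0.2.10, whose API may differ) and uses constructed table and column names taken from the thread.

```java
// Added example: exercising Druid's WallProvider directly to see which statements the
// wall flags. Assumes a current Druid release; the thread's druid-0.2.10 may differ.
import java.util.List;

import com.alibaba.druid.wall.Violation;
import com.alibaba.druid.wall.WallCheckResult;
import com.alibaba.druid.wall.WallConfig;
import com.alibaba.druid.wall.spi.MySqlWallProvider;

public class WallCheckDemo {

    // The thread's report query with the year bound as a parameter (constructed input).
    static final String REPORT_SQL =
        "select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum"
        + " from (select staydate,1 as a,0 as q from add_person"
        + " union all select quitdate,0 as a,1 as q from quit_person) t"
        + " where DATE_FORMAT(staydate,'%Y')= ? group by DATE_FORMAT(staydate,'%Y-%m')";

    // Two statements in ONE SQL string: this is what multiStatementAllow governs.
    static final String MULTI_SQL =
        "insert into add_person(staydate) values(?); update quit_person set quitdate = ?";

    // Run one statement through the wall and print the verdict plus any violations.
    static void report(String label, MySqlWallProvider provider, String sql) {
        WallCheckResult result = provider.check(sql);
        List<Violation> violations = result.getViolations();
        System.out.println(label + ": " + (violations.isEmpty() ? "allowed" : "rejected"));
        for (Violation v : violations) {
            System.out.println("  " + v.getMessage());
        }
    }

    public static void main(String[] args) {
        WallConfig strict = new WallConfig();            // defaults: multiStatementAllow=false
        MySqlWallProvider strictProvider = new MySqlWallProvider(strict);

        WallConfig permissive = new WallConfig();
        permissive.setMultiStatementAllow(true);         // the risky setting from the thread
        MySqlWallProvider permissiveProvider = new MySqlWallProvider(permissive);

        report("report query, default wall", strictProvider, REPORT_SQL);
        report("insert;update, default wall", strictProvider, MULTI_SQL);
        report("insert;update, multiStatementAllow=true", permissiveProvider, MULTI_SQL);
        // Executing the insert and the update as two separate PreparedStatements inside one
        // transaction is NOT a multi-statement: each string is checked on its own.
    }
}
```

The practical takeaway for the question above: a button that issues an insert and then an update as two PreparedStatement calls needs no multiStatementAllow; only a single SQL string containing a ';'-separated second statement does, and that is the pattern the wall blocks by default.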