A statistics statement flagged as SQL injection

haorizi posted on 2013/01/09 22:08
Views 2K+
Favorites 1

@wenshao After adding Wall, one statistics statement reports "sql injection violation"; before adding it the statement ran normally. The SQL is as follows:

select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where {#condition#} group by DATE_FORMAT(staydate,'%Y-%m');

0
wenshao
where {#condition#}: is there really no SQL injection at this spot?
haorizi
No, this is where the query condition is assembled. It is normal behaviour. How should it be handled?
0
wenshao
Post one of the assembled SQL statements so I can take a look.
0
haorizi

Quoting the answer from "wenshao"

Post one of the assembled SQL statements so I can take a look.
select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where DATE_FORMAT(staydate,'%Y')= 2012 group by DATE_FORMAT(staydate,'%Y-%m');  What gets concatenated in is the year to be counted.
0
wenshao

Quoting the answer from "haorizi"

Quoting the answer from "wenshao"

Post one of the assembled SQL statements so I can take a look.
select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where DATE_FORMAT(staydate,'%Y')= 2012 group by DATE_FORMAT(staydate,'%Y-%m');  What gets concatenated in is the year to be counted.
I just tested it: this SQL is not blocked. The one being blocked must be some other assembled SQL, and there may really be an injection risk. Post the SQL that was blocked when the error occurred!
0
haorizi

Quoting the answer from "wenshao"

Quoting the answer from "haorizi"

Quoting the answer from "wenshao"

Post one of the assembled SQL statements so I can take a look.
select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where DATE_FORMAT(staydate,'%Y')= 2012 group by DATE_FORMAT(staydate,'%Y-%m');  What gets concatenated in is the year to be counted.
I just tested it: this SQL is not blocked. The one being blocked must be some other assembled SQL, and there may really be an injection risk. Post the SQL that was blocked when the error occurred!
java.sql.SQLException: sql injection violation : select count(*) from (select DATE_FORMAT(staydate,'%m月') as month,sum(a) as addnum,sum(q) as quitnum from (select staydate,1 as a,0 as q from add_person union all select quitdate,0 as a,1 as q from quit_person) t where  (DATE_FORMAT(staydate,'%Y')= ? )  group by DATE_FORMAT(staydate,'%Y-%m'))  tabletemp
        at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:313)
        at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:184)
0
wenshao
Which version of druid?
0
wenshao
What does the configuration look like?
haorizi
druid-0.2.10. <property name="filters">stat,wall</property> The druid configuration follows the documentation exactly; no wall parameters were configured.
0
wenshao
Which database type?
haorizi
mysql5.5
haorizi
mysql
YANGL
Looking at how this SQL is written, it seems like MS SQL, hahaha
0
wenshao

Thanks for reporting this problem; it is a bug in the druid sql parser.

The problem has been fixed. Please download the latest (the last one) snapshot build and help test it: http://code.alibabatech.com/mvn/snapshots/com/alibaba/druid/0.2.11-SNAPSHOT/

The JIRA record is here: http://code.alibabatech.com/jira/browse/DRUID-194

haorizi
Awesome. I will test it shortly and report back. Also, you mentioned multiStatementAllow=true; that is very risky! But in enterprise applications it is quite common for clicking one button to execute several statements. For example, if the operation behind a button contains both an insert and an update, does that count as multi?
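On the closing question about multiStatementAllow, here is an added example (not code from the thread or from the Druid project) that assumes the current Druid API (WallFilter.setConfig/setDbType, WallConfig.setMultiStatementAllow, DruidDataSource.setProxyFilters; the 0.2.x releases in the thread may name things differently) and constructed column names person_id and status. It shows the insert and update behind one button run as two separate PreparedStatements in one transaction, which the wall accepts with multiStatementAllow left at false; only a single SQL string containing "stmt1; stmt2" would need that setting.

```java
import com.alibaba.druid.filter.Filter;
import com.alibaba.druid.pool.DruidDataSource;
import com.alibaba.druid.wall.WallConfig;
import com.alibaba.druid.wall.WallFilter;
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Collections;

public class PersonStatsDao {
    // Programmatic equivalent of filters=wall, with the wall kept strict:
    // one statement per execute call, no "stmt1; stmt2" batches.
    static DruidDataSource buildDataSource(String url, String user, String pass) {
        WallConfig cfg = new WallConfig();
        cfg.setMultiStatementAllow(false);   // the default, written out on purpose
        WallFilter wall = new WallFilter();
        wall.setDbType("mysql");
        wall.setConfig(cfg);
        DruidDataSource ds = new DruidDataSource();
        ds.setUrl(url);
        ds.setUsername(user);
        ds.setPassword(pass);
        ds.setProxyFilters(Collections.<Filter>singletonList(wall));
        return ds;
    }

    // One button, two statements: each is its own PreparedStatement on the same
    // connection inside one transaction. Neither string contains a ';', so this is
    // not a multi-statement SQL and the wall accepts it with multiStatementAllow=false.
    // Column names person_id and status are assumed; the thread does not show them.
    static void moveToQuit(DruidDataSource ds, long personId, Date quitDate) throws SQLException {
        try (Connection c = ds.getConnection()) {
            c.setAutoCommit(false);
            try (PreparedStatement ins = c.prepareStatement(
                     "insert into quit_person (person_id, quitdate) values (?, ?)");
                 PreparedStatement upd = c.prepareStatement(
                     "update add_person set status = 'quit' where person_id = ?")) {
                ins.setLong(1, personId); ins.setDate(2, quitDate); ins.executeUpdate();
                upd.setLong(1, personId); upd.executeUpdate();
                c.commit();
            } catch (SQLException e) { c.rollback(); throw e; }
        }
    }
}
```

The statistics query from the thread stays a single statement with the year bound as a `?` parameter, so it needs no change to this configuration once the parser fix is in.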