如何解决如何解决SQL Injection Veracode问题-CWE 564
@Override
public AssetLibraryReference selectALRefByName(String entityName,String name) throws Exception {
AssetLibraryReference returnRef = null;
String query = "from " + entityName + " where name = :name ";
try {
returnRef = sessionQueryUtil.doSessionQuery(session -> {
// queryStr.append("from " + entityName + " where name = :name ");
Query q = session.createquery(query);
q.setString("name",name);
return (AssetLibraryReference)q.uniqueResult();
});
} catch (HibernateException e) {
LOG.error ("Caught hibernate exception",e);
e.printstacktrace();
throw e;
} catch (Exception e) {
LOG.error("Caught Exception :"+e.getMessage());
e.printstacktrace();
throw e;
}
return returnRef;
}
我在Query q = session.createquery(query);
遇到Veracode扫描错误。谁能帮我解决这个问题。我在这里可以用来解决此问题。 veracode的问题ID是CWE 564。
解决方法
改为使用query.setParameter命名,以防止SQL注入
@Override
public AssetLibraryReference selectALRefByName(String entityName,String name) throws Exception {
AssetLibraryReference returnRef = null;
String query = "from " + entityName + " where name = :name ";
try {
returnRef = sessionQueryUtil.doSessionQuery(session -> {
// queryStr.append("from " + entityName + " where name = :name ");
Query q = session.createQuery(query);
q.setParameter("name",name);
return (AssetLibraryReference)q.uniqueResult();
});
} catch (HibernateException e) {
LOG.error ("Caught hibernate exception",e);
e.printStackTrace();
throw e;
} catch (Exception e) {
LOG.error("Caught Exception :"+e.getMessage());
e.printStackTrace();
throw e;
}
return returnRef;
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。