[Posted]: 2015-04-10 05:36:28
[Question]:
In Hibernate HQL, is it possible to delete a table or a database as a nested part of a select query?
For example,
select name,email,(delete from Group) from User where 1=1
or
select name,email,(drop table Group) from User where 1=1
or after the where clause:
select name,email from User where 1=1;drop table Group;
In the where-clause scenario, I get an error like this:
org.springframework.orm.hibernate3.HibernateQueryException: unexpected char: ';' [ FROM com.party.Group WHERE name = ? ORDER BY name ASC ;drop table User;]; nested exception is org.hibernate.QueryException: unexpected char: ';' [ FROM com.party.Group WHERE name = ? ORDER BY name ASC ;drop table User;]
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.hibernate.QueryException: unexpected char: ';' [ FROM com.verecloud.nimbus4.party.Group WHERE name = ? ORDER BY name ASC ;drop table User;]
... 24 more
The requirement is to check for possible SQL injection in select queries.
[Discussion]:
Tags: java mysql sql spring hibernate
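The practical defence the question is circling around is to keep user input out of the HQL text altogether and bind it as a parameter. The following is an added illustration, not code from the question or from Hibernate's documentation: it assumes a configured Hibernate 3 SessionFactory (obtained through a hypothetical HibernateUtil helper) and a mapped User entity with name and email properties, as in the question. It places the string-concatenated form next to the named-parameter form so the difference in where the input ends up is visible.

```java
import java.util.List;
import org.hibernate.Query;
import org.hibernate.QueryException;
import org.hibernate.Session;
import org.hibernate.SessionFactory;

/**
 * Added example (not from the question). Contrasts HQL built by string
 * concatenation, where caller-supplied input becomes part of the query text,
 * with named-parameter binding, where the input can only ever be a value.
 * Assumes a mapped User entity with 'name' and 'email' properties and a
 * hypothetical HibernateUtil.getSessionFactory() helper.
 */
public class HqlParameterBinding {

    /** UNSAFE: the input is spliced into the HQL string before parsing. */
    public static List<?> findByNameUnsafe(Session session, String name) {
        String hql = "select u.name, u.email from User u where u.name = '" + name + "'";
        return session.createQuery(hql).list();
    }

    /** SAFE: the query text is fixed; the value is bound after parsing. */
    public static List<?> findByNameSafe(Session session, String name) {
        Query q = session.createQuery(
            "select u.name, u.email from User u where u.name = :name");
        q.setParameter("name", name);
        return q.list();
    }

    public static void main(String[] args) {
        SessionFactory factory = HibernateUtil.getSessionFactory(); // hypothetical helper
        Session session = factory.openSession();
        try {
            // Ordinary input behaves the same in both variants.
            System.out.println(findByNameSafe(session, "alice"));

            // Input containing quotes or ';' (constructed sample) is treated as a
            // plain name value by the safe variant: no match, no error. In the
            // unsafe variant it becomes query text, which the HQL parser rejects
            // with a QueryException, as the stack trace in the question shows.
            String hostile = "x'; drop table Group; --";
            System.out.println(findByNameSafe(session, hostile)); // empty list
            try {
                findByNameUnsafe(session, hostile);
            } catch (QueryException e) {
                System.out.println("HQL parser rejected spliced input: " + e.getMessage());
            }
        } finally {
            session.close();
        }
    }
}
```

Two points the example relies on: HQL has no DDL, so drop table is never valid HQL, and its bulk delete/update statements exist only as top-level statements executed with executeUpdate(), not as subqueries inside a select. A parser error is therefore what the concatenated form produces for the inputs in the question, but the parser is not the control to rely on, because input such as a stray quote followed by an always-true condition still parses and changes the query's meaning. Binding the value with setParameter removes that whole class of problem regardless of what the input contains.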