Maximo where clause SQL Injection

Question

I am trying to write a Java customization that does a SQL query on the WORKORDER table using a where clause that a user can enter. However, this is super vulnerable to SQL injection. I know Maximo has some form of SQL where clause validation - users are allowed to enter where clauses in WOTRACK -> Advanced Query -> Where clause, and it seems from my experimenting that there is some sort of validation there to prevent SQL injection from happening. I am looking for a way to piggyback on Maximo's validation of user where clauses on the WORKORDER table, if one exists. Specifically looking for something in Maximo's Java classes that would accomplish this.
Answer 1

Score: 2

You may be interested in the psdi.common.parse.ParserService or psdi.mbo.SqlFormat classes. Check it out in Maximo's JavaDocs. There may be other classes, too, but those are good places to start. ParserService even has a checkSqlInjection(where) method.
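One way a customization could combine those two classes, as an added example written here and not code from the answer or from IBM: the user's clause goes through the parser's injection check and is then run through the MboSet layer rather than raw JDBC, so Maximo's own row-level restrictions still apply, while clauses the code builds itself are bound through SqlFormat. It assumes the parser service is looked up under the name "PARSER", that checkSqlInjection throws MXException when it rejects a clause, and the SqlFormat/MboSet signatures shown; confirm each against the JavaDocs for your Maximo version.

```java
import java.rmi.RemoteException;

import psdi.common.parse.ParserService;
import psdi.mbo.MboSetRemote;
import psdi.mbo.SqlFormat;
import psdi.security.UserInfo;
import psdi.server.MXServer;
import psdi.util.MXException;

public class WorkOrderQuery {

    // Run a user-entered where clause against WORKORDER. The clause is
    // validated by Maximo's parser first, and the query is executed through
    // an MboSet so the calling user's security restrictions are still applied.
    public static MboSetRemote queryWithUserWhere(UserInfo userInfo, String userWhere)
            throws MXException, RemoteException {
        MXServer server = MXServer.getMXServer();

        // Assumption: the parser service is registered under the name "PARSER".
        ParserService parser = (ParserService) server.lookup("PARSER");

        // Assumption: checkSqlInjection throws MXException on a rejected clause,
        // so an unsafe clause never reaches the MboSet below.
        parser.checkSqlInjection(userWhere);

        MboSetRemote woSet = server.getMboSet("WORKORDER", userInfo);
        woSet.setWhere(userWhere);
        woSet.reset();
        return woSet;
    }

    // When the customization builds the clause from known values, bind them
    // with SqlFormat placeholders instead of concatenating strings. Column
    // names are real WORKORDER attributes; the values are constructed samples.
    public static String whereForSite(String siteId) throws MXException, RemoteException {
        SqlFormat sqf = new SqlFormat("siteid = :1 and status = :2");
        sqf.setObject(1, "WORKORDER", "SITEID", siteId);
        sqf.setObject(2, "WORKORDER", "STATUS", "APPR");
        return sqf.format();
    }
}
```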