英文:
Conditional NULL check in prepared statement Sonar error
问题
我正在尝试在Java中编写一个准备好的语句,以有条件地过滤包含或不包含某个字段的行。然而,Sonar给我一个语法检查错误:这种使用java/sql/Connection.prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement; 可能会对SQL注入(使用JDBC)产生漏洞
。查询如下:
String query = "SELECT * from my_table t " +
"WHERE t.connection_id IS " + (connected ? "NOT " : "") + "NULL " +
(search.isEmpty() ? "" : "AND (t.source LIKE ?)");
PreparedStatement statement = connection.prepareStatement(query);
有趣的是,当我只有搜索条件时,我没有收到错误 - 所以我预期要么搜索和筛选两者都会出错,要么两者都不会出错。
我还尝试将第二行更改为:
"WHERE " + (connected ? "t.connection_id IS NOT NULL " : "t.connection_id IS NULL ") +
但没有改变。我是否漏掉了什么?是否有什么我可以做来修复错误,还是应该忽略它?
英文:
I'm trying to write a prepared statement in Java to conditionally filter for rows that contain or not a certain field. However, Sonar gives me a linter error: This use of java/sql/Connection.prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement; can be vulnerable to SQL injection (with JDBC)
. The query looks like this:
String query = "SELECT * from my_table t " +
"WHERE t.connection_id IS " + (connected ? "NOT " : "") + "NULL " +
(search.isEmpty() ? "" : "AND (t.source LIKE ?)");
PreparedStatement statement = connection.prepareStatement(query);
What's interesting is that I didn't get the error when I only had the search in place - so I expected to have the error for either both the search and the filter, or for neither of them.
I have tried also to change the second line to:
"WHERE " + (connected ? "t.connection_id IS NOT NULL " : "t.connection_id IS NULL ") +
but no change. Am I missing something? Is there something I can do to fix the error, or should I just ignore it?
答案1
得分: 1
Your query (as shown) is correct and is not actually vulnerable to SQL injection. That said, there are difficulties in writing a static code analyzer. It sees that you are building a SQL query and concatenating based on input which is THE classic marker for a SQL injection vulnerability.
This is one of those situations where it's probably easier just to refactor your code than to try to fix the tool. Tools like Sonar really are great and they find a lot of good stuff, but sometimes you get a false positive. I would NOT just ignore it ... you don't want to get in the habit of ignoring warnings about something like SQL Injection.
英文:
Your query (as shown) is correct and is not actually vulnerable to SQL injection. That said, there are difficulties in writing a static code analyzer. It sees that you are building a SQL query and concatenating based on input which is THE classic marker for a SQL injection vulnerability.
This is one of those situations where it's probably easier just to refactor your code than to try to fix the tool. Tools like Sonar really are great and they find a lot of good stuff, but sometimes you get a false positive. I would NOT just ignore it ... you don't want to get in the habit of ignoring warnings about something like SQL Injection.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论