本文介绍了如何安全注入参数到字符串DB查询java?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有这个bigQuery范例程式码:

I have this bigQuery example code:

List<TableRow> rows =
                executeQuery(
                        "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
                                + "FROM [publicdata:samples.shakespeare]",
                        bigquery,
                        PROJECT_ID);

如果我想将国家安全注入该字符串

If i want to safely inject the country to that string

我如何做到这一点?

我想避免sql注入的风险,这是有风险的:

I want to avoid the risk of sql injection and this is risky:

public void foo(String countryParam) {
    List<TableRow> rows =
                    executeQuery(
                            "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = '"+countryParam+"' " +
                                    + "FROM [publicdata:samples.shakespeare]",
                            bigquery,
                            PROJECT_ID);
}

更新

找不到Elliott Brossard建议的清楚例子:

couldn't find a clear example to Elliott Brossard suggestion:

public List<String> getVenuesForBrand(BrandChangeDataUi brandChangeDataUi) throws IOException {
    QueryParameter param = new QueryParameter();
    param.setName("country");
    param.setParameterValue(new QueryParameterValue().setValue("USA"));
    param.setParameterType(new QueryParameterType().setType("string"));

    List<QueryParameter> params =  new ArrayList<>();
    params.add(param);

    JobConfigurationQuery jobConfigurationQuery = new JobConfigurationQuery();
    jobConfigurationQuery.setQueryParameters(params);

    jobConfigurationQuery.setQuery( "SELECT TOP(corpus, 10) as title, COUNT(*) as unique_words Where country = 'USA' " +
                                    + "FROM [publicdata:samples.shakespeare]");



    List<TableRow> rows =
            executeQuery(
                    jobConfigurationQuery.toString(),
                    bigquery,
                    PROJECT_ID);

    printResults(rows);

    return null;
}


推荐答案

查看 queryParameters 下的。对于Java API,它们作为。请注意,查询参数只能使用。

这篇关于如何安全注入参数到字符串DB查询java?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-29 11:41