1. 程式人生 > >Druid 之 java.sql.SQLException: sql injection violation

Druid 之 java.sql.SQLException: sql injection violation

當我們在專案中使用了druid連線池進行資料來源的管理,並且配置瞭如下監控

spring.datasource.filters: stat,wall,log4j

在執行程式拼接的SQL時,xml中使用的是${sql}進行執行的,這種方式會報如下錯誤:

2018-07-08 15:09:04.826 [http-nio-7073-exec-1] ERROR o.a.c.c.C.[.[localhost].[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.jdbc.UncategorizedSQLException: 
### Error updating database.  Cause: java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.ast.statement.SQLCommentStatement not allow : COMMENT ON TABLE RULE_EXECUTE_PLAN IS '規則執行'
### SQL: COMMENT ON TABLE RULE_EXECUTE_PLAN IS '規則執行'
### Cause: java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.ast.statement.SQLCommentStatement not allow : COMMENT ON TABLE RULE_EXECUTE_PLAN IS '規則執行'
; uncategorized SQLException for SQL []; SQL state [null]; error code [0]; sql injection violation, class com.alibaba.druid.sql.ast.statement.SQLCommentStatement not allow : COMMENT ON TABLE RULE_EXECUTE_PLAN IS '規則執行'; nested exception is java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.ast.statement.SQLCommentStatement not allow : COMMENT ON TABLE RULE_EXECUTE_PLAN_201808 IS '規則執行計劃'] with root cause
這個錯誤告訴你,這種方式會造成SQL注入,當你又不得不用這種方式時,最簡單粗暴的方式就是將配置的wall去掉。