
It is recommended to change the jdbctemplate to NamedJdbcTemplate, avoid sql injection #9848

Open
@beijixing1745

Description


It is recommended to change the jdbctemplate to NamedJdbcTemplate.

1. jdbctemplate sets params by position; the query parameter has no value, resulting in the SQL statement not meeting the expectation.
2. NamedJdbcTemplate sets params; don't worry about the position of parameters in the sql statement. Using NamedJdbcTemplate can avoid sql injection.
3. Some sql parameters may cause sql injection through string + assignment,
like "SELECT data_id,group_id,tenant_id,datum_id,app_name,content FROM config_info_aggr WHERE data_id= ? AND "
+ "group_id= ? AND tenant_id= ? ORDER BY datum_id LIMIT " + startRow + "," + pageSize;
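As a worked illustration (added here by the editor; this is not code from the issue or from the Nacos project), the query quoted above is shown in its concatenated form beside a NamedParameterJdbcTemplate version that binds startRow and pageSize as parameters. The class, record and method names are assumptions made for the example, and the `LIMIT :startRow, :pageSize` syntax assumes MySQL (the embedded Derby storage would need `OFFSET ? ROWS FETCH NEXT ? ROWS ONLY`). One caveat a practitioner should keep in mind: what closes the injection is binding the paging values as parameters instead of splicing them into the SQL string; positional `?` placeholders bind just as safely as named ones, and if startRow and pageSize are primitive ints the concatenation cannot carry SQL at all, although binding them is still the correct shape.

```java
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

/** Example class (assumed name, not part of Nacos). */
public class ConfigInfoAggrQuery {

    // Constructed record for the columns the issue's query selects; not a Nacos class.
    public record ConfigInfoAggr(String dataId, String groupId, String tenantId,
                                 String datumId, String appName, String content) {}

    private static final RowMapper<ConfigInfoAggr> MAPPER = (rs, i) -> new ConfigInfoAggr(
            rs.getString("data_id"), rs.getString("group_id"), rs.getString("tenant_id"),
            rs.getString("datum_id"), rs.getString("app_name"), rs.getString("content"));

    private final JdbcTemplate jt;
    private final NamedParameterJdbcTemplate njt;

    public ConfigInfoAggrQuery(DataSource ds) {
        this.jt = new JdbcTemplate(ds);
        this.njt = new NamedParameterJdbcTemplate(ds);
    }

    // BEFORE: the shape quoted in the issue. data_id/group_id/tenant_id are bound
    // parameters, but the LIMIT clause is assembled by string concatenation. If the
    // paging values ever arrive as request-controlled strings they are spliced
    // straight into the statement (e.g. pageSize = "10 UNION SELECT ...").
    public List<ConfigInfoAggr> findPageConcat(String dataId, String groupId, String tenantId,
                                               String startRow, String pageSize) {
        String sql = "SELECT data_id,group_id,tenant_id,datum_id,app_name,content FROM config_info_aggr "
                + "WHERE data_id= ? AND group_id= ? AND tenant_id= ? ORDER BY datum_id LIMIT "
                + startRow + "," + pageSize;   // injection point: untrusted text inside the SQL
        return jt.query(sql, MAPPER, dataId, groupId, tenantId);
    }

    // AFTER: every value, including the paging bounds, is a bound parameter, so nothing
    // user-controlled is ever part of the SQL text. Named parameters also remove the
    // risk of getting the positional order wrong that the issue's first point describes.
    public List<ConfigInfoAggr> findPageNamed(String dataId, String groupId, String tenantId,
                                              int startRow, int pageSize) {
        if (startRow < 0 || pageSize <= 0) {
            throw new IllegalArgumentException("invalid paging bounds");
        }
        String sql = "SELECT data_id,group_id,tenant_id,datum_id,app_name,content FROM config_info_aggr "
                + "WHERE data_id= :dataId AND group_id= :groupId AND tenant_id= :tenantId "
                + "ORDER BY datum_id LIMIT :startRow, :pageSize";   // MySQL LIMIT syntax assumed
        MapSqlParameterSource params = new MapSqlParameterSource()
                .addValue("dataId", dataId)
                .addValue("groupId", groupId)
                .addValue("tenantId", tenantId)
                .addValue("startRow", startRow)
                .addValue("pageSize", pageSize);
        return njt.query(sql, params, MAPPER);
    }
}
```

Typed `int` parameters for startRow and pageSize are part of the fix: the bound-parameter path forces the paging values to be integers at the API boundary, and the range check rejects negative or zero bounds before they reach the database.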
