PreparedStatement를 사용하여 SQL 주입을 방지할 때 전체 SQL 문장을 출력합니다
이유:
PreparedStatement 인터페이스는 바인딩된 값이 채워진 완성된 SQL 문장을 직접 출력하는 방법을 제공하지 않기 때문에, 여기서 비교적 실용적인 클래스를 찾았습니다. 한 번 작성해 두면 계속 재사용할 수 있습니다. 구체적인 코드는 다음과 같습니다.
코드:
특히 앞부분의 몇 가지 메서드에 주의하십시오. PreparedStatement 인터페이스를 구현하여 그 안의 모든 메서드를 감싼 실제 statement로 그대로 위임하고, 빠진 메서드가 있으면 IDE의 자동 생성 기능으로 추가하면 됩니다.
import java.io.InputStream;
import java.io.Reader;
import java.math.BigDecimal;
import java.net.URL;
import java.sql.Array;
import java.sql.Blob;
import java.sql.Clob;
import java.sql.Connection;
import java.sql.Date;
import java.sql.NClob;
import java.sql.ParameterMetaData;
import java.sql.PreparedStatement;
import java.sql.Ref;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.RowId;
import java.sql.SQLException;
import java.sql.SQLWarning;
import java.sql.SQLXML;
import java.sql.Time;
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.List;
import java.util.Objects;
/**
*
* :CFR
* :LoggableStatement
* : PreparedStatement, sql , sql
* :2010-6-22 10:47:39
* @version 1.0
* @author zhh
* *
*/
public class LoggableStatement implements PreparedStatement {
/** used for storing parameter values needed for producing log */
private ArrayList parameterValues;
/** the query string with question marks as parameter placeholders */
private String sqlTemplate;
/** a statement created from a real database connection */
private PreparedStatement wrappedStatement;
public LoggableStatement(Connection connection, String sql)
throws SQLException {
// use connection to make a prepared statement
wrappedStatement = connection.prepareStatement(sql);
sqlTemplate = sql;
parameterValues = new ArrayList();
}
private void saveQueryParamValue(int position, Object obj) {
String strValue;
if (obj instanceof String || obj instanceof Date) {
// if we have a String, include '' in the saved value
strValue = "'" + obj + "'";
} else {
if (obj == null) {
// convert null to the string null
strValue = "null";
} else {
// unknown object (includes all Numbers), just call toString
strValue = obj.toString();
}
}
// if we are setting a position larger than current size of
// parameterValues, first make it larger
while (position >= parameterValues.size()) {
parameterValues.add(null);
}
// save the parameter
parameterValues.set(position, strValue);
}
// ArrayList sql , sql
public String getQueryString() {
int len = sqlTemplate.length();
StringBuffer t = new StringBuffer(len * 2);
if (parameterValues != null) {
int i = 1, limit = 0, base = 0;
while ((limit = sqlTemplate.indexOf('?', limit)) != -1) {
t.append(sqlTemplate.substring(base, limit));
t.append(parameterValues.get(i));
i++;
limit++;
base = limit;
}
if (base < len) {
t.append(sqlTemplate.substring(base));
}
}
return t.toString();
}
public void addBatch() throws SQLException {
wrappedStatement.addBatch();
}
public void clearParameters() throws SQLException {
wrappedStatement.clearParameters();
}
public boolean execute() throws SQLException {
return wrappedStatement.execute();
}
public ResultSet executeQuery() throws SQLException {
return wrappedStatement.executeQuery();
}
public int executeUpdate() throws SQLException {
return wrappedStatement.executeUpdate();
}
public ResultSetMetaData getMetaData() throws SQLException {
return wrappedStatement.getMetaData();
}
public ParameterMetaData getParameterMetaData() throws SQLException {
return wrappedStatement.getParameterMetaData();
}
public void setArray(int i, Array x) throws SQLException {
wrappedStatement.setArray(i, x);
saveQueryParamValue(i, x);
}
public void setAsciiStream(int parameterIndex, InputStream x, int length)
throws SQLException {
wrappedStatement.setAsciiStream(parameterIndex, x, length);
saveQueryParamValue(parameterIndex, x);
}
public void setBigDecimal(int parameterIndex, BigDecimal x)
throws SQLException {
wrappedStatement.setBigDecimal(parameterIndex, x);
saveQueryParamValue(parameterIndex, x);
}
public void setBinaryStream(int parameterIndex, InputStream x, int length)
throws SQLException {
wrappedStatement.setBinaryStream(parameterIndex, x, length);
saveQueryParamValue(parameterIndex, x);
}
public void setBlob(int i, Blob x) throws SQLException {
wrappedStatement.setBlob(i, x);
saveQueryParamValue(i, x);
}
public void setBoolean(int parameterIndex, boolean x) throws SQLException {
wrappedStatement.setBoolean(parameterIndex, x);
saveQueryParamValue(parameterIndex, new Boolean(x));
}
public void setByte(int parameterIndex, byte x) throws SQLException {
wrappedStatement.setByte(parameterIndex, x);
saveQueryParamValue(parameterIndex, new Byte(x));
}
public void setBytes(int parameterIndex, byte[] x) throws SQLException {
wrappedStatement.setBytes(parameterIndex, x);
saveQueryParamValue(parameterIndex, x);
}
public void setCharacterStream(int parameterIndex, Reader reader, int length)
throws SQLException {
wrappedStatement.setCharacterStream(parameterIndex, reader, length);
saveQueryParamValue(parameterIndex, reader);
}
public void setClob(int i, Clob x) throws SQLException {
wrappedStatement.setClob(i, x);
saveQueryParamValue(i, x);
}
public void setDate(int parameterIndex, Date x) throws SQLException {
wrappedStatement.setDate(parameterIndex, x);
saveQueryParamValue(parameterIndex, x);
}
public void setDate(int parameterIndex, Date x, Calendar cal)
throws SQLException {
wrappedStatement.setDate(parameterIndex, x, cal);
saveQueryParamValue(parameterIndex, x);
}
public void setDouble(int parameterIndex, double x) throws SQLException {
wrappedStatement.setDouble(parameterIndex, x);
saveQueryParamValue(parameterIndex, new Double(x));
}
public void setFloat(int parameterIndex, float x) throws SQLException {
wrappedStatement.setFloat(parameterIndex, x);
saveQueryParamValue(parameterIndex, new Float(x));
}
public void setInt(int parameterIndex, int x) throws SQLException {
wrappedStatement.setInt(parameterIndex, x);
saveQueryParamValue(parameterIndex, new Integer(x));
}
public void setLong(int parameterIndex, long x) throws SQLException {
wrappedStatement.setLong(parameterIndex, x);
saveQueryParamValue(parameterIndex, new Long(x));
}
public void setNull(int parameterIndex, int sqlType) throws SQLException {
wrappedStatement.setNull(parameterIndex, sqlType);
saveQueryParamValue(parameterIndex, new Integer(sqlType));
}
public void setNull(int paramIndex, int sqlType, String typeName)
throws SQLException {
wrappedStatement.setNull(paramIndex, sqlType, typeName);
saveQueryParamValue(paramIndex, new Integer(sqlType));
}
public void setObject(int parameterIndex, Object x) throws SQLException {
wrappedStatement.setObject(parameterIndex, x);
saveQueryParamValue(parameterIndex, x);
}
public void setObject(int parameterIndex, Object x, int targetSqlType)
throws SQLException {
wrappedStatement.setObject(parameterIndex, x, targetSqlType);
saveQueryParamValue(parameterIndex, x);
}
public void setObject(int parameterIndex, Object x, int targetSqlType,
int scale) throws SQLException {
wrappedStatement.setObject(parameterIndex, x, targetSqlType, scale);
saveQueryParamValue(parameterIndex, x);
}
public void setRef(int i, Ref x) throws SQLException {
wrappedStatement.setRef(i, x);
saveQueryParamValue(i, x);
}
public void setShort(int parameterIndex, short x) throws SQLException {
wrappedStatement.setShort(parameterIndex, x);
saveQueryParamValue(parameterIndex, new Short(x));
}
public void setString(int parameterIndex, String x) throws SQLException {
wrappedStatement.setString(parameterIndex, x);
saveQueryParamValue(parameterIndex, x);
}
public void setTime(int parameterIndex, Time x) throws SQLException {
wrappedStatement.setTime(parameterIndex, x);
saveQueryParamValue(parameterIndex, x);
}
public void setTime(int parameterIndex, Time x, Calendar cal)
throws SQLException {
wrappedStatement.setTime(parameterIndex, x, cal);
saveQueryParamValue(parameterIndex, x);
}
public void setTimestamp(int parameterIndex, Timestamp x)
throws SQLException {
wrappedStatement.setTimestamp(parameterIndex, x);
saveQueryParamValue(parameterIndex, x);
}
public void setTimestamp(int parameterIndex, Timestamp x, Calendar cal)
throws SQLException {
wrappedStatement.setTimestamp(parameterIndex, x, cal);
saveQueryParamValue(parameterIndex, x);
}
public void setURL(int parameterIndex, URL x) throws SQLException {
wrappedStatement.setURL(parameterIndex, x);
saveQueryParamValue(parameterIndex, x);
}
public void setUnicodeStream(int parameterIndex, InputStream x, int length)
throws SQLException {
wrappedStatement.setUnicodeStream(parameterIndex, x, length);
saveQueryParamValue(parameterIndex, x);
}
public void addBatch(String sql) throws SQLException {
wrappedStatement.addBatch(sql);
}
public void cancel() throws SQLException {
wrappedStatement.cancel();
}
public void clearBatch() throws SQLException {
wrappedStatement.clearBatch();
}
public void clearWarnings() throws SQLException {
wrappedStatement.clearWarnings();
}
public void close() throws SQLException {
wrappedStatement.close();
}
public boolean execute(String sql) throws SQLException {
return wrappedStatement.execute(sql);
}
public boolean execute(String sql, int autoGeneratedKeys)
throws SQLException {
return wrappedStatement.execute(sql, autoGeneratedKeys);
}
public boolean execute(String sql, int[] columnIndexes) throws SQLException {
return wrappedStatement.execute(sql, columnIndexes);
}
public boolean execute(String sql, String[] columnNames)
throws SQLException {
return wrappedStatement.execute(sql, columnNames);
}
public int[] executeBatch() throws SQLException {
return wrappedStatement.executeBatch();
}
public ResultSet executeQuery(String sql) throws SQLException {
return wrappedStatement.executeQuery(sql);
}
public int executeUpdate(String sql) throws SQLException {
return wrappedStatement.executeUpdate(sql);
}
public int executeUpdate(String sql, int autoGeneratedKeys)
throws SQLException {
return wrappedStatement.executeUpdate(sql, autoGeneratedKeys);
}
public int executeUpdate(String sql, int[] columnIndexes)
throws SQLException {
return wrappedStatement.executeUpdate(sql, columnIndexes);
}
public int executeUpdate(String sql, String[] columnNames)
throws SQLException {
return wrappedStatement.executeUpdate(sql, columnNames);
}
public Connection getConnection() throws SQLException {
return wrappedStatement.getConnection();
}
public int getFetchDirection() throws SQLException {
return wrappedStatement.getFetchDirection();
}
public int getFetchSize() throws SQLException {
return wrappedStatement.getFetchSize();
}
public ResultSet getGeneratedKeys() throws SQLException {
return wrappedStatement.getGeneratedKeys();
}
public int getMaxFieldSize() throws SQLException {
return wrappedStatement.getMaxFieldSize();
}
public int getMaxRows() throws SQLException {
return wrappedStatement.getMaxRows();
}
public boolean getMoreResults() throws SQLException {
return wrappedStatement.getMoreResults();
}
public boolean getMoreResults(int current) throws SQLException {
return wrappedStatement.getMoreResults(current);
}
public int getQueryTimeout() throws SQLException {
return wrappedStatement.getQueryTimeout();
}
public ResultSet getResultSet() throws SQLException {
return wrappedStatement.getResultSet();
}
public int getResultSetConcurrency() throws SQLException {
return wrappedStatement.getResultSetConcurrency();
}
public int getResultSetHoldability() throws SQLException {
return wrappedStatement.getResultSetHoldability();
}
public int getResultSetType() throws SQLException {
return wrappedStatement.getResultSetType();
}
public int getUpdateCount() throws SQLException {
return wrappedStatement.getUpdateCount();
}
public SQLWarning getWarnings() throws SQLException {
return wrappedStatement.getWarnings();
}
public void setCursorName(String name) throws SQLException {
wrappedStatement.setCursorName(name);
}
public void setEscapeProcessing(boolean enable) throws SQLException {
wrappedStatement.setEscapeProcessing(enable);
}
public void setFetchDirection(int direction) throws SQLException {
wrappedStatement.setFetchDirection(direction);
}
public void setFetchSize(int rows) throws SQLException {
wrappedStatement.setFetchSize(rows);
}
public void setMaxFieldSize(int max) throws SQLException {
wrappedStatement.setMaxFieldSize(max);
}
public void setMaxRows(int max) throws SQLException {
wrappedStatement.setMaxFieldSize(max);
}
public void setQueryTimeout(int seconds) throws SQLException {
wrappedStatement.setQueryTimeout(seconds);
}
public void setAsciiStream(int parameterIndex, InputStream x)
throws SQLException {
// TODO Auto-generated method stub
}
public void setAsciiStream(int parameterIndex, InputStream x, long length)
throws SQLException {
// TODO Auto-generated method stub
}
public void setBinaryStream(int parameterIndex, InputStream x)
throws SQLException {
// TODO Auto-generated method stub
}
public void setBinaryStream(int parameterIndex, InputStream x, long length)
throws SQLException {
// TODO Auto-generated method stub
}
public void setBlob(int parameterIndex, InputStream inputStream)
throws SQLException {
// TODO Auto-generated method stub
}
public void setBlob(int parameterIndex, InputStream inputStream, long length)
throws SQLException {
// TODO Auto-generated method stub
}
public void setCharacterStream(int parameterIndex, Reader reader)
throws SQLException {
// TODO Auto-generated method stub
}
public void setCharacterStream(int parameterIndex, Reader reader,
long length) throws SQLException {
// TODO Auto-generated method stub
}
public void setClob(int parameterIndex, Reader reader) throws SQLException {
// TODO Auto-generated method stub
}
public void setClob(int parameterIndex, Reader reader, long length)
throws SQLException {
// TODO Auto-generated method stub
}
public void setNCharacterStream(int parameterIndex, Reader value)
throws SQLException {
// TODO Auto-generated method stub
}
public void setNCharacterStream(int parameterIndex, Reader value,
long length) throws SQLException {
// TODO Auto-generated method stub
}
public void setNClob(int parameterIndex, NClob value) throws SQLException {
// TODO Auto-generated method stub
}
public void setNClob(int parameterIndex, Reader reader) throws SQLException {
// TODO Auto-generated method stub
}
public void setNClob(int parameterIndex, Reader reader, long length)
throws SQLException {
// TODO Auto-generated method stub
}
public void setNString(int parameterIndex, String value)
throws SQLException {
// TODO Auto-generated method stub
}
public void setRowId(int parameterIndex, RowId x) throws SQLException {
// TODO Auto-generated method stub
}
public void setSQLXML(int parameterIndex, SQLXML xmlObject)
throws SQLException {
// TODO Auto-generated method stub
}
public boolean isClosed() throws SQLException {
// TODO Auto-generated method stub
return false;
}
public boolean isPoolable() throws SQLException {
// TODO Auto-generated method stub
return false;
}
public void setPoolable(boolean poolable) throws SQLException {
// TODO Auto-generated method stub
}
public boolean isWrapperFor(Class> iface) throws SQLException {
// TODO Auto-generated method stub
return false;
}
public T unwrap(Class iface) throws SQLException {
// TODO Auto-generated method stub
return null;
}
}
호출 및 출력:
다음 코드를 호출할 때 핵심은 바로
ps = conn.prepareStatement(sql);
을(를) 다음과 같이 바꾸는 것입니다:
ps = new LoggableStatement(conn,sql);
그런 다음 SQL의 자리 표시자(?)에 필요한 값을 바인딩하고, 콘솔에 출력하여 완성된 SQL 문장을 확인합니다. 코드의 실행 결과는 이전과 같고, 완성된 SQL 문장이 추가로 출력될 뿐입니다.
출력:
// Diagnostic only: the rendered text carries the bound values verbatim and is never executed.
System.out.println("Executing SQL: "+((LoggableStatement)ps).getQueryString());
// Usage example. The only change from the plain JDBC version is the statement
// construction on the line marked "1." below; binding and execution are unchanged.
// The column names (INFECTION_NAME, INFECTION_PHONE, INFECTION_IDSN, INFECTION_ADDR ...)
// suggest the row carries personal data, so the rendered statement printed at "2."
// should go to a log sink and level appropriate for such data.
Connection conn = null;
PreparedStatement ps = null;
ResultSet rs = null;
JdbcProp jp = new JdbcProp();
try{
// The SQL keeps its '?' placeholders; values are bound through the driver, never concatenated.
String sql = " insert into someInfection_list (INFECTION_ID, INFECTION_CARDID, INFECTION_HOSADDRCODE, INFECTION_CARDSN, "
+" INFECTION_NAME, INFECTION_PARENTNAME, INFECTION_SEX, INFECTION_PHONE, INFECTION_IDSN, INFECTION_ORG,"
+" INFECTION_ADDR, INFECTION_ADDRCODE, INFECTION_ADDRTYPE, INFECTION_PERSONTYPE, INFECTION_TAKENDATE,"
+" INFECTION_DIAGNOSEDATE, INFECTION_DEADDATE, INFECTION_TYPE, INFECTION_DOCTOR, INFECTION_INFECTIONTYPE,"
+" infection_infectionsn, infection_zhongshendate, INFECTION_USERID, INFECTION_MEMO, INFECTION_BIRTHDAY,"
+" INFECTION_DOCTORFILLDATE , infection_oldcardid, INFECTION_CARDCREATEDDATE, infection_xianshen,"
+" infection_shishen, infection_shengshen, INFECTION_DELETEDATE, INFECTION_REPORTORG, INFECTION_ORGTYPE,"
+" INFECTION_REPAIRDATE, infection_flag, infection_datasource, infection_firstinfection) "
+" values "
+"(sys_guid(),?,?,?,?,?,?,?,?,?, " // placeholders 1-9 (10 columns, the first is generated by sys_guid())
+"?,?,?,?,to_date(?,'yyyy-mm-dd hh24:mi:ss'),to_date(?,'yyyy-mm-dd hh24:mi:ss'),to_date(?,'yyyy-mm-dd hh24:mi:ss'),?,?,?, "
+"?, to_date(?,'yyyy-mm-dd hh24:mi:ss'),?,?,to_date(?,'yyyy-mm-dd hh24:mi:ss')," // up to placeholder 24 (column 25)
+"to_date(?,'yyyy-mm-dd hh24:mi:ss'),?,to_date(?,'yyyy-mm-dd hh24:mi:ss'),to_date(?,'yyyy-mm-dd hh24:mi:ss'),to_date(?,'yyyy-mm-dd hh24:mi:ss'), "
+"?,to_date(?,'yyyy-mm-dd hh24:mi:ss'),?,?,to_date(?,'yyyy-mm-dd hh24:mi:ss'),?,?,?)";
conn = jp.getConn();
// ps = conn.prepareStatement(sql);
ps = new LoggableStatement(conn,sql); // 1. wrap the statement instead of calling conn.prepareStatement(sql) directly
ps.setString(1, paras[0]); // bind values exactly as with a plain PreparedStatement
...
...
System.out.println("Executing SQL: "+((LoggableStatement)ps).getQueryString()); // 2. rendered text is for the log only; it is never executed
ps.executeUpdate();
} catch (SQLException e) {
// NOTE(review): prints and swallows, so the caller cannot tell that the insert failed;
// ps/conn/rs are also not closed here or in a finally block.
e.printStackTrace();
}
다음은 제가 직접 작성한 코드와 실행 결과 화면입니다.
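/**
 * Runs a parameterised query, binding {@code params} in order to the '?' placeholders of
 * {@code sql}, and prints the rendered statement before executing it.
 *
 * <p>The values are bound through the driver as real parameters; the printed text is a
 * diagnostic rendering only and is never executed. The caller owns the returned
 * {@link ResultSet} and must close it; the statement that produced it stays open for as
 * long as the result set is in use (presumably reachable via {@code rs.getStatement()} —
 * verify against the driver in use).
 *
 * @param sql the query text with '?' placeholders
 * @param params values for the placeholders, in order; {@code null} is treated as no parameters
 * @return the query's result set
 * @throws SQLException if preparing, binding or executing the statement fails; the
 *     statement is closed before the exception propagates
 */
public ResultSet executeQuery(String sql, Object... params) throws SQLException {
    Object[] values = params == null ? new Object[0] : params;
    // conn: the Connection field of the enclosing class
    LoggableStatement pstmt = new LoggableStatement(conn, sql);
    try {
        for (int i = 0; i < values.length; i++) {
            pstmt.setObject(i + 1, values[i]); // JDBC parameter positions are 1-based
        }
        // Diagnostic only; the rendered text contains the bound values verbatim.
        System.out.println("Executing SQL: " + pstmt.getQueryString());
        return pstmt.executeQuery();
    } catch (SQLException e) {
        // No ResultSet reaches the caller, so the statement would otherwise leak.
        try {
            pstmt.close();
        } catch (SQLException ignored) {
            // the original failure is the one worth reporting
        }
        throw e;
    }
}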