I have a search table, where the user can filter the results with a filter of type:
- [name], value [john], remove rule
- area [nickname], value [blake], remove rule
- Add rule
- fields [children], value [yes], remove rule < Li> add rule
then the user can set an arbitrary filter Which will inevitably result in a fully dynamic WHERE clause. In the future, I will have to apply more complicated logical expressions, like
where (name = John or name = nick) and (alias = black or nickname = bourne),
all Whether 10 fields can not be filtered by the user or not, I do not know how many filters the user will filter and which filters. Therefore, I can not use the prepared statement (which believes at least we know the field in the block). This is the reason that the prepared statement is unfortunately out of the question, I have to do it with plain old, generated SQL.
What can I do to remedy the application of SQL injection (REEGX-wise or any other way)?
Java, unchecked.
list & lt; String & gt; Clause = New Arrestist & lt; String & gt; (); & Lt; String & gt; Binds = New Arrestist & lt; String & gt; (); If (request.name! = Null) {binds.add (request.name); Clauses.add ("NAME =?"); } If (request.city! = Null) {binds.add (request.city); Clauses.add ("city =?"); } ... string where clause = ""; (String clause: clause) {if (whereClause.length ()> gt; {whereClause = whereClause + "and"; } Where = where clause + clause; } String sql = "select- where from table" + is where; Created place ps = con.prepareStatment (sql); Int col = 1; (String bind: binds) {ps.setString (col ++, bind); } Results set rs = ps.executeQuery (); 
Comments
Post a Comment