Problem: iBATIS and SQL Injection with Fortify

I have a problem. First, I have this code:

update $table$ set expanded = #expanded# where name = #identificativo#

My problem is the Fortify tool, because it says that I have to use # and not $. But if I use #table# or #table[]#, the point of my application where I use this id doesn't start.


I don't know the Fortify tool, but I know that in this case it is wrong. Using $table$ is an acceptable way of modifying SQL using iBATIS, i.e. the replacement value gets substituted into the actual SQL generated rather than added as a parameter.

As far as I know this is the only way of using dynamic table names.

Edit: Just checked the Fortify tool and found this. What they are worried about is SQL injection. Read the page for more information.

What you need to do is just make sure that the value that is getting passed in by the code as the "table" parameter does not come from the user, i.e. no user of the system would be able to modify the table parameter at all.
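As an added illustration (not code from the question or the answer, and not iBATIS's own code): a hypothetical `SafeTableUpdate` helper that restricts the value spliced in via `$table$` to a fixed allowlist, and a small stand-in `render` method that mimics how iBATIS treats `$x$` (text substitution) versus `#x#` (a `?` bind placeholder), which is why `#table#` produces SQL the database cannot run. The table names, the statement id `updateExpanded` and the class name are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: only developer-chosen table names may reach the $table$ substitution. */
public final class SafeTableUpdate {

    // Constructed allowlist: the only tables this statement is ever allowed to name.
    private static final Set<String> ALLOWED_TABLES = Set.of("tree_nodes", "menu_items");

    /** Returns the table name only if it is one of the fixed, non-user-controlled names. */
    public static String requireAllowedTable(String table) {
        if (table == null || !ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not in allowlist: " + table);
        }
        return table;
    }

    /** Parameter map as it would be passed to e.g. sqlMapClient.update("updateExpanded", params). */
    public static Map<String, Object> buildParams(String table, boolean expanded, String id) {
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("table", requireAllowedTable(table)); // spliced into the SQL text via $table$
        params.put("expanded", expanded);                // bound via #expanded#
        params.put("identificativo", id);                // bound via #identificativo#
        return params;
    }

    /** Stand-in for iBATIS: $x$ is copied into the SQL text, #x# becomes a '?' placeholder. */
    public static String render(String statement, Map<String, Object> params) {
        Matcher m = Pattern.compile("\\$(\\w+)\\$|#(\\w+)#").matcher(statement);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String repl = m.group(1) != null ? String.valueOf(params.get(m.group(1))) : "?";
            m.appendReplacement(out, Matcher.quoteReplacement(repl));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        String stmt = "update $table$ set expanded = #expanded# where name = #identificativo#";
        Map<String, Object> ok = buildParams("tree_nodes", true, "root");
        System.out.println(render(stmt, ok)); // update tree_nodes set expanded = ? where name = ?
        // With #table# the name becomes bound data, so the SQL text is "update ? set ...": invalid.
        System.out.println(render("update #table# set expanded = #expanded#", ok));
        try {
            buildParams("users", true, "root"); // not on the allowlist, so it is rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the allowlist is a compile-time constant, the string reaching `$table$` can never be chosen by a user, which is the property the answer asks for; a scanner flagging the `$` substitution should then be reviewed against this check rather than by switching to `#`.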
