Problem Ibatis and SqlIjection with Fotify
I have a problem. For first I have this code:
update $table$ set expanded = #expanded# where name = #identificativo#
My problem is the Fortify tool, because, 开发者_StackOverflow社区it says that I have to use # and not $. But, if I use #table# or #table[]# , the point of my application where I use this id, doesn't start.
I don't know the Fortify tool, but I know that in this case it is wrong. Using $table$ is an acceptable way of modifying SQL using iBATIS, i.e. the replacement value will get replaced in the actual SQL generated rather than added as a parameter.
As far as I know this is the only way of using dynamic table names.
Edit: Just checked the Fortify tool and found this. What they are worried about is SQL injection. Read the page for more information.
What you need to do is just make sure that the value that is getting passed in by the code as the "table" parameter does not come from the user, i.e. any user of the system would not be able to modify the table parameter at all.
精彩评论