Updated: 2023-09-07 09:39:40
.save() is safe; only the usage of native queries is vulnerable.
// Vulnerable: the user-supplied name is concatenated straight into the SQL text
List results = entityManager.createNativeQuery("Select * from Customer where name = '" + name + "'").getResultList();
You can also make native queries safe if you use parameters.
// Safe: the value is bound as a parameter and is never parsed as part of the SQL
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();
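The answer above shows the vulnerable and the parameterized native query but not what an attacker actually does with the difference. The following is an added example, not code from the answer or from any JPA project: it reproduces the same two queries against an in-memory SQLite database with Python's standard sqlite3 module (a stand-in for JPA's EntityManager so it runs offline), with a constructed Customer table, the classic `' OR '1'='1` payload, and a legitimate name containing an apostrophe. It shows that concatenation leaks every row to the payload and breaks on the legitimate name, while parameter binding does neither. Table and row contents, the payload string and the function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data, stands in for the Customer entity of the answer.
SAMPLE_CUSTOMERS = ["John Doe", "Jane Roe", "Bob Smith", "O'Brien"]

# Classic tautology payload: closes the string literal and appends an always-true OR.
INJECTION_PAYLOAD = "' OR '1'='1"


def new_db():
    """Create an in-memory database with a Customer table (stand-in for the JPA entity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Customer (name) VALUES (?)", [(n,) for n in SAMPLE_CUSTOMERS])
    return conn


def find_by_name_concatenated(conn, name):
    """Equivalent of the vulnerable createNativeQuery("... where name = '" + name + "'")."""
    sql = "SELECT name FROM Customer WHERE name = '" + name + "'"
    # The database parser sees whatever the caller put into `name` as SQL text.
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Equivalent of the safe createNativeQuery("... where name = ?").setParameter(1, name)."""
    sql = "SELECT name FROM Customer WHERE name = ?"
    # The value travels separately from the SQL text; it is compared, never parsed.
    return [row[0] for row in conn.execute(sql, (name,))]


def run_demo():
    """Run both query styles against the payload and a legitimate quoted name."""
    conn = new_db()
    results = {
        # Concatenation: WHERE name = '' OR '1'='1'  -> every row comes back
        "concatenated_payload": find_by_name_concatenated(conn, INJECTION_PAYLOAD),
        # Binding: looks for a customer literally named ' OR '1'='1 -> nothing
        "bound_payload": find_by_name_bound(conn, INJECTION_PAYLOAD),
        # Binding handles a real apostrophe in the data without any escaping
        "bound_legit_quote": find_by_name_bound(conn, "O'Brien"),
    }
    try:
        # Concatenation turns O'Brien into  name = 'O'Brien'  -> SQL syntax error
        results["concatenated_legit_quote"] = find_by_name_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["concatenated_legit_quote"] = "error: " + str(exc)
    conn.close()
    return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label}: {value}")
```

The second failure mode matters as much as the first: code that "works" with concatenation usually works only until the first customer with an apostrophe in their name, so the parameterized form is the correct one even before security is considered.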