Updated: 2022-01-14 00:11:36
This is a false alarm, you're doing it the right way.
There are frameworks that can help you with this (e.g. Spring's NamedParameterJdbcTemplate), but they basically do the same thing under the hood.
The static analyzer is probably catching the fact you're building your query by concatenating strings, or that the size of input is somehow involved, and flagging it as a danger (only guessing here).
On a side note, a potential problem that however has nothing to do with SQL injection is that you can only use a certain number (DB-dependent) of those parameters - AFAIK the limit's 1000 in Oracle, about 2000 in Teradata, not sure about others. If you need to put many values in that IN clause, you'll need to use a different approach like using a temporary table or performing the query in smaller batches and merging the results in Java.
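As an added illustration (not part of the original answer, and written in Python against the standard-library sqlite3 module rather than the JDBC the question concerns, since the pattern is identical), the following shows the placeholder-building the answer calls a false alarm next to the batching workaround for the bind-parameter cap. The `users` table, the `MAX_PARAMS` value, the `select_users_by_ids` helper and the injected-looking id value are all constructed for this example.

```python
import sqlite3
from typing import Iterable, Sequence

# Cap on bind parameters per statement. Hypothetical setting: the answer cites
# roughly 1000 for Oracle and 2000 for Teradata, so treat it as DB-specific config.
MAX_PARAMS = 1000


def build_in_clause(column: str, count: int) -> str:
    """Return '<column> IN (?, ?, ...)' with exactly `count` placeholders.

    Only the placeholders are concatenated into the SQL text; the values are
    bound separately, so this is still a parameterised query even though a
    static analyser sees string building.  `column` must come from code, never
    from user input: identifiers cannot be bound as parameters.
    """
    if count <= 0:
        raise ValueError("IN list needs at least one value")
    return f"{column} IN ({', '.join('?' * count)})"


def chunked(items: Sequence, size: int) -> Iterable[Sequence]:
    """Yield consecutive slices of at most `size` elements."""
    if size <= 0:
        raise ValueError("batch size must be positive")
    for start in range(0, len(items), size):
        yield items[start:start + size]


def select_users_by_ids(conn: sqlite3.Connection, ids: Sequence, batch_size: int = MAX_PARAMS):
    """SELECT rows whose id is in `ids`, one statement per batch so no single
    statement exceeds the bind-parameter limit, then merge the partial results."""
    unique_ids = list(dict.fromkeys(ids))  # dedupe while keeping order
    merged = []
    for batch in chunked(unique_ids, batch_size):
        sql = "SELECT id, name FROM users WHERE " + build_in_clause("id", len(batch))
        merged.extend(conn.execute(sql, tuple(batch)).fetchall())
    merged.sort(key=lambda row: row[0])  # restore one ordering across batches
    return merged


def demo(total_rows: int = 2500, wanted: int = 1500, batch_size: int = 500):
    """Constructed data: an in-memory users table. Returns (rows, selects_run)."""
    conn = sqlite3.connect(":memory:")
    executed = []
    conn.set_trace_callback(executed.append)  # records every statement sqlite runs
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(i, f"user{i}") for i in range(1, total_rows + 1)],
    )
    ids = list(range(1, wanted + 1))
    # A value that would break the query if it were concatenated into the SQL;
    # bound as a parameter it is just a string that matches no integer id.
    ids.append("1) OR (1=1")
    rows = select_users_by_ids(conn, ids, batch_size=batch_size)
    selects = sum(1 for stmt in executed if stmt.lstrip().upper().startswith("SELECT"))
    return rows, selects


if __name__ == "__main__":
    rows, selects = demo()
    print(f"{len(rows)} rows fetched in {selects} SELECT statements")
```

The batch size of 500 in `demo` is deliberately below every limit mentioned in the answer (and below SQLite's own default, which is 999 on older builds). In JDBC the same SQL text would go into a `PreparedStatement` with one `setObject(index, value)` call per placeholder; the static analyser's warning is about the string building, not about where the values end up.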