1. Symptom
Caused by: java.sql.SQLException: sql injection violation, part alway true condition not allow
nested exception is java.sql.SQLException: sql injection violation, part alway true condition not allow : SELECT
id
... omitted ...
, is_deleted
, date_format(create_time, '%Y-%m-%d %H:%i:%s') create_time
, create_user
, date_format(update_time, '%Y-%m-%d %H:%i:%s') update_time
, update_user
FROM
t_table_name
WHERE
1 = 1
AND provence_id = ?
AND user_id = ?
OR
1 = 1
AND provence_id = ?
AND user_id = ?
OR
1 = 1
AND provence_id = ?
AND user_id = ?
OR
1 = 1
AND provence_id = ?
AND user_id = ?
OR
1 = 1
AND provence_id = ?
AND user_id = ?
ORDER BY id ASC
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:84) ~[spring-jdbc-4.1.4.RELEASE.jar:4.1.4.RELEASE]
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81) ~[spring-jdbc-4.1.4.RELEASE.jar:4.1.4.RELEASE]
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81) ~[spring-jdbc-4.1.4.RELEASE.jar:4.1.4.RELEASE]
at org.mybatis.spring.MyBatisExceptionTranslator.translateExceptionIfPossible(MyBatisExceptionTranslator.java:71) ~[mybatis-spring-1.2.0.jar:1.2.0]
at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:364) ~[mybatis-spring-1.2.0.jar:1.2.0]
at com.sun.proxy.$Proxy37.selectList(Unknown Source) ~[?:?]
at org.mybatis.spring.SqlSessionTemplate.selectList(SqlSessionTemplate.java:194) ~[mybatis-spring-1.2.0.jar:1.2.0]
at org.apache.ibatis.binding.MapperMethod.executeForMany(MapperMethod.java:122) ~[mybatis-3.3.1.jar:3.3.1]
at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:64) ~[mybatis-3.3.1.jar:3.3.1]
at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:53) ~[mybatis-3.3.1.jar:3.3.1]
at com.sun.proxy.$Proxy93.queryDepartmentUserList(Unknown Source) ~[?:?]
at ......
at ......
at ......
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [?:1.7.0_79]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [?:1.7.0_79]
at java.lang.Thread.run(Thread.java:745) [?:1.7.0_79]
Caused by: java.sql.SQLException: sql injection violation, part alway true condition not allow : SELECT
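2. Analysis
The project uses the MyBatis framework and kept throwing the error above. In plain terms, the message says: SQL injection problem, part of the condition is always true, and this is not allowed.
So the SQL script needs another careful check. It turned out that I had carelessly placed an always-true condition such as 1 = 1 into the WHERE clause repeatedly.
3. Solution
After deleting OR 1 = 1, everything worked normally. The statement had violated the rule that SQL must not contain always-true conditions.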
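The following is an added example, not the author's code: Python with an in-memory SQLite table standing in for the MySQL/MyBatis setup. It shows that the OR groups return the same rows once the `1 = 1` prefix is dropped and each group is parenthesised, with every value still bound as a parameter. It assumes the query was meant to match any of several (provence_id, user_id) pairs; the function names and sample rows are constructed.

```python
import re
import sqlite3

# Constructed sample rows (id, provence_id, user_id); names follow the page's SQL.
ROWS = [(1, 10, 100), (2, 10, 101), (3, 20, 100), (4, 30, 300)]

def make_conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_table_name "
                 "(id INTEGER PRIMARY KEY, provence_id INTEGER, user_id INTEGER)")
    conn.executemany("INSERT INTO t_table_name VALUES (?, ?, ?)", ROWS)
    return conn

def build_where(pairs, legacy=False):
    """Return (where_sql, params) matching any (provence_id, user_id) pair."""
    if not pairs:
        # A bare "1 = 1" would return every row here; fail closed instead.
        raise ValueError("no filter pairs supplied; refusing unfiltered query")
    group = "provence_id = ? AND user_id = ?"
    # legacy=True reproduces the shape of the rejected statement from the page.
    group = "1 = 1 AND " + group if legacy else "(" + group + ")"
    params = [value for pair in pairs for value in pair]
    return "WHERE " + " OR ".join([group] * len(pairs)), params

def query_ids(conn, pairs, legacy=False):
    where, params = build_where(pairs, legacy)
    sql = "SELECT id FROM t_table_name " + where + " ORDER BY id ASC"
    return [row[0] for row in conn.execute(sql, params)]

def has_constant_equality(sql):
    """Crude text check for N = N literals; not the rule engine that raised the error."""
    return re.search(r"\b(\d+)\s*=\s*\1\b", sql) is not None

if __name__ == "__main__":
    conn = make_conn()
    pairs = [(10, 100), (30, 300), (20, 999)]
    print(build_where(pairs)[0])
    print(query_ids(conn, pairs, legacy=True), query_ids(conn, pairs))
```

Because AND binds tighter than OR, the parentheses do not change the result; they make the grouping explicit so a later edit cannot silently regroup the conditions.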
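Copyright notice: this article, titled "MySQL exception #SQLException: sql injection violation, part alway true condition not allow", was voluntarily contributed by a community member, and the views in it are the author's alone. To repost it, contact the author and cite the source: https://www.elefans.com/xitong/1728324737a1154288.html. This site only provides information storage space, holds no ownership, and bears no related legal liability. If content on this site is found to involve suspected plagiarism, infringement, or violations of laws or regulations, it will be deleted immediately once verified.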