druid报异常 “sql injection violation, part alway true condition not allow”的解决方案

使用durid连接池组件,执行sql时发现异常如下:

Caused by: java.sql.SQLException: sql injection violation, part alway true condition not allow : select t.id,t.name ,from sys_testt where (t.tid = 'sys' or ''='sys') and (t.tname like '%%' or ''='')
	at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:714)
	at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:240)
	at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:448)
	at com.alibaba.druid.filter.FilterAdapter.connection_prepareStatement(FilterAdapter.java:928)
	at com.alibaba.druid.filter.FilterEventAdapter.connection_prepareStatement(FilterEventAdapter.java:122)
	at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:448)
	at com.alibaba.druid.proxy.jdbc.ConnectionProxyImpl.prepareStatement(ConnectionProxyImpl.java:342)
	at com.alibaba.druid.pool.DruidPooledConnection.prepareStatement(DruidPooledConnection.java:318)
	at sun.reflect.GeneratedMethodAccessor26.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.jfinal.plugin.activerecord.SqlReporter.invoke(SqlReporter.java:72)
	at $Proxy5.prepareStatement(Unknown Source)
	at com.jfinal.plugin.activerecord.DbPro.find(DbPro.java:334)
	at com.jfinal.plugin.activerecord.DbPro.find(DbPro.java:349)
	... 43 more

 解决方案:

参数filters: 属性类型是字符串,通过别名的方式配置扩展插件,常用的插件有:
监控统计用的filter:stat 日志用的filter:log4j 防御sql注入的filter:wall。

把 filters配置中 去掉 wall即可。

druid详细参数配置地址:https://github.com/alibaba/druid/wiki/DruidDataSource%E9%85%8D%E7%BD%AE%E5%B1%9E%E6%80%A7%E5%88%97%E8%A1%A8

 

posted @ 2015-07-23 14:29 java_lover 阅读(...) 评论(...) 编辑 收藏