alibaba / druid

From the Alibaba Cloud DataWorks team (https://help.aliyun.com/document_detail/137663.html): a database connection pool built for monitoring
https://github.com/alibaba/druid/wiki
Apache License 2.0

sql injection violation, syntax error: ERROR. token : DESC, pos : 106 : #1684

Open wangshuimiao opened 7 years ago

wangshuimiao commented 7 years ago

DB2 + Druid, running on JDK 1.6 on Linux. The exception stack trace is as follows:

org.springframework.jdbc.UncategorizedSQLException: PreparedStatementCallback; uncategorized SQLException for SQL [ SELECT BANK_CODE, CONN_LOCATION_TYPE, OUTER_KEYLABEL_NAME, INNER_KEYLABEL_NAME, DESC, COMMENT, STATUS, DB_TIMESTAMP FROM EGL_SYS_KEYLABEL_CONVERT_DEF WHERE STATUS='1' ]; SQL state [null]; error code [0]; sql injection violation, syntax error: ERROR. token : DESC, pos : 106 : SELECT BANK_CODE, CONN_LOCATION_TYPE, OUTER_KEYLABEL_NAME, INNER_KEYLABEL_NAME, DESC, COMMENT, STATUS, DB_TIMESTAMP FROM EGL_SYS_KEYLABEL_CONVERT_DEF WHERE STATUS='1' ; nested exception is java.sql.SQLException: sql injection violation, syntax error: ERROR. token : DESC, pos : 106 : SELECT BANK_CODE, CONN_LOCATION_TYPE, OUTER_KEYLABEL_NAME, INNER_KEYLABEL_NAME, DESC, COMMENT, STATUS, DB_TIMESTAMP FROM EGL_SYS_KEYLABEL_CONVERT_DEF WHERE STATUS='1'

    at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:84)
    at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81)
    at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81)
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:645)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:680)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:707)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:757)
    at org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate.query(NamedParameterJdbcTemplate.java:192)
    at org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate.queryForList(NamedParameterJdbcTemplate.java:264)
    at org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate.queryForList(NamedParameterJdbcTemplate.java:271)
    at org.sccba.esb.dbi.foundation.automicoperation.QueryForList.call(QueryForList.java:58)
    at org.sccba.esb.dbi.foundation.automicoperation.QueryForList.call(QueryForList.java:1)
    at org.sccba.esb.dbi.foundation.DataAccessManager.dataBaseProcess(DataAccessManager.java:240)
    at org.sccba.esb.dbi.foundation.DataAccessManager.queryForList(DataAccessManager.java:356)
    at org.sccba.esb.dbi.foundation.DataAccessManager$$FastClassBySpringCGLIB$$6976e047.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:718)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:654)
    at org.sccba.esb.dbi.foundation.DataAccessManager$$EnhancerBySpringCGLIB$$2271f28f.queryForList(<generated>)
    at org.sccba.esb.dbi.tableimp.BaseDBI.loadAllData(BaseDBI.java:244)
    at org.sccba.esb.dbi.tableimp.BaseDBI.L1Retrieve(BaseDBI.java:191)
    at org.sccba.esb.dbi.tableimp.BaseDBI.L1Get(BaseDBI.java:317)
    at org.sccba.esb.dbi.tableimp.global.config.IMP_EGL_SYS_KEYLABEL_CONVERT_DEF.getInnerKeylabelNameCached(IMP_EGL_SYS_KEYLABEL_CONVERT_DEF.java:54)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
    at java.lang.reflect.Method.invoke(Method.java:611)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.cache.interceptor.CacheInterceptor$1.invoke(CacheInterceptor.java:52)
    at org.springframework.cache.interceptor.CacheAspectSupport.invokeOperation(CacheAspectSupport.java:320)
    at org.springframework.cache.interceptor.CacheAspectSupport.execute(CacheAspectSupport.java:353)
    at org.springframework.cache.interceptor.CacheAspectSupport.execute(CacheAspectSupport.java:302)
    at org.springframework.cache.interceptor.CacheInterceptor.invoke(CacheInterceptor.java:61)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
    at $Proxy17.getInnerKeylabelNameCached(Unknown Source)
    at org.sccba.esb.adapter.handler.advancedEventProces.ReqKeyinfoConvertAEP.beforeApp(ReqKeyinfoConvertAEP.java:383)
    at org.sccba.esb.adapter.handler.AbstractBaseHandler.CallAEP(AbstractBaseHandler.java:1141)
    at org.sccba.esb.adapter.handler.BaseHandler.AppProcess(BaseHandler.java:833)
    at org.sccba.esb.adapter.handler.RequesterHandler.messageProc(RequesterHandler.java:226)
    at org.sccba.esb.adapter.handler.AbstractBaseHandler.process(AbstractBaseHandler.java:572)
    at org.sccba.esb.adapter.handler.AbstractBaseHandler.executeRun(AbstractBaseHandler.java:451)
    at org.sccba.esb.adapter.handler.AbstractBaseHandler.run(AbstractBaseHandler.java:506)
    at java.lang.Thread.run(Thread.java:736)

Caused by: java.sql.SQLException: sql injection violation, syntax error: ERROR. token : DESC, pos : 106 : SELECT BANK_CODE, CONN_LOCATION_TYPE, OUTER_KEYLABEL_NAME, INNER_KEYLABEL_NAME, DESC, COMMENT, STATUS, DB_TIMESTAMP FROM EGL_SYS_KEYLABEL_CONVERT_DEF WHERE STATUS='1'

    at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:725)
    at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:253)
    at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:448)
    at com.alibaba.druid.filter.FilterAdapter.connection_prepareStatement(FilterAdapter.java:928)
    at com.alibaba.druid.filter.FilterEventAdapter.connection_prepareStatement(FilterEventAdapter.java:122)
    at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:448)
    at com.alibaba.druid.proxy.jdbc.ConnectionProxyImpl.prepareStatement(ConnectionProxyImpl.java:342)
    at com.alibaba.druid.pool.DruidPooledConnection.prepareStatement(DruidPooledConnection.java:346)
    at org.springframework.jdbc.core.PreparedStatementCreatorFactory$PreparedStatementCreatorImpl.createPreparedStatement(PreparedStatementCreatorFactory.java:238)
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:623)
    ... 47 more

Caused by: com.alibaba.druid.sql.parser.ParserException: ERROR. token : DESC, pos : 106

    at com.alibaba.druid.sql.parser.SQLExprParser.primary(SQLExprParser.java:600)
    at com.alibaba.druid.sql.parser.SQLExprParser.expr(SQLExprParser.java:85)
    at com.alibaba.druid.sql.parser.SQLExprParser.parseSelectItem(SQLExprParser.java:2166)
    at com.alibaba.druid.sql.parser.SQLSelectParser.parseSelectList(SQLSelectParser.java:373)
    at com.alibaba.druid.sql.dialect.db2.parser.DB2SelectParser.query(DB2SelectParser.java:73)
    at com.alibaba.druid.sql.parser.SQLSelectParser.select(SQLSelectParser.java:59)
    at com.alibaba.druid.sql.parser.SQLStatementParser.parseSelect(SQLStatementParser.java:1831)
    at com.alibaba.druid.sql.parser.SQLStatementParser.parseStatementList(SQLStatementParser.java:114)
    at com.alibaba.druid.sql.parser.SQLStatementParser.parseStatementList(SQLStatementParser.java:79)
    at com.alibaba.druid.wall.WallProvider.checkInternal(WallProvider.java:620)
    at com.alibaba.druid.wall.WallProvider.check(WallProvider.java:574)
    at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:712)
    ... 56 more

    at org.sccba.esb.dbi.foundation.DataAccessManager.ProcessDBException(DataAccessManager.java:174)
    at org.sccba.esb.dbi.foundation.DataAccessManager.dataBaseProcess(DataAccessManager.java:325)
    at org.sccba.esb.dbi.foundation.DataAccessManager.queryForList(DataAccessManager.java:356)
    at org.sccba.esb.dbi.foundation.DataAccessManager$$FastClassBySpringCGLIB$$6976e047.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:718)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:654)
    at org.sccba.esb.dbi.foundation.DataAccessManager$$EnhancerBySpringCGLIB$$2271f28f.queryForList(<generated>)
    at org.sccba.esb.dbi.tableimp.BaseDBI.loadAllData(BaseDBI.java:244)
    at org.sccba.esb.dbi.tableimp.BaseDBI.L1Retrieve(BaseDBI.java:191)
    at org.sccba.esb.dbi.tableimp.BaseDBI.L1Get(BaseDBI.java:317)
    at org.sccba.esb.dbi.tableimp.global.config.IMP_EGL_SYS_KEYLABEL_CONVERT_DEF.getInnerKeylabelNameCached(IMP_EGL_SYS_KEYLABEL_CONVERT_DEF.java:54)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
    at java.lang.reflect.Method.invoke(Method.java:611)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.cache.interceptor.CacheInterceptor$1.invoke(CacheInterceptor.java:52)
    at org.springframework.cache.interceptor.CacheAspectSupport.invokeOperation(CacheAspectSupport.java:320)
    at org.springframework.cache.interceptor.CacheAspectSupport.execute(CacheAspectSupport.java:353)
    at org.springframework.cache.interceptor.CacheAspectSupport.execute(CacheAspectSupport.java:302)
    at org.springframework.cache.interceptor.CacheInterceptor.invoke(CacheInterceptor.java:61)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
    at $Proxy17.getInnerKeylabelNameCached(Unknown Source)
    at org.sccba.esb.adapter.handler.advancedEventProces.ReqKeyinfoConvertAEP.beforeApp(ReqKeyinfoConvertAEP.java:383)
    at org.sccba.esb.adapter.handler.AbstractBaseHandler.CallAEP(AbstractBaseHandler.java:1141)
    at org.sccba.esb.adapter.handler.BaseHandler.AppProcess(BaseHandler.java:833)
    at org.sccba.esb.adapter.handler.RequesterHandler.messageProc(RequesterHandler.java:226)
    at org.sccba.esb.adapter.handler.AbstractBaseHandler.process(AbstractBaseHandler.java:572)
    at org.sccba.esb.adapter.handler.AbstractBaseHandler.executeRun(AbstractBaseHandler.java:451)
    at org.sccba.esb.adapter.handler.AbstractBaseHandler.run(AbstractBaseHandler.java:506)
    at java.lang.Thread.run(Thread.java:736)
wenshao commented 7 years ago

DESC is a keyword. What type of database is this, MySQL or Oracle? Does it support DESC as a column name?

wangshuimiao commented 7 years ago

It's DB2.

wangshuimiao commented 7 years ago

Is there any way to handle a database keyword being used as a column name?

wenshao commented 7 years ago

I'll add special support for it, and will try to release a new version this weekend.

wangshuimiao commented 7 years ago

OK, thank you.
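The rejection above is a false positive from Druid's WallFilter: the DB2 parser behind the firewall stops at `DESC` in the select list, and because `strictSyntaxCheck` is on by default a parse failure is reported as an injection violation. To reproduce that outside the application and weigh the interim options (a DB2 delimited identifier `"DESC"`, turning `strictSyntaxCheck` off, or running WallFilter in log-only mode with `logViolation=true` and `throwException=false` until a release with the parser fix is in), here is an added example; it is not part of the issue or of Druid's own code. It drives `DB2WallProvider` directly with no pool and no live database. The class name, the quoted and stacked variants of the query, and the printed labels are mine; the `WallConfig`, `WallProvider`, `WallCheckResult` and `Violation` methods are Druid's SQL-firewall API as I know it from around the time of this issue and should be checked against the version in use. Outcomes are printed rather than asserted, since they depend on that version.

```java
import java.util.List;

import com.alibaba.druid.wall.Violation;
import com.alibaba.druid.wall.WallCheckResult;
import com.alibaba.druid.wall.WallConfig;
import com.alibaba.druid.wall.WallProvider;
import com.alibaba.druid.wall.db2.DB2WallProvider;

/**
 * Runs Druid's SQL firewall (the same WallProvider that WallFilter calls
 * from connection_prepareStatement) against the statement from the issue,
 * so the DESC false positive and each workaround can be checked in isolation.
 */
public class DescColumnWallCheck {

    // The exact statement from the stack trace in the issue.
    static final String ISSUE_SQL =
        "SELECT BANK_CODE, CONN_LOCATION_TYPE, OUTER_KEYLABEL_NAME, INNER_KEYLABEL_NAME, "
        + "DESC, COMMENT, STATUS, DB_TIMESTAMP FROM EGL_SYS_KEYLABEL_CONVERT_DEF WHERE STATUS='1'";

    // Workaround candidate (constructed here): DB2 delimited identifier. DB2 accepts it;
    // whether Druid's DB2 parser also does is exactly what this check reports.
    static final String QUOTED_SQL = ISSUE_SQL.replace(" DESC,", " \"DESC\",");

    // A statement the firewall must keep blocking (constructed here; Druid's
    // multiStatementAllow is false by default).
    static final String STACKED_SQL = ISSUE_SQL + "; DROP TABLE EGL_SYS_KEYLABEL_CONVERT_DEF";

    /** Builds a DB2 firewall with the given strictSyntaxCheck setting (Druid's default is true). */
    static WallProvider db2Provider(boolean strictSyntaxCheck) {
        WallConfig config = new WallConfig();
        config.setStrictSyntaxCheck(strictSyntaxCheck);
        return new DB2WallProvider(config);
    }

    /** Returns true when the firewall reports no violation, printing any it does report. */
    static boolean allowed(WallProvider provider, String sql) {
        WallCheckResult result = provider.check(sql);
        List<Violation> violations = result.getViolations();
        for (Violation v : violations) {
            System.out.printf("    violation %d: %s%n", v.getErrorCode(), v.getMessage());
        }
        return violations.isEmpty();
    }

    static void report(String label, WallProvider provider, String sql) {
        System.out.println(label + ":");
        System.out.println("    " + (allowed(provider, sql) ? "allowed" : "BLOCKED"));
    }

    public static void main(String[] args) {
        WallProvider strict = db2Provider(true);
        WallProvider relaxed = db2Provider(false);

        report("issue SQL, strictSyntaxCheck=true ", strict, ISSUE_SQL);
        report("issue SQL, strictSyntaxCheck=false", relaxed, ISSUE_SQL);
        report("\"DESC\" quoted, strictSyntaxCheck=true", strict, QUOTED_SQL);
        // The two cases below show what relaxing the syntax check costs: a statement that
        // trips the parser is never visited by the other wall rules, so the stacked DROP
        // may pass once strictSyntaxCheck is off.
        report("stacked DROP, strictSyntaxCheck=true ", strict, STACKED_SQL);
        report("stacked DROP, strictSyntaxCheck=false", relaxed, STACKED_SQL);
    }
}
```

Run it with the same Druid jar the application ships. Turning off `strictSyntaxCheck` (or `throwException` on the filter) is a global change, not a per-query exception: any input the parser cannot handle, including attacker-controlled fragments that deliberately break parsing, then reaches DB2 without the wall's visitor rules having run on it, which is why the stacked DROP case sits beside the issue query. Quoting the column changes the SQL sent to DB2 and must keep the uppercase spelling DB2 stores for an undelimited name. The parser change wenshao mentions is the only option that keeps the firewall strict.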