Open 250846434 opened 3 years ago
附 MysqlDataSource 测试文件
import com.alibaba.druid.util.JdbcUtils;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.mysql.cj.jdbc.MysqlDataSource;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;
/**
* @author lichen
* @email 250846434@qq.com
* @date 2021/9/1 14:08
*/
@Slf4j
public class ConnTest {
private static DataSource ds;
public static void main(String[] args) throws SQLException {
ds = getDataSource();
List<Map<String, Object>> a = executeQuery("select * from demo where name like \"%\"?\"%\"", "1");
}
//
private static DataSource getDataSource() {
MysqlDataSource ds = new MysqlDataSource();
ds.setUrl("jdbc:mysql://127.0.0.1:3306/demo?allowMultiQueries=true&useUnicode=true&useSSL=false&serverTimezone=GMT%2B8&autoReconnect=true&characterEncoding=UTF-8&rewriteBatchedStatements=true");
ds.setUser();
ds.setPassword();
return ds;
}
@SneakyThrows
public static List<Map<String, Object>> executeQuery(String sql, Object... params) {
List<Map<String, Object>> result = Lists.newArrayList();
Connection conn = ds.getConnection();
PreparedStatement ps = conn.prepareStatement(sql);
for (int i = 0; i < params.length; i++) {
ps.setObject(i + 1, params[i]);
}
ResultSet rs = ps.executeQuery();
ResultSetMetaData metaData = rs.getMetaData(); //获得列的结果
while (rs.next()) {
Map<String, Object> map = Maps.newHashMap();
for (int i = 0; i < metaData.getColumnCount(); i++) {
String key = metaData.getColumnName(i + 1);
Object value = rs.getObject(i + 1);
map.put(key, value);
}
result.add(map);
}
JdbcUtils.close(rs);
JdbcUtils.close(ps);
JdbcUtils.close(conn);
return result;
}
}
1.测试版本: 1.1.21/1.2,6均出现该问题 2.出错sql :select from demo where name like "%"?"%" 出错位置: ps = conn.prepareStatement(sql); 经测试 :MysqlDataSource 的 ps = conn.prepareStatement(sql); 无该问题. 3.异常信息: ```java.sql.SQLException: sql injection violation, dbType mysql, , druid-version 1.2.5, syntax error: syntax error, error in :'name like "%"?"%", pos 54, line 1, column 54, token ? : select from demo d where d.name like "%"?"%"
4:附录,在使用wallFilter时,其解析也会出错.类似于以下报错:
sql injection violation, syntax error: syntax error, error in :'code like "%"?"%" ', expect QUES, actual QUES pos 232, line 9, column 43, token QUES```报错位置存在于以下位置:
com.alibaba.druid.sql.parser.ParserException: syntax error, error in :'code like "%"?"%" ', expect QUES, actual QUES pos 232, line 9, column 43, token QUES at com.alibaba.druid.sql.parser.SQLParser.printError(SQLParser.java:344) at com.alibaba.druid.sql.parser.SQLStatementParser.parseStatementList(SQLStatementParser.java:532) at com.alibaba.druid.sql.parser.SQLStatementParser.parseStatementList(SQLStatementParser.java:182) at com.alibaba.druid.wall.WallProvider.checkInternal(WallProvider.java:624) at com.alibaba.druid.wall.WallProvider.check(WallProvider.java:578)