I have a query as:

def selectQuery = "select ins"
def fromQuery = " from InstitutionStudent ins"
def whereQuery = " where ins.institution=:inst"
def compareQuery = [inst:inst]

and another query as:

if (params.pAddress != "") {
    // string concatenation of user input into HQL (the injection risk asked about)
    whereQuery += " and ins.address='" + address + "'"

    def check = InstitutionStudent.executeQuery(
        "SELECT ins FROM InstitutionStudent ins " +
        "WHERE ins.institution=:inst and ins.address='" + address + "'",
        [inst:inst])
}

which results in the advanced search query as

def allQuery = selectQuery + fromQuery + whereQuery
def finalQuery = InstitutionStudent.executeQuery(allQuery.toString(), compareQuery)

but there is a possibility of an injection attack, so how do I pass a parameterized query here to prevent it?


Solution

You could use the usual named parameters:

if (params.pAddress != "") {
    // placeholder in the HQL, value in the parameter map
    whereQuery += " and ins.address= :address"
    compareQuery.address = address

    def check = InstitutionStudent.executeQuery(
        "SELECT ins FROM InstitutionStudent ins " +
        "WHERE ins.institution=:inst and ins.address=:address",
        [inst:inst, address:address])
}
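The same idea generalised to several optional filters, as an added example that is not part of the question or the answer above: the where clause is built one fragment at a time, but every user-supplied value only ever enters the named-parameter map, so Hibernate sends it as a bind parameter rather than as HQL text. `InstitutionStudent` and `ins.address` come from the question; the `ins.name` property, the `pName` request parameter and the `buildStudentQuery` helper are assumptions made for this example.

```groovy
// Added example (not from the question or the answer). Builds a dynamic HQL
// query over the assumed InstitutionStudent domain class; all filter values are
// bound through the named-parameter map, never concatenated into the HQL string.
def buildStudentQuery(Map params, inst) {
    def hql = new StringBuilder(
        "select ins from InstitutionStudent ins where ins.institution = :inst")
    def bindings = [inst: inst]

    // Optional exact-match filter (pAddress is the request parameter from the question).
    if (params.pAddress) {
        hql << " and ins.address = :address"
        bindings.address = params.pAddress
    }

    // Optional substring filter (pName and ins.name are assumed for this example).
    // LIKE wildcards are added to the bound value, not to the HQL text, and the
    // GString is converted with toString() so Hibernate receives a plain String.
    if (params.pName) {
        hql << " and lower(ins.name) like :name"
        bindings.name = "%${params.pName.toLowerCase()}%".toString()
    }

    return [hql: hql.toString(), params: bindings]
}

// Usage inside a Grails controller or service; executeQuery is GORM's HQL API:
//   def q = buildStudentQuery(params, inst)
//   def students = InstitutionStudent.executeQuery(q.hql, q.params)
//
// A request such as pAddress = "x' or '1'='1" simply binds that whole text as the
// address value: the HQL stays "... and ins.address = :address", so it matches
// only a row whose address literally equals that string.
```

The `if (params.pAddress)` check uses Groovy truth, so a missing or empty parameter skips the filter the same way `!= ""` does in the question; adding a new filter is always the pair of one placeholder fragment and one map entry.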
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow