Question

I have a query as:

    def selectQuery  = "select ins"
    def fromQuery    = " from InstitutionStudent ins"
    def whereQuery   = " where ins.institution=:inst"
    def compareQuery = [inst:inst]

and another query as:

    def address = params.pAddress   // assumed: 'address' is not defined in the original snippet
    if (params.pAddress != "") {
        // user input is concatenated straight into the HQL string
        whereQuery += " and ins.address='" + address + "'"

        def check = InstitutionStudent.executeQuery(
            "SELECT ins FROM InstitutionStudent ins " +
            "WHERE ins.institution=:inst and ins.address='" + address + "'",
            [inst:inst])
    }

which results in the advanced-search query:

    def allQuery   = selectQuery + fromQuery + whereQuery
    def finalQuery = InstitutionStudent.executeQuery(allQuery.toString(), compareQuery)

but there is a possibility of an injection attack, so to prevent it, how do I pass a parameterized query to this query?


Solution

You could use the usual named parameters:

    if (params.pAddress != "") {
        whereQuery += " and ins.address= :address"
        compareQuery.address = address   // bind the value instead of concatenating it
        def check = InstitutionStudent.executeQuery(
            "SELECT ins FROM InstitutionStudent ins " +
            "WHERE ins.institution=:inst and ins.address=:address",
            [inst:inst, address:address])
    }
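The same idea generalised to several optional filters, as an added example that is not part of the question or the answer: the HQL text and its named-parameter map are built together, so a filter can only ever add a placeholder plus a binding, never raw request data. `InstitutionStudent` and `inst` are the domain class and institution from the question; `params` is the Grails request params map (assumed).

```groovy
// Builds a dynamic where clause for InstitutionStudent with named parameters only.
class StudentQueryBuilder {
    // Property names are developer-controlled; reject anything outside this list so
    // a caller can never route request data into the HQL text itself.
    private static final Set<String> ALLOWED = ['address', 'name', 'email'] as Set

    private final StringBuilder where = new StringBuilder(" where ins.institution = :inst")
    private final Map<String, Object> bindings

    StudentQueryBuilder(inst) {
        bindings = [inst: inst]
    }

    // Adds one optional filter: placeholder into the HQL, value into the map.
    // Empty or null values (unused search fields) are skipped, as in the question.
    StudentQueryBuilder filter(String property, Object value) {
        if (!(property in ALLOWED)) {
            throw new IllegalArgumentException("unknown filter property: ${property}")
        }
        if (value != null && value != '') {
            where << " and ins.${property} = :${property}"
            bindings[property] = value
        }
        return this
    }

    String getHql() { "select ins from InstitutionStudent ins" + where }

    Map<String, Object> getBindings() { bindings.asImmutable() }
}

// Usage inside a controller action (params field names assumed):
def builder = new StudentQueryBuilder(inst)
    .filter('address', params.pAddress)
    .filter('name',    params.pName)

// Hibernate binds every value; a pAddress of "x' or '1'='1" is matched literally.
def results = InstitutionStudent.executeQuery(builder.hql, builder.bindings)
```

A quick self-check before running: every `:name` in `builder.hql` must have a key in `builder.bindings`, which this builder guarantees because both are written in the same statement.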
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow