Question

I have a query as:

def selectQuery  = "select ins"
def fromQuery    = " from InstitutionStudent ins"
def whereQuery   = " where ins.institution=:inst"
def compareQuery = [inst:inst]

and another query as:

if(params.pAddress != "") {
    // address is concatenated straight into the HQL text
    whereQuery += " and ins.address='" + address + "'"

    def check = InstitutionStudent.executeQuery(
        "SELECT ins FROM InstitutionStudent ins " +
        "WHERE ins.institution=:inst and ins.address='" + address + "'",
        [inst:inst])
}

which results in the advanced search query as:

def allQuery   = selectQuery + fromQuery + whereQuery
def finalQuery = InstitutionStudent.executeQuery(allQuery.toString(), compareQuery)

but there is a possibility of an injection attack, so to prevent it, how do I pass a parameterized query to this query?


Solution

You could use usual named parameters:

if(params.pAddress != "") {
    // append the condition with a named placeholder; the value itself goes into the parameter map
    whereQuery += " and ins.address = :address"
    compareQuery.address = address

    def check = InstitutionStudent.executeQuery(
        "SELECT ins FROM InstitutionStudent ins " +
        "WHERE ins.institution = :inst and ins.address = :address",
        [inst:inst, address:address])
}
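As an added example (not part of the original question or answer), the following plain-Groovy helper builds a dynamic HQL WHERE clause the way the answer suggests: every optional filter appends a named placeholder to the query text and puts the user-supplied value into the parameter map, so the value is never concatenated into HQL. It also shows what the original concatenation would have produced for a quote-containing input. The names `params`, `inst`, `HqlFilter` and the filter keys are assumptions made for the illustration; the `InstitutionStudent.executeQuery` call is left as a comment because it needs a Grails/GORM runtime.

```groovy
// Added example, not from the original post: dynamic HQL filter builder that keeps
// user input out of the query text. Runs under plain Groovy (no Grails needed).

class HqlFilter {
    private final List<String> clauses = []
    final Map<String, Object> params = [:]

    // Adds "<column> = :<name>" and stores the value under that name.
    // Column names cannot be bound as parameters, so they are validated against
    // a strict identifier pattern instead of being taken from user input.
    HqlFilter eq(String column, String name, Object value) {
        if (!(column ==~ /[A-Za-z_][A-Za-z0-9_.]*/)) {
            throw new IllegalArgumentException("bad column name: ${column}")
        }
        clauses << "${column} = :${name}".toString()
        params[name] = value
        return this
    }

    // Same as eq, but skipped when the value is null or blank (an optional search field).
    HqlFilter eqIfPresent(String column, String name, Object value) {
        boolean blank = (value == null) || value.toString().trim().isEmpty()
        return blank ? this : eq(column, name, value)
    }

    // Joins the accumulated conditions onto the select/from part.
    String toHql(String selectFrom) {
        clauses ? "${selectFrom} where ${clauses.join(' and ')}".toString() : selectFrom
    }
}

// Constructed request parameters; pAddress carries a classic injection probe.
def params = [pAddress: "x' or '1'='1"]
def inst = [id: 42]   // stand-in for the Institution domain object (assumption)

def filter = new HqlFilter()
        .eq('ins.institution', 'inst', inst)
        .eqIfPresent('ins.address', 'address', params.pAddress)
        .eqIfPresent('ins.name', 'name', '')   // blank field: no clause added

String hql = filter.toHql('select ins from InstitutionStudent ins')
assert hql == 'select ins from InstitutionStudent ins where ins.institution = :inst and ins.address = :address'
assert filter.params.address == "x' or '1'='1"   // the quote travels as data, not as HQL
assert !filter.params.containsKey('name')

// Contrast: what the original string concatenation would have produced.
String concatenated = "select ins from InstitutionStudent ins " +
        "where ins.institution=:inst and ins.address='" + params.pAddress + "'"
assert concatenated.contains("ins.address='x' or '1'='1'")   // attacker-controlled HQL

// In the Grails controller the safe version is executed as:
// def results = InstitutionStudent.executeQuery(hql, filter.params)
println hql
println filter.params
```

The builder accepts any number of optional fields, so the same pattern covers the "advanced search" case in the question where several conditions are appended to `whereQuery`; only the placeholder names change, and the value map is passed as the second argument to `executeQuery` exactly as the answer shows.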
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow