使用durid连接池组件,执行sql时发现异常如下:
Caused by: java.sql.SQLException: sql injection violation, part alway true condition not allow : select t.id,t.name ,from sys_testt where (t.tid = 'sys' or ''='sys') and (t.tname like '%%' or ''='') at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:714) at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:240) at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:448) at com.alibaba.druid.filter.FilterAdapter.connection_prepareStatement(FilterAdapter.java:928) at com.alibaba.druid.filter.FilterEventAdapter.connection_prepareStatement(FilterEventAdapter.java:122) at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:448) at com.alibaba.druid.proxy.jdbc.ConnectionProxyImpl.prepareStatement(ConnectionProxyImpl.java:342) at com.alibaba.druid.pool.DruidPooledConnection.prepareStatement(DruidPooledConnection.java:318) at sun.reflect.GeneratedMethodAccessor26.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.jfinal.plugin.activerecord.SqlReporter.invoke(SqlReporter.java:72) at $Proxy5.prepareStatement(Unknown Source) at com.jfinal.plugin.activerecord.DbPro.find(DbPro.java:334) at com.jfinal.plugin.activerecord.DbPro.find(DbPro.java:349) ... 43 more
解决方案:
参数filters: 属性类型是字符串,通过别名的方式配置扩展插件,常用的插件有:
监控统计用的filter:stat
日志用的filter:log4j
防御sql注入的filter:wall。
把 filters配置中 去掉 wall即可。
druid详细参数配置地址:https://github.com/alibaba/druid/wiki/DruidDataSource%E9%85%8D%E7%BD%AE%E5%B1%9E%E6%80%A7%E5%88%97%E8%A1%A8