  • MySQL exception #SQLException: sql injection violation, part alway true condition not allow

    1. Symptom
    Caused by: java.sql.SQLException: sql injection violation, part alway true condition not allow

    nested exception is java.sql.SQLException: sql injection violation, part alway true condition not allow : SELECT
    id
    ... omitted ...
    , is_deleted
    , date_format(create_time, '%Y-%m-%d %H:%i:%s') create_time
    , create_user
    , date_format(update_time, '%Y-%m-%d %H:%i:%s') update_time
    , update_user
    FROM
    t_table_name
    WHERE
    1 = 1
    AND provence_id = ?
    AND user_id = ?
    OR
    1 = 1
    AND provence_id = ?
    AND user_id = ?
    OR
    1 = 1
    AND provence_id = ?
    AND user_id = ?
    OR
    1 = 1
    AND provence_id = ?
    AND user_id = ?
    OR
    1 = 1
    AND provence_id = ?
    AND user_id = ?
    ORDER BY id ASC
    at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:84) ~[spring-jdbc-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81) ~[spring-jdbc-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81) ~[spring-jdbc-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.mybatis.spring.MyBatisExceptionTranslator.translateExceptionIfPossible(MyBatisExceptionTranslator.java:71) ~[mybatis-spring-1.2.0.jar:1.2.0]
    at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:364) ~[mybatis-spring-1.2.0.jar:1.2.0]
    at com.sun.proxy.$Proxy37.selectList(Unknown Source) ~[?:?]
    at org.mybatis.spring.SqlSessionTemplate.selectList(SqlSessionTemplate.java:194) ~[mybatis-spring-1.2.0.jar:1.2.0]
    at org.apache.ibatis.binding.MapperMethod.executeForMany(MapperMethod.java:122) ~[mybatis-3.3.1.jar:3.3.1]
    at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:64) ~[mybatis-3.3.1.jar:3.3.1]
    at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:53) ~[mybatis-3.3.1.jar:3.3.1]
    at com.sun.proxy.$Proxy93.queryDepartmentUserList(Unknown Source) ~[?:?]
    at ......
    at ......
    at ......
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [?:1.7.0_79]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [?:1.7.0_79]
    at java.lang.Thread.run(Thread.java:745) [?:1.7.0_79]
    Caused by: java.sql.SQLException: sql injection violation, part alway true condition not allow : SELECT

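    2. Analysis
    The project uses the MyBatis framework and kept reporting the error above. The message means: SQL injection problem, part of the condition is always true, and this is not allowed.

    So the SQL script needed a more careful check. It turned out that I had carelessly placed the always-true condition 1 = 1 in the WHERE clause repeatedly.

    3. Solution
    After removing OR 1 = 1, everything worked normally, because the statement had violated the SQL rule that forbids always-true conditions.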
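
    The fix described above, written as a MyBatis mapper. This is an added example, not the author's mapper: the namespace, the `pairs` parameter with its `provenceId`/`userId` properties, and the "before" statement are assumptions reconstructed from the SQL shown in the exception.

    ```xml
    <!-- Added example. Hypothetical names: namespace, pairs, provenceId, userId. -->
    <mapper namespace="com.example.DepartmentUserMapper">

      <!-- Before (assumed): every loop iteration emits its own "1 = 1",
           so the generated statement contains "OR 1 = 1" and is rejected
           by the always-true-condition rule. -->
      <select id="queryDepartmentUserListBefore" resultType="map">
        SELECT id, is_deleted, create_user, update_user
        FROM t_table_name
        WHERE
        <foreach collection="pairs" item="p" separator=" OR ">
          1 = 1
          AND provence_id = #{p.provenceId}
          AND user_id = #{p.userId}
        </foreach>
        ORDER BY id ASC
      </select>

      <!-- After: no constant predicate at all. <where> adds the WHERE keyword
           only when the loop produces content, and each pair is parenthesised
           so the AND/OR grouping is explicit. Values stay bound with #{},
           never concatenated with ${}. -->
      <select id="queryDepartmentUserList" resultType="map">
        SELECT id, is_deleted, create_user, update_user
        FROM t_table_name
        <where>
          <foreach collection="pairs" item="p" open="(" separator=" OR " close=")">
            (provence_id = #{p.provenceId} AND user_id = #{p.userId})
          </foreach>
        </where>
        ORDER BY id ASC
      </select>

    </mapper>
    ```

    Callers should reject an empty `pairs` list before invoking the mapper, so the statement never runs without a filter.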


    ————————————————
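    Copyright notice: This is an original article by CSDN blogger 「有时有味」, licensed under CC 4.0 BY-SA. When reposting, include the link to the original source and this notice.
    Original link: https://blog.csdn.net/itanping/article/details/103140558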

  • Original address: https://www.cnblogs.com/javalinux/p/15651435.html