While inserting data with MyBatis, a careless typo produced the exception `Cause: java.sql.SQLException: sql injection violation`. The SQL statement was as follows:

```xml
<insert id="insertProduct" parameterType="com.isoftstone.product.entity.ProductBean">
    insert into mmall_product(<include refid="baseInsertSql"/>)
    values (#{productId}, #{categoryId}, #{productName}, ${subtitle},
            #{mainImage}, #{subImages}, #{detail}, #{productPrice},
            #{stock}, #{status},
            <choose><when test="createTime != null">#{createTime},</when><otherwise>now(),</otherwise></choose>
            <choose><when test="updateTime != null">#{updateTime}</when><otherwise>now()</otherwise></choose>)
</insert>
```

The full exception stack trace:

```text
org.springframework.jdbc.UncategorizedSQLException:
### Error updating database.  Cause: java.sql.SQLException: sql injection violation, syntax error: syntax error. pos 237, line 9, column 26, token IDENTIFIER phone : insert into mmall_product(id, category_id, name, subtitle, main_image, sub_images,detail, price, stock, status, create_time, update_time)values (?, ?, ?, hello phone,?, ?, ?, ?,?, ?,now(),now())
### SQL: insert into mmall_product         (                   id, category_id, name, subtitle, main_image, sub_images,         detail, price, stock, status, create_time, update_time               )         values (           ?, ?, ?, hello phone,           ?, ?, ?, ?,           ?, ?,                               now(),                                               now()                         )
### Cause: java.sql.SQLException: sql injection violation, syntax error: syntax error. pos 237, line 9, column 26, token IDENTIFIER phone : insert into mmall_product(id, category_id, name, subtitle, main_image, sub_images,detail, price, stock, status, create_time, update_time)values (?, ?, ?, hello phone,?, ?, ?, ?,?, ?,now(),now())
; uncategorized SQLException; SQL state [null]; error code [0]; sql injection violation, syntax error: syntax error. pos 237, line 9, column 26, token IDENTIFIER phone : insert into mmall_product(id, category_id, name, subtitle, main_image, sub_images,detail, price, stock, status, create_time, update_time)values (?, ?, ?, hello phone,?, ?, ?, ?,?, ?,now(),now()); nested exception is java.sql.SQLException: sql injection violation, syntax error: syntax error. pos 237, line 9, column 26, token IDENTIFIER phone : insert into mmall_product(id, category_id, name, subtitle, main_image, sub_images,detail, price, stock, status, create_time, update_time)values (?, ?, ?, hello phone,?, ?, ?, ?,?, ?,now(),now())
	at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:89)
	at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81)
	at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81)
	at org.mybatis.spring.MyBatisExceptionTranslator.translateExceptionIfPossible(MyBatisExceptionTranslator.java:73)
	at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:446)
	at com.sun.proxy.$Proxy87.insert(Unknown Source)
	at org.mybatis.spring.SqlSessionTemplate.insert(SqlSessionTemplate.java:278)
	at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:58)
	at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:59)
	at com.sun.proxy.$Proxy97.insertProduct(Unknown Source)
	at com.isoftstone.product.mapper.ProductMapperTest.insertProduct(ProductMapperTest.java:26)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.springframework.test.context.junit4.statements.RunBeforeTestExecutionCallbacks.evaluate(RunBeforeTestExecutionCallbacks.java:74)
	at org.springframework.test.context.junit4.statements.RunAfterTestExecutionCallbacks.evaluate(RunAfterTestExecutionCallbacks.java:84)
	at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
	at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
	at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:251)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:97)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
	at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
	at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:190)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
	at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
	at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
	at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)
Caused by: java.sql.SQLException: sql injection violation, syntax error: syntax error. pos 237, line 9, column 26, token IDENTIFIER phone : insert into mmall_product(id, category_id, name, subtitle, main_image, sub_images,detail, price, stock, status, create_time, update_time)values (?, ?, ?, hello phone,?, ?, ?, ?,?, ?,now(),now())
	at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:798)
	at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:251)
	at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:568)
	at com.alibaba.druid.filter.FilterAdapter.connection_prepareStatement(FilterAdapter.java:929)
	at com.alibaba.druid.filter.FilterEventAdapter.connection_prepareStatement(FilterEventAdapter.java:122)
	at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:568)
	at com.alibaba.druid.proxy.jdbc.ConnectionProxyImpl.prepareStatement(ConnectionProxyImpl.java:342)
	at com.alibaba.druid.pool.DruidPooledConnection.prepareStatement(DruidPooledConnection.java:349)
	at org.apache.ibatis.executor.statement.PreparedStatementHandler.instantiateStatement(PreparedStatementHandler.java:87)
	at org.apache.ibatis.executor.statement.BaseStatementHandler.prepare(BaseStatementHandler.java:88)
	at org.apache.ibatis.executor.statement.RoutingStatementHandler.prepare(RoutingStatementHandler.java:59)
	at org.apache.ibatis.executor.SimpleExecutor.prepareStatement(SimpleExecutor.java:85)
	at org.apache.ibatis.executor.SimpleExecutor.doUpdate(SimpleExecutor.java:49)
	at org.apache.ibatis.executor.BaseExecutor.update(BaseExecutor.java:117)
	at org.apache.ibatis.executor.CachingExecutor.update(CachingExecutor.java:76)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.ibatis.plugin.Plugin.invoke(Plugin.java:63)
	at com.sun.proxy.$Proxy100.update(Unknown Source)
	at org.apache.ibatis.session.defaults.DefaultSqlSession.update(DefaultSqlSession.java:198)
	at org.apache.ibatis.session.defaults.DefaultSqlSession.insert(DefaultSqlSession.java:185)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:433)
	... 36 more
Caused by: com.alibaba.druid.sql.parser.ParserException: syntax error. pos 237, line 9, column 26, token IDENTIFIER phone
	at com.alibaba.druid.sql.parser.SQLStatementParser.parseValueClause(SQLStatementParser.java:3323)
	at com.alibaba.druid.sql.dialect.mysql.parser.MySqlStatementParser.parseInsert(MySqlStatementParser.java:2553)
	at com.alibaba.druid.sql.dialect.mysql.parser.MySqlStatementParser.parseInsert(MySqlStatementParser.java:47)
	at com.alibaba.druid.sql.parser.SQLStatementParser.parseStatementList(SQLStatementParser.java:167)
	at com.alibaba.druid.sql.parser.SQLStatementParser.parseStatementList(SQLStatementParser.java:83)
	at com.alibaba.druid.wall.WallProvider.checkInternal(WallProvider.java:624)
	at com.alibaba.druid.wall.WallProvider.check(WallProvider.java:578)
	at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:785)
	... 63 more
```

Analysis: the error message shows that the statement failed to parse because of an injection problem. The culprit was that one value was pulled in with `${}` among the `#{}` placeholders. The usual advice is to take values with `#{}` and avoid `${}`, because `${}` values are prone to SQL injection: `#{}` becomes a JDBC `?` placeholder whose value is bound separately, while `${}` pastes the value into the SQL text before the statement is prepared. In my statement I had accidentally used `${}` for one property, so the subtitle `hello phone` landed in the SQL as bare tokens, and Druid's `WallFilter`, which parses every statement before it reaches the database (see `WallFilter.checkInternal` and `SQLStatementParser.parseValueClause` in the trace), rejected it with the syntax error shown above.
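To make the difference concrete, here is an added example (not code from the original post) that models the two MyBatis placeholder kinds and runs the rendered statement against an in-memory SQLite table. The table, the shortened fragments and the parameter values are constructed for the demonstration; only the `${subtitle}` slip and the value `hello phone` come from the post. With `${}` the value becomes part of the statement text and the database rejects it as a syntax error, exactly as Druid's wall filter did; with `#{}` the statement text never changes and the row is inserted.

```python
import re
import sqlite3

# Constructed stand-in for mmall_product with only the columns needed here
# (assumption: the real table has the full column list from the trace).
SCHEMA = "CREATE TABLE mmall_product (id INTEGER, name TEXT, subtitle TEXT)"

# Two MyBatis-style fragments. BROKEN_FRAGMENT repeats the slip from the
# post (${subtitle} among #{...} placeholders); FIXED_FRAGMENT uses #{} only.
BROKEN_FRAGMENT = ("insert into mmall_product(id, name, subtitle) "
                   "values (#{productId}, #{productName}, ${subtitle})")
FIXED_FRAGMENT = ("insert into mmall_product(id, name, subtitle) "
                  "values (#{productId}, #{productName}, #{subtitle})")

PLACEHOLDER = re.compile(r"([#$])\{(\w+)\}")


def render(fragment, params):
    """Model the two MyBatis placeholder kinds.

    #{x} becomes a JDBC '?' and the value is bound separately; ${x} is
    pasted into the SQL text before the statement is prepared.
    Returns (sql_text, bound_values).
    """
    bound = []

    def substitute(match):
        kind, name = match.group(1), match.group(2)
        if kind == "#":
            bound.append(params[name])
            return "?"
        return str(params[name])  # ${}: raw text substitution, no quoting

    return PLACEHOLDER.sub(substitute, fragment), tuple(bound)


def run_insert(fragment, params):
    """Prepare and execute the rendered statement against in-memory SQLite.

    SQLite rejects the same malformed text that Druid's parser rejected in
    the post. Returns ("ok", rows) or ("error", message).
    """
    sql, bound = render(fragment, params)
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(SCHEMA)
        conn.execute(sql, bound)
        rows = conn.execute("select id, name, subtitle from mmall_product").fetchall()
        return "ok", rows
    except sqlite3.Error as exc:
        return "error", f"{sql} -> {exc}"
    finally:
        conn.close()


# Constructed parameters matching the values visible in the post's trace.
PARAMS = {"productId": 1, "productName": "phone", "subtitle": "hello phone"}

if __name__ == "__main__":
    for label, fragment in (("${}", BROKEN_FRAGMENT), ("#{}", FIXED_FRAGMENT)):
        print(label, render(fragment, PARAMS))
        print(label, run_insert(fragment, PARAMS))
```

The point to take away is the last assertion in the usage: with `#{}` the rendered statement text is the same for every parameter value, so the value can never alter what the database parses. That is the property the wall filter enforces after the fact, and the property the mapper should guarantee up front.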

Fix: change the `${}` in the statement to `#{}`. The final SQL statement:

```xml
<insert id="insertProduct" parameterType="com.isoftstone.product.entity.ProductBean">
    insert into mmall_product(<include refid="baseInsertSql"/>)
    values (#{productId}, #{categoryId}, #{productName}, #{subtitle},
            #{mainImage}, #{subImages}, #{detail}, #{productPrice},
            #{stock}, #{status},
            <choose><when test="createTime != null">#{createTime},</when><otherwise>now(),</otherwise></choose>
            <choose><when test="updateTime != null">#{updateTime}</when><otherwise>now()</otherwise></choose>)
</insert>
```
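A slip like this is easy to catch before it reaches a test run. The following added example (not part of the original post or the project's code) is a small lint that parses a mapper file and reports every `${...}` placeholder together with the id of the statement it sits in, including placeholders hidden inside `<choose>`/`<when>` branches. The two mapper strings are constructed samples: the statement id, `parameterType` and the `${subtitle}` slip come from the post, while the namespace and the shortened column and value lists are assumptions.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed mapper samples (namespace and shortened lists are assumptions).
BROKEN_MAPPER = """<mapper namespace="com.isoftstone.product.mapper.ProductMapper">
  <sql id="baseInsertSql">id, category_id, name, subtitle, create_time</sql>
  <insert id="insertProduct" parameterType="com.isoftstone.product.entity.ProductBean">
    insert into mmall_product(<include refid="baseInsertSql"/>)
    values (#{productId}, #{categoryId}, #{productName}, ${subtitle},
      <choose><when test="createTime != null">#{createTime}</when><otherwise>now()</otherwise></choose>)
  </insert>
</mapper>"""
FIXED_MAPPER = BROKEN_MAPPER.replace("${subtitle}", "#{subtitle}")

DOLLAR = re.compile(r"\$\{\s*(\w+)\s*\}")
STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}


def find_dollar_placeholders(mapper_xml, allow=frozenset()):
    """Return [(statement_id, property)] for every ${property} in the mapper.

    Text inside nested dynamic tags (<choose>, <when>, <if>, ...) is included
    via itertext(), so a ${} hidden in a branch is still reported. Names in
    `allow` (values an allow-list already constrains, e.g. a sort column
    chosen from a fixed set) are skipped.
    """
    root = ET.fromstring(mapper_xml)
    hits = []
    for element in root.iter():
        if element.tag not in STATEMENT_TAGS:
            continue
        text = "".join(element.itertext())
        for name in DOLLAR.findall(text):
            if name not in allow:
                hits.append((element.get("id"), name))
    return hits


def lint_files(paths):
    """Lint mapper files on disk; returns {path: hits} for files with hits."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            hits = find_dollar_placeholders(fh.read())
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in lint_files(sys.argv[1:]).items():
            for statement_id, name in hits:
                print(f"{path}: statement '{statement_id}' uses ${{{name}}}")
    else:
        print("broken:", find_dollar_placeholders(BROKEN_MAPPER))
        print("fixed: ", find_dollar_placeholders(FIXED_MAPPER))
```

Run it with the mapper XML paths as arguments (for example in a pre-commit hook or CI step) and treat any output as a review item. `${}` does have legitimate uses, such as a column name picked from a fixed set, and the `allow` parameter exists for exactly those cases; everything else should be `#{}`.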
