javax.persistence.EntityManager SQL INJECTION

Time:11-18

In the method shown below, I receive data from procedures in an Oracle database according to pin code or voen.

@Override
public List<BaseClass> getCustomerInfo(String pinCode, String voen) throws SQLException, JsonProcessingException {
    List<BaseClass> customerInfos = new ArrayList<>();
    // pinCode and voen are concatenated straight into the SQL text of the native query
    Query q = em.createNativeQuery("select CUST_INFO_COURT.GET_CUSTOMER_INFO('" + pinCode + "','" + voen + "') from dual");
    List<?> objectArray = q.getResultList();
    for (Object object : objectArray) {
        if (object != null) {
            // the function returns its JSON result as a CLOB
            Clob clob = (Clob) object;
            String arrayJsonData = clob.getSubString(1, (int) clob.length());

            final ObjectMapper objectMapper = new ObjectMapper();

            CustomerInfo[] langs = objectMapper.readValue(arrayJsonData, CustomerInfo[].class);
            List<CustomerInfo> langList = new ArrayList<>(Arrays.asList(langs));

            for (CustomerInfo customerInfo : langList) {
                customerInfos.add(customerInfo);
            }
            return customerInfos;
        }
    }
    return new ArrayList<>();
}

But there is a problem: I can receive data according to the pin code, but when I search by voen, I cannot get the values. When I search according to the pin code, my query works like this.

Hibernate: 
    select
        CUST_INFO_COURT.GET_CUSTOMER_INFO('',
        'null') 
    from
        dual

and data in the output like this:

[
  {
    "full_name": "",
    "doc_sr": "",
    "doc_id": "",
    "customer_id": ,
    "pin_code": "",
    "voen": "",
    "position": null
  }
]

When I search according to voen, it does the same thing.

Hibernate: 
    select
        CUST_INFO_COURT.GET_CUSTOMER_INFO('null',
        '') 
    from
        dual

and data in the output like this:

[]

There is a problem that I think is SQL INJECTION. I'm considering sending the parameters using the setParameter() method instead, but I don't know how to apply that to this code.

CodePudding user response:

You can use parameters like this:

Query q = em.createNativeQuery(
        "select CUST_INFO_COURT.GET_CUSTOMER_INFO(?,?) from dual");
q.setParameter(1, pinCode);
q.setParameter(2, voen);
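Applying the answer's parameter binding to the whole method from the question, as an added example that is neither the asker's nor the answerer's code; it assumes the same em field, the CUST_INFO_COURT.GET_CUSTOMER_INFO function returning a JSON CLOB, and the CustomerInfo class:

```java
import java.sql.Clob;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.persistence.EntityManager;
import javax.persistence.Query;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Assumed wrapper around the EntityManager from the question.
public class CustomerInfoDao {
    private final EntityManager em;

    public CustomerInfoDao(EntityManager em) {
        this.em = em;
    }

    public List<CustomerInfo> getCustomerInfo(String pinCode, String voen)
            throws SQLException, JsonProcessingException {
        // Ordinal placeholders: the driver binds the values, so they are never
        // part of the SQL text and a quote inside pinCode cannot change the statement.
        Query q = em.createNativeQuery(
                "select CUST_INFO_COURT.GET_CUSTOMER_INFO(?1, ?2) from dual");
        // A null Java reference is bound as SQL NULL; string concatenation
        // would instead have produced the four-character literal 'null'.
        q.setParameter(1, pinCode);
        q.setParameter(2, voen);

        // "from dual" yields exactly one row; the function result itself may be NULL.
        Object result = q.getSingleResult();
        if (result == null) {
            return new ArrayList<>();
        }

        // The function returns its JSON array as a CLOB, as in the question.
        Clob clob = (Clob) result;
        String json = clob.getSubString(1, (int) clob.length());
        CustomerInfo[] infos = new ObjectMapper().readValue(json, CustomerInfo[].class);
        return new ArrayList<>(Arrays.asList(infos));
    }
}
```

Note that the Hibernate log in the question shows the literal string 'null' for the unused argument, which is what concatenating a null String produces; with binding, that argument reaches the PL/SQL function as SQL NULL, so the function must treat NULL as "not searched" for the voen lookup to return rows.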