HP Fortify在我的完美Java PrepareStatement代码上标记了SQL注入(请参见下文)。经过研究,我仍然无法弄清楚。请帮忙!
public class Temp {
private Connection dbConnection;
private final String SELECT_ROW_FROM_TEST_TABLE_SQL = "select * from TEST_TABLE where advertisementID = ? and itemID = ?;";
public Temp(Connection dbConnection) {
this.dbConnection = dbConnection;
}
public boolean checkIfRowExists(String advID, String itemID, String HQ_ID) throws Exception {
boolean exists = false;
try ( PreparedStatement statement = dbConnection.prepareStatement(SELECT_ROW_FROM_TEST_TABLE_SQL)) {
statement.setString(1, advID);
statement.setString(2, itemID);
try (ResultSet resultSet = statement.executeQuery()) {
if (resultSet.next()) {
exists = true;
}
}
} catch (SQLException e) {
throw new Exception(String.format("Error executing sql statement: %s", SELECT_ROW_FROM_TEST_TABLE_SQL), e);
}
}
}
我在此代码中也看不到任何SQL注入。如果您有可重现的测试用例,我将在Fortify上记录下来。
关于此的其他一些无关的注释(我意识到这并不意味着要成为生产代码):