While using the Druid connection pool component, the following exception occurred when executing SQL:
Caused by: java.sql.SQLException: sql injection violation, part alway true condition not allow : select t.id,t.name ,from sys_testt where (t.tid = 'sys' or ''='sys') and (t.tname like '%%' or ''='')
    at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:714)
    at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:240)
    at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:448)
    at com.alibaba.druid.filter.FilterAdapter.connection_prepareStatement(FilterAdapter.java:928)
    at com.alibaba.druid.filter.FilterEventAdapter.connection_prepareStatement(FilterEventAdapter.java:122)
    at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:448)
    at com.alibaba.druid.proxy.jdbc.ConnectionProxyImpl.prepareStatement(ConnectionProxyImpl.java:342)
    at com.alibaba.druid.pool.DruidPooledConnection.prepareStatement(DruidPooledConnection.java:318)
    at sun.reflect.GeneratedMethodAccessor26.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.jfinal.plugin.activerecord.SqlReporter.invoke(SqlReporter.java:72)
    at $Proxy5.prepareStatement(Unknown Source)
    at com.jfinal.plugin.activerecord.DbPro.find(DbPro.java:334)
    at com.jfinal.plugin.activerecord.DbPro.find(DbPro.java:349)
    ... 43 more
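Solution:
The filters parameter: its type is a string, and it configures extension plugins by alias. Commonly used plugins are:
filter for monitoring and statistics: stat; filter for logging: log4j; filter for defending against SQL injection: wall.
Remove wall from the filters configuration. Doing so turns off Druid's SQL injection check (WallFilter) for that data source.
Detailed Druid parameter configuration: https://github.com/alibaba/druid/wiki/DruidDataSource%E9%85%8D%E7%BD%AE%E5%B1%9E%E6%80%A7%E5%88%97%E8%A1%A8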
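An alternative that keeps wall enabled, as an added example that is not part of the original post: the rejected statement carries the constant comparisons ''='sys' and ''='', the shape produced when optional filters are concatenated into the SQL text (an assumption; the post does not show the calling code). The class below adds a condition only when a value is supplied and binds it with ?, so the statement contains no constant comparison; the class and method names, and the table sys_test with alias t, are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the original post.
// Builds the WHERE clause from the filters that were actually supplied and
// binds every value with '?', instead of emitting (col = 'v' or '' = 'v').
public class OptionalFilterQuery {
    // Table name and alias are assumed from the statement in the stack trace.
    final StringBuilder sql = new StringBuilder("select t.id, t.name from sys_test t");
    final List<Object> params = new ArrayList<Object>();

    // Append "column = ?" only when a value was supplied.
    // Column names are constants written by the developer, never user input.
    OptionalFilterQuery eq(String column, String value) {
        if (value != null && !value.isEmpty()) {
            add(column + " = ?", value);
        }
        return this;
    }

    // Append "column like ?" only when a search term was supplied.
    OptionalFilterQuery contains(String column, String term) {
        if (term != null && !term.isEmpty()) {
            add(column + " like ?", "%" + term + "%");
        }
        return this;
    }

    // First condition starts the WHERE clause, later ones are joined with AND.
    private void add(String condition, Object value) {
        sql.append(params.isEmpty() ? " where " : " and ").append(condition);
        params.add(value);
    }

    public static void main(String[] args) {
        // Constructed inputs: tid is supplied, tname is left empty by the caller.
        OptionalFilterQuery q = new OptionalFilterQuery()
                .eq("t.tid", "sys")
                .contains("t.tname", "");
        System.out.println(q.sql);
        System.out.println(q.params);
        // With JFinal (the caller in the stack trace) the pair would be passed as
        // Db.find(q.sql.toString(), q.params.toArray());
    }
}
```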