當我們在項目中使用了druid連接配接池進行資料源的管理,并且配置了如下監控
spring.datasource.filters: stat,wall,log4j
在執行程式拼接的SQL時,xml中使用的是${sql}進行執行的,這種方式會報如下錯誤:
2018-07-08 15:09:04.826 [http-nio-7073-exec-1] ERROR o.a.c.c.C.[.[localhost].[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.jdbc.UncategorizedSQLException:
### Error updating database. Cause: java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.ast.statement.SQLCommentStatement not allow : COMMENT ON TABLE RULE_EXECUTE_PLAN IS '規則執行'
### SQL: COMMENT ON TABLE RULE_EXECUTE_PLAN IS '規則執行'
### Cause: java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.ast.statement.SQLCommentStatement not allow : COMMENT ON TABLE RULE_EXECUTE_PLAN IS '規則執行'
; uncategorized SQLException for SQL []; SQL state [null]; error code [0]; sql injection violation, class com.alibaba.druid.sql.ast.statement.SQLCommentStatement not allow : COMMENT ON TABLE RULE_EXECUTE_PLAN IS '規則執行'; nested exception is java.sql.SQLException: sql injection violation, class com.alibaba.druid.sql.ast.statement.SQLCommentStatement not allow : COMMENT ON TABLE RULE_EXECUTE_PLAN_201808 IS '規則執行計劃'] with root cause
這個錯誤告訴你,這種方式會造成SQL注入,當你又不得不用這種方式時,最簡單粗暴的方式就是将配置的wall去掉。