web-dev-qa-db-ja.com

Error: org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar, Java Spring MVC

I am trying to build a web application with Java Spring MVC. The application mainly performs CRUD operations (create, read, update, delete).

Recently I got this error:

HTTP Status 500 - Request processing failed; nested exception is org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select * from assignment where username=reza]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'reza' in 'where clause'

This is my DAO file:

    @Override
    public List<Assignment> showAllAssignment(String username) {
        String sql = "select * from assignment where username=" + username;
        return jdbcTemplate.query(sql, new AssignmentMapper());
    }

This is my controller:

    @RequestMapping(value = "/showAllAssignment/{reqUserName}/show", method = RequestMethod.GET)
    public ModelAndView showAllAssignment(@PathVariable("reqUserName") String reqUserName) {
        List<Assignment> list = assignmentService.showAllAssignment(reqUserName);
        ModelAndView mav = new ModelAndView("show_All_Assignments");
        mav.addObject("assignment", list);
        return mav;
    }

Further errors I got:

2018-05-03 01:55:08,232 [org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver]-[DEBUG] Resolving exception from handler [public org.springframework.web.servlet.ModelAndView org.assignment.controller.AssignmentController.showAllAssignment(java.lang.String)]: org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select * from assignment where username=reza]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'reza' in 'where clause'
2018-05-03 01:55:08,234 [org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver]-[DEBUG] Resolving exception from handler [public org.springframework.web.servlet.ModelAndView org.assignment.controller.AssignmentController.showAllAssignment(java.lang.String)]: org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select * from assignment where username=reza]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'reza' in 'where clause'
2018-05-03 01:55:08,234 [org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver]-[DEBUG] Resolving exception from handler [public org.springframework.web.servlet.ModelAndView org.assignment.controller.AssignmentController.showAllAssignment(java.lang.String)]: org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select * from assignment where username=reza]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'reza' in 'where clause'
2018-05-03 01:55:08,235 [org.springframework.web.servlet.DispatcherServlet]-[DEBUG] Could not complete request
org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select * from assignment where username=reza]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'reza' in 'where clause'
    at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:235)
    at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:72)
    at org.springframework.jdbc.core.JdbcTemplate.translateException(JdbcTemplate.java:1402)
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:388)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:446)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:456)
    at org.assignment.dao.AssignmentDaoImpl.showAllAssignment(AssignmentDaoImpl.java:67)
    at org.assignment.service.AssignmentServiceImpl.showAllAssignment(AssignmentServiceImpl.java:39)
    at org.assignment.controller.AssignmentController.showAllAssignment(AssignmentController.java:193)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:209)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:870)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:776)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:870)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:855)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'reza' in 'where clause'
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:389)
    at com.mysql.jdbc.Util.getInstance(Util.java:372)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:980)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3835)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3771)
    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435)
    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582)
    at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2531)
    at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2489)
    at com.mysql.jdbc.StatementImpl.executeQuery(StatementImpl.java:1446)
    at org.springframework.jdbc.core.JdbcTemplate$1QueryStatementCallback.doInStatement(JdbcTemplate.java:433)
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:376)
    ... 42 more

The problem is that I want to select the rows of the assignment table for a given username.

For example, String username1 = 'reza'; but when I try to show all the data with the syntax above, select * .... where username="+username1; the system ends up reading 'reza' as a column name rather than as a column value.

Can anyone help me solve this problem?

5
Agnes Palit

As the error suggests, the SQL query you specified was not valid SQL:

String sql = "select * from assignment where username='"+username+"';";

instead of String sql = "select * from assignment where username="+username;

3
Gewure

I had the same problem, and solved it by commenting out and then uncommenting one of the dependencies in the gradle file so that it worked correctly.

1

You should use a query parameter for the username; it will quote and SQL-escape it correctly. If the username comes from an external source that you do not fully control (the UI, for example), concatenation can be an SQL injection entry point, and it will fail the first time a username contains a single quote if the caller does not escape it correctly.

0
p3consulting
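The three query forms discussed on this page side by side, as an added example that is not code from the question or from any of the answers: the question's bare concatenation (which produces the "Unknown column" error in the trace), the first answer's quoted concatenation, and the bind parameter the last answer recommends. It is written against Spring's JdbcTemplate, the same API the question uses, but assumes an H2 in-memory database instead of MySQL so that it runs with nothing more than spring-jdbc and the H2 driver on the classpath; the column set (username, title), the Assignment class in place of the question's Assignment/AssignmentMapper pair, and the three input strings are constructed here for the demo.

```java
import java.util.List;
import java.util.function.Supplier;

import javax.sql.DataSource;

import org.springframework.dao.DataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

// Added example, not code from the question or any of the answers.
// Assumed: spring-jdbc and the H2 driver on the classpath. The columns
// (username, title) and this Assignment class are invented so the demo is
// self-contained; pointed at the question's MySQL DataSource, the three
// query methods behave the same way.
public class AssignmentQueryDemo {

    static final class Assignment {
        final String username;
        final String title;

        Assignment(String username, String title) {
            this.username = username;
            this.title = title;
        }

        @Override
        public String toString() {
            return username + ":" + title;
        }
    }

    // Stand-in for the question's AssignmentMapper.
    static final RowMapper<Assignment> MAPPER =
            (rs, rowNum) -> new Assignment(rs.getString("username"), rs.getString("title"));

    private final JdbcTemplate jdbcTemplate;

    AssignmentQueryDemo(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // 1. The question's DAO as posted: the value lands in the SQL text as an
    //    identifier, so the database looks for a column named after the user.
    List<Assignment> bareConcat(String username) {
        String sql = "select * from assignment where username=" + username;
        return jdbcTemplate.query(sql, MAPPER);
    }

    // 2. The first answer's version: it parses for plain names, but the value
    //    is still SQL text. A quote in the input breaks the statement, and a
    //    crafted input rewrites the WHERE clause (SQL injection).
    List<Assignment> quotedConcat(String username) {
        String sql = "select * from assignment where username='" + username + "'";
        return jdbcTemplate.query(sql, MAPPER);
    }

    // 3. The last answer's recommendation: a bind parameter. The driver sends
    //    the value separately from the statement, so it is compared as data
    //    and is never parsed as SQL, whatever characters it contains.
    List<Assignment> parameterized(String username) {
        String sql = "select * from assignment where username = ?";
        return jdbcTemplate.query(sql, MAPPER, username);
    }

    private static void run(String label, Supplier<List<Assignment>> query) {
        try {
            System.out.println("  " + label + " -> " + query.get());
        } catch (DataAccessException e) {
            // JdbcTemplate translates the driver's SQLException; for a missing
            // column or broken syntax that is BadSqlGrammarException, as in the
            // question's trace.
            System.out.println("  " + label + " -> " + e.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        DataSource ds = new DriverManagerDataSource("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", "sa", "");
        JdbcTemplate jt = new JdbcTemplate(ds);
        jt.execute("create table assignment (username varchar(64), title varchar(64))");
        jt.update("insert into assignment (username, title) values (?, ?)", "reza", "homework 1");
        jt.update("insert into assignment (username, title) values (?, ?)", "alice", "homework 2");
        AssignmentQueryDemo dao = new AssignmentQueryDemo(jt);

        // Constructed inputs: the question's value, a legitimate name containing
        // a quote, and a classic injection payload. Only the parameterized
        // method returns exactly the rows whose username equals the input.
        String[] inputs = { "reza", "o'brien", "x' or '1'='1" };
        for (String input : inputs) {
            System.out.println("input: " + input);
            run("bareConcat   ", () -> dao.bareConcat(input));
            run("quotedConcat ", () -> dao.quotedConcat(input));
            run("parameterized", () -> dao.parameterized(input));
        }
    }
}
```

Run it with spring-jdbc and h2 on the classpath. In the question's application the value arrives through the @PathVariable in the controller, so anyone who can type a URL controls it; the `?` placeholder form (or NamedParameterJdbcTemplate with `:username`) is the only one of the three that keeps that input out of the SQL text.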