OrderBy is SQL Injection safe?


张立鑫

Nov 5, 2015, 9:16:50 PM
to Ebean ORM
I need to append an orderBy from an HTTP URI query parameter, but query.orderBy() seems to be SQL-injection unsafe?

Daryl Stultz

Nov 5, 2015, 9:22:32 PM
to eb...@googlegroups.com
On Thu, Nov 5, 2015 at 9:16 PM, 张立鑫 <intellige...@gmail.com> wrote:
I need to append an orderBy from an HTTP URI query parameter, but query.orderBy() seems to be SQL-injection unsafe?

Can you give an example? The strings that go in the orderBy() are path names of the object graph. You don't put "values" in there. So you might query.orderBy("customer.age") but you would not query.orderBy(ageParam) where ageParam = 7 or something.

/Daryl

张立鑫

Nov 6, 2015, 5:47:47 AM
to Ebean ORM

The orderBy parser only permits a single whitespace, so this is safe.


On Friday, November 6, 2015 at 10:22:32 AM UTC+8, Daryl Stultz wrote:

张立鑫

Nov 6, 2015, 7:43:06 AM
to Ebean ORM

e.g.: id/*s*/desc,(select/*1*/count(*)/*1*/from/*1*/ticket)


On Friday, November 6, 2015 at 10:22:32 AM UTC+8, Daryl Stultz wrote:

Daryl Stultz

Nov 6, 2015, 7:48:29 AM
to eb...@googlegroups.com


On Fri, Nov 6, 2015 at 7:43 AM, 张立鑫 <intellige...@gmail.com> wrote:

e.g.: id/*s*/desc,(select/*1*/count(*)/*1*/from/*1*/ticket)

I'm afraid I still don't understand. I'm looking for an example of Java code possibly including entity classes.

You might be able to answer your own question by trying to put something "dangerous" in the orderBy and see what happens. One single-quote would be a good choice.

/Daryl


张立鑫

Nov 6, 2015, 8:01:02 AM
to Ebean ORM

query.orderBy().add(new Property("id/*s*/desc,(select/*1*/count(*)/*1*/from/*1*/ticket)", true));


On Friday, November 6, 2015 at 8:48:29 PM UTC+8, Daryl Stultz wrote:

Daryl Stultz

Nov 6, 2015, 8:04:26 AM
to eb...@googlegroups.com
On Fri, Nov 6, 2015 at 8:01 AM, 张立鑫 <intellige...@gmail.com> wrote:

query.orderBy().add(new Property("id/*s*/desc,(select/*1*/count(*)/*1*/from/*1*/ticket)", true));

I have never seen anything like that. Does it work?

/Daryl

张立鑫

Nov 6, 2015, 8:13:43 AM
to Ebean ORM

query.orderBy("id/*s*/desc,(select/*1*/count(*)/*1*/from/*1*/ticket)")
query.orderBy().desc("(select/*1*/count(*)/*1*/from/*1*/ticket),id") // not tested by me

Yes, MySQL translates comments (/**/) to whitespace, so the SQL is: select * from ticket order by id desc, (select count(*) from ticket)

On Friday, November 6, 2015 at 9:04:26 PM UTC+8, Daryl Stultz wrote:
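The bypass above works because a check that only refuses raw whitespace says nothing about comment tokens, parentheses or subqueries, and the raw parameter is still concatenated into the ORDER BY clause. The safe pattern is to stop treating the request parameter as an order-by string at all: tokenize it, match each term against an allow-list of sortable property paths, and rebuild the clause from the validated terms. The following is an added example in Python (standing in for the Java/Ebean code; it is not the project's own code and does not touch the Ebean parser). The `naive_is_safe` function is a reconstruction of the whitespace-only check as described in the thread, the payload is the one posted above, and `ALLOWED_PROPERTIES` is a hypothetical allow-list for the `ticket` entity mentioned in the thread.

```python
import re

# Constructed payload: the one posted in the thread, where /* */ comments
# stand in for the whitespace that a naive check would reject.
INJECTED_ORDER_BY = "id/*s*/desc,(select/*1*/count(*)/*1*/from/*1*/ticket)"

# Hypothetical allow-list of sortable property paths for the "ticket" entity;
# a real application derives this from its entity model, not from the client.
ALLOWED_PROPERTIES = {"id", "createdAt", "customer.age"}

# One order-by term: a dotted property path, optionally followed by asc/desc.
# Anything else (comments, parentheses, quotes, operators) fails to match.
_TERM = re.compile(
    r"^([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)(?:\s+(asc|desc))?$",
    re.IGNORECASE,
)


def naive_is_safe(order_by: str) -> bool:
    """Reconstruction of the whitespace-only check discussed in the thread.
    It accepts the injected payload because MySQL treats /* ... */ as whitespace."""
    return " " not in order_by


def parse_order_by(user_input: str, allowed=ALLOWED_PROPERTIES, max_terms=3):
    """Parse 'prop [asc|desc], prop [asc|desc]' taken from an HTTP parameter.

    Returns a list of (property, direction) tuples or raises ValueError.
    Only property paths present in `allowed` survive, so the result can be
    handed to query.orderBy() without any further escaping.
    """
    terms = []
    for raw in user_input.split(","):
        match = _TERM.match(raw.strip())
        if match is None:
            raise ValueError(f"malformed order-by term: {raw!r}")
        prop, direction = match.group(1), (match.group(2) or "asc").lower()
        if prop not in allowed:
            raise ValueError(f"property is not sortable: {prop!r}")
        terms.append((prop, direction))
    if len(terms) > max_terms:
        raise ValueError(f"too many order-by terms: {len(terms)}")
    return terms


def is_safe_order_by(user_input: str) -> bool:
    """Boolean view of parse_order_by for callers that only need accept/reject."""
    try:
        parse_order_by(user_input)
    except ValueError:
        return False
    return True


def build_order_by(terms) -> str:
    """Rebuild the clause from validated terms, never from the raw input."""
    return ", ".join(f"{prop} {direction}" for prop, direction in terms)


if __name__ == "__main__":
    print(naive_is_safe(INJECTED_ORDER_BY))      # True: the weak check lets it through
    print(is_safe_order_by(INJECTED_ORDER_BY))   # False: the allow-list rejects it
    print(build_order_by(parse_order_by("id desc, customer.age")))  # id desc, customer.age asc
```

In the Ebean code the string returned by `build_order_by` (or the individual terms, via `asc`/`desc` calls) is what reaches `query.orderBy()`; the raw parameter never does. Note that the `query.orderBy().desc(...)` form in the post above gives no extra protection on its own, since it still takes whatever string it is handed.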

张立鑫

Nov 6, 2015, 8:26:10 AM
to Ebean ORM


I created an issue on GitHub, and plan to fix this.


On Friday, November 6, 2015 at 9:13:43 PM UTC+8, 张立鑫 wrote: