Wednesday 31 December 2014

SQL injection using the value of a parameter as its name






Can I be the victim of an SQL injection attack if I use the value of a parameter as its name?



// Build the WHERE clause: each selected tag is used as the NAME of a named parameter,
// so the tag text itself is concatenated into the SQL string
// (note: consecutive iterations are not joined with "or", so two tags produce invalid SQL)
for(String tag : choixalerte.selectedNomExestingtags)
    where += " ach.NOM_ACHTEUR LIKE :"+tag+" or ao.OBJET LIKE :"+tag+" or lot.INTITULE LIKE :"+tag;

...

Query native_query = entityManager.createNativeQuery(...);

// Bind each parameter under the same name: the tag value is both the parameter name and the LIKE pattern
if( choixalerte.selectedNomExestingtags != null )
    for(String tag : choixalerte.selectedNomExestingtags)
        native_query.setParameter(tag, "%"+tag+"%");


asked 1 min ago
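The pattern from the question, reproduced as an added example (this is not code from the post or from JPA) against an in-memory SQLite database using Python's sqlite3 named parameters, which use the same `:name` syntax as the native query above. It shows why the answer is yes: the tag value is spliced into the SQL text as a parameter name, so a tag that begins with a legitimate tag name followed by `OR 1=1 --` keeps the binder happy and rewrites the WHERE clause. The hardened builder generates its own parameter names (`tag0`, `tag1`, ...) so caller input only ever travels as a bound value. The single `marche` table, its rows and the column names are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the ach / ao / lot tables of the
# question, flattened into one table so the example runs offline.
ROWS = [
    ("ACME", "road works", "lot A"),
    ("Globex", "IT services", "lot B"),
    ("Initech", "cleaning", "lot C"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE marche (NOM_ACHTEUR TEXT, OBJET TEXT, INTITULE TEXT)")
    conn.executemany("INSERT INTO marche VALUES (?, ?, ?)", ROWS)
    return conn


def build_where_unsafe(tags):
    """The question's pattern: each tag VALUE is used as the parameter NAME, so
    it is concatenated into the SQL text. (An OR is added between iterations,
    which the posted loop omits, so that the statement parses at all.)"""
    clauses = [
        f"NOM_ACHTEUR LIKE :{tag} OR OBJET LIKE :{tag} OR INTITULE LIKE :{tag}"
        for tag in tags
    ]
    return " OR ".join(clauses)


def search_unsafe(tags):
    """Bind exactly as the question does: parameter name == tag, value == %tag%."""
    if not tags:
        return []
    sql = "SELECT NOM_ACHTEUR FROM marche WHERE " + build_where_unsafe(tags)
    params = {tag: f"%{tag}%" for tag in tags}
    with _connect() as conn:
        return sorted(row[0] for row in conn.execute(sql, params))


def build_where_safe(tags):
    """Hardened form: parameter names are generated by the code (tag0, tag1, ...),
    so the only thing a caller controls is a bound value, never SQL text."""
    clauses, params = [], {}
    for i, tag in enumerate(tags):
        name = f"tag{i}"
        params[name] = f"%{tag}%"
        clauses.append(
            f"(NOM_ACHTEUR LIKE :{name} OR OBJET LIKE :{name} OR INTITULE LIKE :{name})"
        )
    return " OR ".join(clauses), params


def search_safe(tags):
    if not tags:
        return []
    where, params = build_where_safe(tags)
    sql = "SELECT NOM_ACHTEUR FROM marche WHERE " + where
    with _connect() as conn:
        return sorted(row[0] for row in conn.execute(sql, params))


if __name__ == "__main__":
    benign = ["ACME"]
    # Crafted input: the first token matches a real tag, so the binder finds a
    # value for :ACME; the remainder ("OR 1=1 --") is live SQL, and the "--"
    # comments out everything after it on the line.
    crafted = ["ACME", "ACME OR 1=1 --"]
    print(search_unsafe(benign))    # ['ACME']
    print(search_unsafe(crafted))   # every buyer: the WHERE clause was rewritten
    print(search_safe(crafted))     # ['ACME']: the crafted tag is only a LIKE value
```

The same reasoning applies to the JPA native query: Hibernate reads parameter names out of the query string, so whatever characters follow the `:` are part of the SQL the database parses. A tag with a space, quote or comment marker is therefore not a "bad parameter name", it is query text. Generating the names yourself (or using positional `?1`, `?2` parameters) and binding the tag only as the value closes the hole; the original loop would also need an `or` between iterations to work for more than one tag.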







