我们正在使用 Scala Play,我试图确保所有 SQL 查询都使用 Anorm 的字符串插值。它适用于某些查询,但许多查询实际上并未在执行查询之前替换变量。
import anorm.SQL
import anorm.SqlStringInterpolation
object SecureFile
{
val table = "secure_file"
val pk = "secure_file_idx"
...
// This method works exactly as I would hope
def insert(secureFile: SecureFile): Option[Long] = {
DBExec { implicit connection =>
SQL"""
INSERT INTO secure_file (
subscriber_idx,
mime_type,
file_size_bytes,
portal_msg_idx
) VALUES (
${secureFile.subscriberIdx},
${secureFile.mimeType},
${secureFile.fileSizeBytes},
${secureFile.portalMsgIdx}
)
""" executeInsert()
}
}
def delete(secureFileIdx: Long): Int = {
DBExec { implicit connection =>
// Prints correct values
println(s"table: ${table} pk: ${pk} secureFileIdx: ${secureFileIdx} ")
// Does not work
SQL"""
DELETE FROM $table WHERE ${pk} = ${secureFileIdx}
""".executeUpdate()
// Works, but unsafe
val query = s"DELETE FROM ${table} WHERE ${pk} = ${secureFileIdx}"
SQL(query).executeUpdate()
}
}
....
}
在 PostgreSQL 日志中,很明显删除语句没有获取正确的值:
2015-01-09 17:23:03 MST ERROR: syntax error at or near "$1" at character 23
2015-01-09 17:23:03 MST STATEMENT: DELETE FROM $1 WHERE $2 = $3
2015-01-09 17:23:03 MST LOG: execute S_1: ROLLBACK
我尝试了多种不同的execute、executeUpdate 和executeQuery,但结果相似。目前,我们正在使用基本的字符串替换,但这当然很糟糕,因为它没有使用PreparedStatements。
对于坐在本页上挠头并想知道他们可能错过了什么的其他人......
SQL("select * from mytable where id = $id")
不等于
SQL"select * from mytable where id = $id"
前者不进行字符串插值,而后者则进行。
这在上述文档中很容易被忽视,因为提供的所有示例恰好都有一个(不相关的)右括号(就像这句话一样)
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)
