SQL injection violation, multi-statement not allow: final solution

Keywords: Programming Druid MySQL SQL SpringBoot

Solutions:

1. The code throws an error; the operation that triggers the exception is a batch update. The Druid-related bean definitions are as follows:

<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close">
    <property name="driverClassName" value="${db.driverClassName}"/>
    <property name="url" value="${db.url}"/>
    <property name="username" value="${db.username}"/>
    <property name="password" value="${db.passwrod}"/>
    <property name="initialSize" value="3"/>
    <property name="minIdle" value="3"/>
    <property name="maxActive" value="20"/>
    <property name="maxWait" value="60000"/>
    <property name="filters" value="stat,wall"/>
</bean>

<bean id="stat-filter" class="com.alibaba.druid.filter.stat.StatFilter">
    <property name="slowSqlMillis" value="30000"/>
    <property name="logSlowSql" value="true"/>
    <property name="mergeSql" value="true"/>
</bean>

<bean id="wall-filter" class="com.alibaba.druid.wall.WallFilter">
     <property name="dbType" value="mysql"/>
</bean>

2. Reading the first blog post: WallConfig was not defined and allowMultiQueries=true was missing, so I added both. (If you use Spring Boot, this alone should solve the problem; pure speculation.)

<bean id="wall-filter" class="com.alibaba.druid.wall.WallFilter">
    <property name="dbType" value="mysql"/>
    <property name="config" ref="wall-config"/>
</bean>

<bean id="wall-config" class="com.alibaba.druid.wall.WallConfig">
    <!-- batch sql -->
    <property name="multiStatementAllow" value="true"/>
</bean>

3. The error persisted. After reading N more blog posts, I found that the second and third posts, while different, have one thing in common: both set a property called proxyFilters. The second post in fact overrides Druid's original proxyFilters. On investigation, the filters named in the dataSource's filters property (stat,wall) are not the beans we defined ourselves; the framework generates default instances on its own. Those defaults are obtained through proxyFilters, so the multiStatementAllow we set has no effect whatsoever. Combining this with the third post, we inject our own stat and wall filters into proxyFilters.

<property name="filters" value="stat,wall"/>
<!-- druid -->
<bean id="stat-filter" class="com.alibaba.druid.filter.stat.StatFilter">
    <property name="slowSqlMillis" value="30000"/>
    <property name="logSlowSql" value="true"/>
    <property name="mergeSql" value="true"/>
</bean>

<bean id="wall-filter" class="com.alibaba.druid.wall.WallFilter">
    <property name="dbType" value="mysql"/>
    <property name="config" ref="wall-config"/>
</bean>

<bean id="wall-config" class="com.alibaba.druid.wall.WallConfig">
    <!-- batch sql -->
    <property name="multiStatementAllow" value="true"/>
</bean>

4. The final Druid-related configuration (proxyFilters must be declared before filters: if proxyFilters is not yet set when filters is initialized, Druid generates default filter instances on its own and our proxyFilters injection fails; see the second blog post):

<!-- druid -->
<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close">
   <property name="driverClassName" value="${db.driverClassName}"/>
   <property name="url" value="${db.url}"/>
   <property name="username" value="${db.username}"/>
   <property name="password" value="${db.passwrod}"/>
   <property name="initialSize" value="3"/>
   <property name="minIdle" value="3"/>
   <property name="maxActive" value="20"/>
   <property name="maxWait" value="60000"/>
   <property name="proxyFilters">
       <list>
           <ref bean="stat-filter"/>
           <ref bean="wall-filter"/>
       </list>
   </property>
   <property name="filters" value="stat,wall,slf4j"/>
</bean>

<bean id="stat-filter" class="com.alibaba.druid.filter.stat.StatFilter">
   <property name="slowSqlMillis" value="30000"/>
   <property name="logSlowSql" value="true"/>
   <property name="mergeSql" value="true"/>
</bean>

<bean id="wall-filter" class="com.alibaba.druid.wall.WallFilter">
   <property name="dbType" value="mysql"/>
   <property name="config" ref="wall-config"/>
</bean>

<bean id="wall-config" class="com.alibaba.druid.wall.WallConfig">
    <!-- batch sql -->
    <property name="multiStatementAllow" value="true"/>
</bean>

5. Finally, don't forget allowMultiQueries=true in the JDBC URL.
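As an added example (not code from this post), here is the same configuration done programmatically, the form a Spring Boot user would need, plus a dry run of the wall rules that lets you confirm what the WallConfig accepts before deploying it. The class name, method names and the sample batch SQL are mine; the Druid APIs used (DruidDataSource, WallFilter, WallConfig, MySqlWallProvider) are the real ones, and the stat filter properties from the XML are left out for brevity.

```java
import java.sql.SQLException;
import java.util.Arrays;
import com.alibaba.druid.filter.Filter;
import com.alibaba.druid.filter.stat.StatFilter;
import com.alibaba.druid.pool.DruidDataSource;
import com.alibaba.druid.wall.WallConfig;
import com.alibaba.druid.wall.WallFilter;
import com.alibaba.druid.wall.WallProvider;
import com.alibaba.druid.wall.spi.MySqlWallProvider;

public class DruidBatchUpdateConfig {
    /** WallConfig from step 4: multi-statement SQL permitted, every other wall rule left at its default. */
    public static WallConfig batchWallConfig() {
        WallConfig config = new WallConfig();
        config.setMultiStatementAllow(true); // loosen only this rule, only on the source that runs batch updates
        return config;
    }

    /** Programmatic equivalent of the final XML; proxyFilters is set before filters, as step 4 requires. */
    public static DruidDataSource buildDataSource(String driverClassName, String url,
                                                  String username, String password) throws SQLException {
        WallFilter wallFilter = new WallFilter();
        wallFilter.setDbType("mysql");
        wallFilter.setConfig(batchWallConfig());
        StatFilter statFilter = new StatFilter(); // slowSqlMillis/logSlowSql/mergeSql omitted here

        DruidDataSource ds = new DruidDataSource();
        ds.setDriverClassName(driverClassName);
        ds.setUrl(url); // step 5: the MySQL URL must carry allowMultiQueries=true
        ds.setUsername(username);
        ds.setPassword(password);
        // Our own instances go in first; the names given to setFilters then resolve to them
        // instead of to freshly generated defaults that would ignore our WallConfig.
        ds.setProxyFilters(Arrays.<Filter>asList(statFilter, wallFilter));
        ds.setFilters("stat,wall");
        return ds; // Spring's init-method="init" (or ds.init()) opens the pool
    }

    /** Dry-runs the wall rules without a database: true when the SQL text raises no violation. */
    public static boolean accepted(WallConfig config, String sql) {
        WallProvider provider = new MySqlWallProvider(config);
        return provider.check(sql).getViolations().isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of batch update that triggered the error in this post.
        String batch = "UPDATE t SET c = 1 WHERE id = 1; UPDATE t SET c = 2 WHERE id = 2";
        System.out.println("default config accepts batch: " + accepted(new WallConfig(), batch));
        System.out.println("step-4 config accepts batch:  " + accepted(batchWallConfig(), batch));
    }
}
```

Keep multiStatementAllow=true (and allowMultiQueries=true) confined to the data source that actually performs batch updates; the dry run is a cheap way to verify that a WallConfig change does only what you intend.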

Posted by pakmannen on Wed, 20 Nov 2019 06:28:59 -0800