A question about this SQL injection finding

The project's vulnerability scan flagged this line as an SQL injection risk. How should I change it?


import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Types;

    // driver, url, userName and passWord are fields of the enclosing class (SqlFileExecutor, per the finally block)
    public String executeProcedure(String processName, String batchId, String zipFileName) {
        // processName is concatenated straight into the call text; this is the line the scanner flagged
        String procedure = "{call " + processName + "(?,?,?,?)}";
        Connection conn = null;
        try {
            Class.forName(driver).newInstance();

            conn = DriverManager.getConnection(url, userName, passWord);
            String storedProc = procedure; // the SQL being called
            CallableStatement cs = conn.prepareCall(storedProc); // SQL injection risk
            cs.setString(1, batchId);
            cs.setString(2, zipFileName);
            // OUT parameters must be registered before execute(), otherwise getInt() below fails
            cs.registerOutParameter(3, Types.INTEGER);
            cs.registerOutParameter(4, Types.INTEGER);
            cs.execute();
            int insertCount = cs.getInt(3);
            int updateCount = cs.getInt(4);
            cs.close();
            String returnValue = insertCount + "," + updateCount;
            return returnValue; // the values of the output parameters

        } catch (Exception e) {
            e.printStackTrace();
            return "-1";
        } finally {
            if (conn != null) {
                try {
                    conn.close();
                } catch (SQLException sqlex) {
                    System.err.println(SqlFileExecutor.class.getName()
                            + ".mymethod - could not close the database connection: " + sqlex.toString());
                }
            }
        }
    }

prepareStatement

Don't assemble SQL by string concatenation:
String procedure = "{call " + processName + "(?,?,?,?)}";
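The two values that are already bound with `?` (batchId, zipFileName) are not the problem; the flagged part is `processName`, and a JDBC bind parameter can only carry a value, never an identifier such as a procedure name. The practical fix is therefore to stop accepting an arbitrary name at all and map the caller's request onto a fixed allowlist of procedures. The class below is an added example written for this thread, not the poster's code; the class name, the two procedure names and the `import`/`reindex` keys are assumptions.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Types;
import java.util.Map;
import java.util.regex.Pattern;

public class ProcedureRunner {
    // Allowlist (assumed names): the caller passes a key, and only the mapped identifier
    // ever reaches the SQL text, so caller-controlled input never enters the call string.
    private static final Map<String, String> ALLOWED_PROCEDURES = Map.of(
            "import",  "sp_import_batch",
            "reindex", "sp_reindex_batch");

    // Defence in depth: even a listed name must look like a plain SQL identifier,
    // which matters if the allowlist is later loaded from configuration instead of a constant.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    private final String url;
    private final String userName;
    private final String passWord;

    public ProcedureRunner(String url, String userName, String passWord) {
        this.url = url;
        this.userName = userName;
        this.passWord = passWord;
    }

    // Resolves the caller's request to a procedure name, rejecting anything not on the list.
    static String resolveProcedure(String processName) {
        String proc = ALLOWED_PROCEDURES.get(processName);
        if (proc == null || !IDENTIFIER.matcher(proc).matches()) {
            // Do not echo the untrusted value into the exception text
            throw new IllegalArgumentException("requested procedure is not allowed");
        }
        return proc;
    }

    public String executeProcedure(String processName, String batchId, String zipFileName)
            throws SQLException {
        // The only string that is concatenated is the allowlisted identifier, not user input
        String call = "{call " + resolveProcedure(processName) + "(?,?,?,?)}";
        // try-with-resources closes the statement and the connection even on failure
        try (Connection conn = DriverManager.getConnection(url, userName, passWord);
             CallableStatement cs = conn.prepareCall(call)) {
            cs.setString(1, batchId);        // data still travels through bind parameters
            cs.setString(2, zipFileName);
            cs.registerOutParameter(3, Types.INTEGER);
            cs.registerOutParameter(4, Types.INTEGER);
            cs.execute();
            return cs.getInt(3) + "," + cs.getInt(4);
        }
    }
}
```

Calling `executeProcedure("import", batchId, zipFileName)` sends `{call sp_import_batch(?,?,?,?)}` to the database; any other key, including something like `sp_import_batch(?,?,?,?)}; drop table ...`, is refused before a connection is even opened. With a JDBC 4 driver the `Class.forName(driver)` call from the original is not needed, since the driver registers itself from the classpath.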

What year is it? Why are you still using this?

Why not write the SQL in XML?
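Assuming "in XML" refers to a MyBatis mapper (an assumption, not something the reply states), the procedure call looks like the fragment below. This is an added example for the thread, not the project's mapper; the namespace, statement id and procedure name are assumptions. The point it shows is that the procedure name becomes a literal in the mapper, one statement per procedure, while the data still goes through `#{...}` bind parameters.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
        "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.BatchMapper">
  <!-- Constructed example. The procedure name is fixed in the XML; the IN values are bound,
       and the OUT values are written back into the parameter map after execution. -->
  <update id="importBatch" statementType="CALLABLE" parameterType="map">
    {call sp_import_batch(
        #{batchId,     mode=IN,  jdbcType=VARCHAR},
        #{zipFileName, mode=IN,  jdbcType=VARCHAR},
        #{insertCount, mode=OUT, jdbcType=INTEGER},
        #{updateCount, mode=OUT, jdbcType=INTEGER})}
  </update>
</mapper>
```

Moving the SQL into XML only helps if the procedure name stays a literal. Writing `{call ${processName}(...)}` in the mapper would reproduce the original problem exactly, because `${...}` is plain string substitution in MyBatis and `#{...}` is the only form that binds a parameter.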