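SQL injection issue in Online #3075
Comments
Logged, ty
A question: this injection merely makes the query condition ineffective so that all data can be queried. What else can it do?
Once the query condition is ineffective, there is unauthorized access, which creates a security risk! Also, jeecg uses the druid connection pool, and druid itself has some SQL injection controls, but SQL like this is still risky. Other cases have not turned up in testing so far!
Fixed. Online query conditions are no longer concatenated directly into the SQL statement; they now use prepared statements.
How should this vulnerability be fixed in 2.*.* versions?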
Version:
2.4.6
Problem description:
The Online form query is at risk of SQL injection
Screenshots & code:
Injected content
' or 0<>(select count(*) from demo) or name <> '
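
Added example (not part of the issue thread and not jeecg-boot code): the injected content from the report, run first against a query built by string concatenation and then against a prepared statement, which is the kind of fix the maintainers describe. It uses an in-memory SQLite table; the table layout, column names, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

# Injected content quoted in the issue report, supplied as a query-condition value.
PAYLOAD = "' or 0<>(select count(*) from demo) or name <> '"


def make_db():
    """Constructed sample data: an in-memory table named demo, as in the payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE demo (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO demo (name, owner) VALUES (?, ?)",
        [("alice-order", "alice"), ("bob-order", "bob"), ("carol-order", "carol")],
    )
    return conn


def query_concatenated(conn, name):
    """'Before' pattern: the condition value is spliced into the SQL text."""
    sql = "SELECT name FROM demo WHERE name = '" + name + "'"
    return sql, [row[0] for row in conn.execute(sql)]


def query_prepared(conn, name):
    """'After' pattern: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name FROM demo WHERE name = ?"
    return sql, [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    for fn in (query_concatenated, query_prepared):
        for value in ("bob-order", PAYLOAD):
            sql, rows = fn(conn, value)
            print(f"{fn.__name__}({value!r})\n  SQL:  {sql}\n  rows: {rows}")
```

With concatenation the payload rewrites the WHERE clause so every row matches; with binding the same string is compared literally against `name` and matches nothing.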