I am using Groovy SQL to run a query that appends some JSON to an array in a Postgres JSONB column. What is the correct way to use parameters in Groovy SQL?
When I run the code below I get a warning about SQL injection; the warning is the following.
In Groovy SQL please do not use quotes around dynamic expressions (which start with $) as this means we cannot use a JDBC PreparedStatement and so is a security hole. Groovy has worked around your mistake but the security hole is still there.
I also cannot save the JSON to my database if my JSON contains a ' character; I get the following error:
Sql failed to process query unterminated ' character
@Override
Operation save(Player player) {
    String json = objectMapper.writeValueAsString(player)
    Blocking.get {
        // GString interpolation: ${json} is spliced into the SQL text inside single quotes,
        // so Groovy SQL cannot bind it as a PreparedStatement parameter (hence the warning)
        sql.executeUpdate("""
            UPDATE site_content
            SET content = jsonb_set(content, '{playersContainer,players}'::text[], content->'playersContainer'->'players' || '${json}'::jsonb)
            where id = :id
        """, id: player.teamId)
    }.operation()
}
I changed the code to this:
@Override
Operation save(Player player) {
    String json = objectMapper.writeValueAsString(player)
    Blocking.get {
        // ':json' is inside quotes, so it is sent to Postgres as the literal string ":json"
        // instead of being treated as a named parameter
        sql.executeUpdate("""
            UPDATE site_content
            SET content = jsonb_set(content, '{playersContainer,players}'::text[], content->'playersContainer'->'players' || ':json'::jsonb)
            where id = :id
        """, json: json, id: player.teamId)
    }.operation()
}
But I get the error:
Detail: Expected JSON value, but found ":". Position: 167
What is the correct way to put dynamic parameters into my Groovy SQL query? Do I have to encode the JSON when I send it to the query? Is it not enough that I do JSON.stringify(json) before I send it from my React app?
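As an added example that is not part of the question (the code below is mine, not the poster's), here is the same UPDATE with the JSON bound as a JDBC parameter rather than spliced into the statement text. The connection URL, credentials, pgjdbc version and the row id 1 are assumptions; the table and column names are the ones from the question.

```groovy
// Added example (not from the question): the same UPDATE with the JSON bound as a
// JDBC parameter. Connection URL, credentials and row contents are assumptions.
@GrabConfig(systemClassLoader = true)
@Grab('org.postgresql:postgresql:42.7.3')
import groovy.sql.Sql
import groovy.json.JsonOutput

/**
 * Appends one JSON object to content->playersContainer->players of the given row.
 * The statement is a plain (single-quoted) Groovy string, so nothing is interpolated;
 * the JSON and the id are positional '?' parameters bound by the driver, so a quote
 * inside the JSON can never terminate the SQL string. CAST(? AS jsonb) is used instead
 * of ?::jsonb so the cast reads unambiguously next to a placeholder.
 * Returns the number of rows updated.
 */
int appendPlayer(Sql sql, long teamId, String playerJson) {
    sql.executeUpdate('''
        UPDATE site_content
        SET content = jsonb_set(content, '{playersContainer,players}'::text[],
                                content->'playersContainer'->'players' || CAST(? AS jsonb))
        WHERE id = ?
    ''', [playerJson, teamId])
}

/**
 * The same statement written as a GString. Groovy SQL rewrites every unquoted ${...}
 * into a '?' placeholder and binds the value, which is why the warning in the question
 * insists on no quotes around dynamic expressions.
 */
int appendPlayerGString(Sql sql, long teamId, String playerJson) {
    sql.executeUpdate("""
        UPDATE site_content
        SET content = jsonb_set(content, '{playersContainer,players}'::text[],
                                content->'playersContainer'->'players' || CAST(${playerJson} AS jsonb))
        WHERE id = ${teamId}
    """)
}

// Assumed connection details; replace with your own.
def sql = Sql.newInstance('jdbc:postgresql://localhost:5432/app', 'app', 'secret', 'org.postgresql.Driver')
try {
    // Constructed sample player whose name contains a single quote: this is the kind of
    // input that produced "unterminated ' character" when spliced into the SQL text.
    String json = JsonOutput.toJson([name: "Shaquille O'Neal", number: 34])
    println "rows updated: ${appendPlayer(sql, 1L, json)}"

    // Constructed sample with SQL syntax in a value: with parameter binding it is stored
    // verbatim inside the JSON array and never interpreted as part of the statement.
    json = JsonOutput.toJson([name: "x'); DROP TABLE site_content; --", number: 0])
    println "rows updated: ${appendPlayerGString(sql, 1L, json)}"
} finally {
    sql.close()
}
```

Run it with `groovy append_player.groovy` against a database that has a `site_content` row whose `content` already holds a `playersContainer.players` array. No extra encoding of the JSON is needed on either side: the string produced by `objectMapper.writeValueAsString` (or by `JSON.stringify` in the client) is handed to the driver as a parameter value, and the driver, not string concatenation, takes care of quoting.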