Prevent SQL injection for GetUserList.getUserList.

Yanbo Liang 2017-07-12 15:25:05 +08:00
parent 985b86e4d2
commit d1a7ff9be8


@ -231,7 +231,7 @@ public class GetUserList {
return userlist;
}
userquery = "select " + username + " from " + tablename;
userquery = "select ? from ?";
} catch (IllegalAccessException e) {
LOG.error("Error while accessing dataSource for JDBC Realm", e);
@ -241,6 +241,8 @@ public class GetUserList {
try {
Connection con = dataSource.getConnection();
ps = con.prepareStatement(userquery);
ps.setString(1, username);
ps.setString(2, tablename);
rs = ps.executeQuery();
while (rs.next()) {
userlist.add(rs.getString(1).trim());
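Review bot: The new query `select ? from ?` with `ps.setString(1, username)` and `ps.setString(2, tablename)` cannot work, because JDBC bind parameters stand in for values, not for identifiers such as column and table names. Most drivers reject a placeholder in the `from` position, and a bound column placeholder yields the literal string rather than the column's contents, so the user list would likely come back empty or wrong. The identifiers have to stay in the SQL text and be validated before concatenation, for example `if (!username.matches("[A-Za-z_][A-Za-z0-9_]*") || !tablename.matches("[A-Za-z_][A-Za-z0-9_]*")) { return userlist; }` ahead of `userquery = "select " + username + " from " + tablename;`. The pattern would need widening if schema-qualified table names are legitimate here. The enclosing method starts and ends outside the visible hunks, so whether `con`, `ps` and `rs` are closed cannot be confirmed from here.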