Sinanysl

Reputation: 9

Jira groovy script error

I'm getting records from a SQL table or function in Groovy. Example:

import groovy.sql.Sql

String subeKodu = get_sube_kodu_bul(matcher[0][1])

private String get_sube_kodu_bul(String subeAdi) {
   // Open a connection via the jTDS driver (host, database and credentials are placeholders)
   def sql = Sql.newInstance("jdbc:jtds:sqlserver://10.xx.xx.xx:1433/DBNAME", "usrname","pass", "net.sourceforge.jtds.jdbc.Driver")
   subeAdi = subeAdi.trim()
   // The value is interpolated inside quotes, which is what triggers the warning below
   def row = sql.firstRow("SELECT TOP 1 SUBE_KODU FROM TABLENAME WHERE SUBE_ADI= '${subeAdi}'")
   row != null ? (String)row.SUBE_KODU : ''
}

But I get the following error:

WARNING: In Groovy SQL please do not use quotes around dynamic expressions (which start with $) as this means we cannot use a JDBC PreparedStatement and so is a security hole. Groovy has worked around your mistake but the security hole is still there. The expression so far is: SELECT TOP 1 YETKILI FROM TABLENAME WHERE SUBE_ADI = '?'

Upvotes: 0

Views: 866

Answers (1)

Scott Dudley

Reputation: 3298

Groovy is complaining that your code may be vulnerable to a SQL injection attack.

The proper way to do this is with JDBC Prepared Statements. In Groovy, you do this as follows:

sql.firstRow("SELECT TOP 1 SUBE_KODU FROM TABLENAME WHERE SUBE_ADI= ?", [subeAdi])

For more examples of this, see the Groovy SQL tutorial and search for "prepared statements".

Also, don't forget to call close() when you are done.

Upvotes: 5
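To make the difference between the two query forms concrete, here is an added example that is not part of the question or the answer above. It transliterates the same lookup into Python with the standard-library sqlite3 module (no JDBC driver needed to run it offline): one function interpolates the branch name into the SQL text the way the question's '${subeAdi}' does, the other passes it as a bound parameter the way the answer's "?" placeholder plus [subeAdi] does, and the connection is always closed. The table name and column names mirror the page; the rows are constructed sample data, not the asker's schema.

```python
import sqlite3

# Constructed sample rows standing in for TABLENAME(SUBE_ADI, SUBE_KODU).
# The second name contains an apostrophe, a perfectly legitimate input
# that already breaks a string-built query.
SAMPLE_ROWS = [("Kadikoy", "034"), ("O'Brien Branch", "099")]


def open_db():
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TABLENAME (SUBE_ADI TEXT, SUBE_KODU TEXT)")
    conn.executemany("INSERT INTO TABLENAME VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def get_sube_kodu_interpolated(conn, sube_adi):
    """Equivalent of the question's form: the input becomes part of the SQL text."""
    sube_adi = sube_adi.strip()
    query = f"SELECT SUBE_KODU FROM TABLENAME WHERE SUBE_ADI = '{sube_adi}' LIMIT 1"
    row = conn.execute(query).fetchone()
    return row[0] if row else ""


def get_sube_kodu_prepared(conn, sube_adi):
    """Equivalent of the answer's form: placeholder in the SQL, value bound by the driver.

    Whatever characters the input contains, it is compared as data and never
    parsed as SQL, so there is nothing for Groovy SQL to warn about.
    """
    sube_adi = sube_adi.strip()
    row = conn.execute(
        "SELECT SUBE_KODU FROM TABLENAME WHERE SUBE_ADI = ? LIMIT 1", [sube_adi]
    ).fetchone()
    return row[0] if row else ""


def lookup(sube_adi):
    """Open, query with the prepared form, and always close (the answer's close() reminder)."""
    conn = open_db()
    try:
        return get_sube_kodu_prepared(conn, sube_adi)
    finally:
        conn.close()


def interpolation_fails(sube_adi):
    """Return True if the string-built query cannot even be parsed for this input."""
    conn = open_db()
    try:
        get_sube_kodu_interpolated(conn, sube_adi)
        return False
    except sqlite3.OperationalError:
        # The apostrophe terminated the string literal early and left stray SQL tokens.
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print(lookup(" Kadikoy "))            # 034
    print(lookup("O'Brien Branch"))       # 099
    print(interpolation_fails("O'Brien Branch"))  # True
```

The parameterized lookup returns the right code for both names, while the interpolated version fails outright on the apostrophe; a database that accepts such input is exactly the situation in which the Groovy warning says the "security hole is still there", because the characters that broke the statement here could instead have changed its meaning.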
