This article introduces to you the relevant information of Mybatis to prevent sql injection through examples. It is very good and has reference value. Friends in need can refer to it.
SQL injection is familiar to everyone and is a common method. The attack method is that the attacker enters some strange SQL fragments in the form information or URL of the interface, such as statements such as "or '1'='1'", which may invade applications with insufficient parameter verification. Therefore, we need to do some work in our applications to prevent such attacks. In some security applications, such as banking software, it is often used to replace all sql statements with stored procedures to prevent sql injection. This is of course a It's a very safe method, but in our daily development, we may not need this rigid method.
mybatisFrameworkAs a semi-automated persistence layer framework, we have to manually write its SQL statements ourselves. Of course, we need to prevent SQL injection at this time. In fact, Mybatis's sql is a structure with "input + output" function, similar to function, as follows:
<select id="getBlogById" resultType="Blog" parameterType=”int”>
select id,title,author,content
from blog where id=#{id}
</select>Here, parameterType marks the input The parameter type, resultType indicates the output parameter type. In response to the above, if we want to prevent sql injection, it is natural for us to work hard on input parameters. The highlighted part in the above code is the part where the input parameters are spliced in sql. After passing in the parameters, print out the executed sql statement, and you will see that the sql looks like this:
select id,title,author,content from blog where id = ?
No matter what parameters are entered, the sql printed out will be like this. This is because mybatis has enabled the pre-compilation function. Before the sql is executed, the above sql will be sent to the database for compilation. During execution, the compiled sql will be used directly and the placeholder "?" will be replaced. Because sql injection can only affect the compilation process, this method can effectively avoid the problem of sql injection.
How does mybatis achieve sql pre-compilation? In fact, at the bottom of the framework, the PreparedStatement class in jdbc is at work. PreparedStatement is a subclass of Statement that we are very familiar with. Its object contains compiled sql statements. This "ready" approach not only improves security, but also improves efficiency when executing a SQL multiple times. The reason is that the SQL has been compiled and does not need to be compiled again when executed again.
Having said that, can we definitely prevent SQL injection by using mybatis? Of course not, please look at the following code:
<select id="orderBlog" resultType="Blog" parameterType=”map”>
select id,title,author,content
from blog order by ${orderParam}
</select>Look carefully, the format of the inline parameter has changed from "#{xxx}" to ${xxx}. If we assign the value of "id" to the parameter "orderParam" and print out the sql, it will look like this:
select id,title,author,content from blog order by id
Obviously, this is the case There is no way to prevent sql injection. In mybatis, parameters in the format of "${xxx}" will directly participate in SQL compilation, so injection attacks cannot be avoided. But when it comes to dynamic table names and column names, only parameter formats such as "${xxx}" can be used. Therefore, such parameters need to be processed manually in the code to prevent injection.
Conclusion: When writing the mapping statement of mybatis, try to use the format of "#{xxx}". If you have to use parameters such as "${xxx}", you must manually filter them to prevent SQL injection attacks.
The above is the detailed content of Code examples on how Mybatis prevents SQL injection. For more information, please follow other related articles on the PHP Chinese website!
Java之Mybatis的二级缓存怎么使用May 24, 2023 pm 06:16 PM缓存的概述和分类概述缓存就是一块内存空间.保存临时数据为什么使用缓存将数据源(数据库或者文件)中的数据读取出来存放到缓存中,再次获取的时候,直接从缓存中获取,可以减少和数据库交互的次数,这样可以提升程序的性能!缓存的适用情况适用于缓存的:经常查询但不经常修改的(eg:省市,类别数据),数据的正确与否对最终结果影响不大的不适用缓存的:经常改变的数据,敏感数据(例如:股市的牌价,银行的汇率,银行卡里面的钱)等等MyBatis缓存类别一级缓存:它是sqlSession对象的缓存,自带的(不需要配置)不
怎么使用springboot+mybatis拦截器实现水平分表May 14, 2023 pm 06:43 PMMyBatis允许使用插件来拦截的方法Executor(update,query,flushStatements,commit,rollback,getTransaction,close,isClosed)ParameterHandler(getParameterObject,setParameters)ResultSetHandler(handleResultSets,handleOutputParameters)StatementHandler(prepare,parameterize,ba
mybatis分页的几种方式Jan 04, 2023 pm 04:23 PMmybatis分页的方式:1、借助数组进行分页,首先查询出全部数据,然后再list中截取需要的部分。2、借助Sql语句进行分页,在sql语句后面添加limit分页语句即可。3、利用拦截器分页,通过拦截器给sql语句末尾加上limit语句来分页查询。4、利用RowBounds实现分页,需要一次获取所有符合条件的数据,然后在内存中对大数据进行操作即可实现分页效果。
springboot怎么整合mybatis分页拦截器May 13, 2023 pm 04:31 PM简介今天开发时想将自己写好的代码拿来优化,因为不想在开发服弄,怕搞坏了到时候GIT到生产服一大堆问题,然后把它分离到我轮子(工具)项目上,最后运行后发现我获取List的时候很卡至少10秒,我惊了平时也就我的正常版本是800ms左右(不要看它很久,因为数据量很大,也很正常。),前提是我也知道很慢,就等的确需要优化时,我在放出我优化的plus版本,回到10秒哪里,最开始我刚刚接到这个app项目时,在我用PageHelper.startPage(page,num);(分页),还没等查到的数据封装(Pa
springboot配置mybatis的sql执行超时时间怎么解决May 15, 2023 pm 06:10 PM当某些sql因为不知名原因堵塞时,为了不影响后台服务运行,想要给sql增加执行时间限制,超时后就抛异常,保证后台线程不会因为sql堵塞而堵塞。一、yml全局配置单数据源可以,多数据源时会失效二、java配置类配置成功抛出超时异常。importcom.alibaba.druid.pool.DruidDataSource;importcom.alibaba.druid.spring.boot.autoconfigure.DruidDataSourceBuilder;importorg.apache.
mybatis怎么调用mysql存储过程并获取返回值May 27, 2023 am 09:01 AMmybatis调用mysql存储过程并获取返回值1、mysql创建存储过程#结束符号默认;,delimiter$$语句表示结束符号变更为$$delimiter$$CREATEPROCEDURE`demo`(INinStrVARCHAR(100),outourStrVARCHAR(4000))BEGINSETourStr='01';if(inStr=='02')thensetourStr='02';en
Java Mybatis一级缓存和二级缓存是什么Apr 25, 2023 pm 02:10 PM一、什么是缓存缓存是内存当中一块存储数据的区域,目的是提高查询效率。MyBatis会将查询结果存储在缓存当中,当下次执行相同的SQL时不访问数据库,而是直接从缓存中获取结果,从而减少服务器的压力。什么是缓存?存在于内存中的一块数据。缓存有什么作用?减少程序和数据库的交互,提高查询效率,降低服务器和数据库的压力。什么样的数据使用缓存?经常查询但不常改变的,改变后对结果影响不大的数据。MyBatis缓存分为哪几类?一级缓存和二级缓存如何判断两次Sql是相同的?查询的Sql语句相同传递的参数值相同对结
SpringBoot怎么打印mybatis的执行sql问题May 15, 2023 pm 10:55 PMSpringBoot打印mybatis的执行sql1、使用场景应为在开发过程之中跟踪后端SQL语句,因什么原因导致的错误。需要在Debug过程之中打印出执行的SQL语句。所以需要配置一下SpringBoot之中,Mybatis打印SQL语句。2、具体实现application.properties(yml)中配置的两种方式:1.logging.level.dao包名(daopackage)=debug2.mybatis.configuration.log-impl=org.apache.ibat
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
SublimeText3 English version
Recommended: Win version, supports code prompts!
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
SublimeText3 Linux new version
SublimeText3 Linux latest version
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
