search
HomeJavajavaTutorialHow to prevent sql injection in Mybatis in JAVA
How to prevent sql injection in Mybatis in JAVAJun 30, 2017 am 10:50 AM
javamybatismethod

This article introduces to you the relevant information of Mybatis to prevent sql injection through examples. It is very good and has reference value. Friends in need can refer to it.

SQL injection is familiar to everyone and is a common method. The attack method is that the attacker enters some strange SQL fragments in the form information or URL of the interface, such as statements such as "or '1'='1'", which may invade applications with insufficient parameter verification. Therefore, we need to do some work in our applications to prevent such attacks. In some security applications, such as banking software, it is often used to replace all sql statements with stored procedures to prevent sql injection. This is of course a It's a very safe method, but in our daily development, we may not need this rigid method.

mybatisFrameworkAs a semi-automated persistence layer framework, we have to manually write its SQL statements ourselves. Of course, we need to prevent SQL injection at this time. In fact, Mybatis's sql is a structure with "input + output" function, similar to function, as follows:

<select id="getBlogById" resultType="Blog" parameterType=”int”>
  select id,title,author,content
  from blog where id=#{id}
 </select>

Here, parameterType indicates the input parameter type, and resultType indicates the output parameter type. Parameter Type. In response to the above, if we want to prevent sql injection, it is natural for us to work hard on input parameters. The highlighted part in the above code is the part where the input parameters are spliced ​​in sql. After passing in the parameters, print out the executed sql statement. You will see that the sql looks like this:

select id,title,author,content from blog where id = ?

No matter what parameters are input, the printed SQL is like this. This is because mybatis has enabled the pre-compilation function. Before the sql is executed, the above sql will be sent to the database for compilation. During execution, the compiled sql will be used directly and the placeholder "?" will be replaced. Because sql injection can only affect the compilation process, this method can effectively avoid the problem of sql injection.

How does mybatis achieve sql pre-compilation? In fact, at the bottom of the framework, the PreparedStatement class in jdbc is at work. PreparedStatement is a subclass of Statement that we are very familiar with. Its object contains compiled sql statements. This "ready" approach not only improves security, but also improves efficiency when executing a SQL multiple times. The reason is that the SQL has been compiled and does not need to be compiled again when executed again.

Having said that, can we definitely prevent SQL injection by using mybatis? Of course not, please look at the following code:

<select id="orderBlog" resultType="Blog" parameterType=”map”>
  select id,title,author,content
  from blog order by ${orderParam}
 </select>

Look carefully, the format of the inline parameter has changed from "#{xxx}" to ${xxx}. If we assign the value of "id" to the parameter "orderParam" and print out the sql, it will look like this:

select id,title,author,content from blog order by id

Obviously, this is the case There is no way to prevent sql injection. In mybatis, parameters in the format of "${xxx}" will directly participate in SQL compilation, so injection attacks cannot be avoided. But when it comes to dynamic table names and column names, only parameter formats such as "${xxx}" can be used. Therefore, such parameters need to be processed manually in the code to prevent injection.

Conclusion: When writing the mapping statement of mybatis, try to use the format of "#{xxx}". If you have to use parameters such as "${xxx}", you must manually filter them to prevent SQL injection attacks.

The above is the detailed content of How to prevent sql injection in Mybatis in JAVA. For more information, please follow other related articles on the PHP Chinese website!

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Java之Mybatis的二级缓存怎么使用Java之Mybatis的二级缓存怎么使用May 24, 2023 pm 06:16 PM

缓存的概述和分类概述缓存就是一块内存空间.保存临时数据为什么使用缓存将数据源(数据库或者文件)中的数据读取出来存放到缓存中,再次获取的时候,直接从缓存中获取,可以减少和数据库交互的次数,这样可以提升程序的性能!缓存的适用情况适用于缓存的:经常查询但不经常修改的(eg:省市,类别数据),数据的正确与否对最终结果影响不大的不适用缓存的:经常改变的数据,敏感数据(例如:股市的牌价,银行的汇率,银行卡里面的钱)等等MyBatis缓存类别一级缓存:它是sqlSession对象的缓存,自带的(不需要配置)不

mybatis分页的几种方式mybatis分页的几种方式Jan 04, 2023 pm 04:23 PM

mybatis分页的方式:1、借助数组进行分页,首先查询出全部数据,然后再list中截取需要的部分。2、借助Sql语句进行分页,在sql语句后面添加limit分页语句即可。3、利用拦截器分页,通过拦截器给sql语句末尾加上limit语句来分页查询。4、利用RowBounds实现分页,需要一次获取所有符合条件的数据,然后在内存中对大数据进行操作即可实现分页效果。

怎么使用springboot+mybatis拦截器实现水平分表怎么使用springboot+mybatis拦截器实现水平分表May 14, 2023 pm 06:43 PM

MyBatis允许使用插件来拦截的方法Executor(update,query,flushStatements,commit,rollback,getTransaction,close,isClosed)ParameterHandler(getParameterObject,setParameters)ResultSetHandler(handleResultSets,handleOutputParameters)StatementHandler(prepare,parameterize,ba

怎么用springboot+mybatis plus实现树形结构查询怎么用springboot+mybatis plus实现树形结构查询May 21, 2023 pm 05:01 PM

背景实际开发过程中经常需要查询节点树,根据指定节点获取子节点列表,以下记录了获取节点树的操作,以备不时之需。使用场景可以用于系统部门组织机构、商品分类、城市关系等带有层级关系的数据结构;设计思路递归模型即根节点、枝干节点、叶子节点,数据模型如下:idcodenameparent_code110000电脑0220000手机0310001联想笔记本10000410002惠普笔记本1000051000101联想拯救者1000161000102联想小新系列10001实现代码表结构CREATETABLE`

springboot配置mybatis的sql执行超时时间怎么解决springboot配置mybatis的sql执行超时时间怎么解决May 15, 2023 pm 06:10 PM

当某些sql因为不知名原因堵塞时,为了不影响后台服务运行,想要给sql增加执行时间限制,超时后就抛异常,保证后台线程不会因为sql堵塞而堵塞。一、yml全局配置单数据源可以,多数据源时会失效二、java配置类配置成功抛出超时异常。importcom.alibaba.druid.pool.DruidDataSource;importcom.alibaba.druid.spring.boot.autoconfigure.DruidDataSourceBuilder;importorg.apache.

springboot怎么整合mybatis分页拦截器springboot怎么整合mybatis分页拦截器May 13, 2023 pm 04:31 PM

简介今天开发时想将自己写好的代码拿来优化,因为不想在开发服弄,怕搞坏了到时候GIT到生产服一大堆问题,然后把它分离到我轮子(工具)项目上,最后运行后发现我获取List的时候很卡至少10秒,我惊了平时也就我的正常版本是800ms左右(不要看它很久,因为数据量很大,也很正常。),前提是我也知道很慢,就等的确需要优化时,我在放出我优化的plus版本,回到10秒哪里,最开始我刚刚接到这个app项目时,在我用PageHelper.startPage(page,num);(分页),还没等查到的数据封装(Pa

Java Mybatis一级缓存和二级缓存是什么Java Mybatis一级缓存和二级缓存是什么Apr 25, 2023 pm 02:10 PM

一、什么是缓存缓存是内存当中一块存储数据的区域,目的是提高查询效率。MyBatis会将查询结果存储在缓存当中,当下次执行相同的SQL时不访问数据库,而是直接从缓存中获取结果,从而减少服务器的压力。什么是缓存?存在于内存中的一块数据。缓存有什么作用?减少程序和数据库的交互,提高查询效率,降低服务器和数据库的压力。什么样的数据使用缓存?经常查询但不常改变的,改变后对结果影响不大的数据。MyBatis缓存分为哪几类?一级缓存和二级缓存如何判断两次Sql是相同的?查询的Sql语句相同传递的参数值相同对结

PageHelper在springboot+mybatis框架中如何使用PageHelper在springboot+mybatis框架中如何使用May 12, 2023 pm 03:55 PM

一、思路将分页所需的内容都放到一个实体类中分页数据所需要的实体类!内包含页码,页大小,总条数,总页数,起始行pagehelpr提供了这个类pageInfo,不需要我们自己创建二、主要逻辑select*from表名limit起始行,展示几条数据#第n页每页展示五条数据select*from表名limit(n-1)*5,5#每页展示多少条pageSize3#总共有多少条totalselectcount(*)from表名#总页数pagespages=total%pagesSize==0?total/p

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

SublimeText3 Linux new version

SublimeText3 Linux new version

SublimeText3 Linux latest version

SecLists

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

SublimeText3 English version

SublimeText3 English version

Recommended: Win version, supports code prompts!