On the difference between # and $ in MyBatis and how to prevent SQL injection

Source: Internet
Author: User
Tags: sql injection

The difference between # and $ in MyBatis

1. # treats the incoming value as a bound parameter. MyBatis replaces #{user_id} (the older iBATIS form was #user_id#) with a JDBC ? placeholder and hands the value to the PreparedStatement, so the database receives it as data, in effect as a quoted string literal. For example, with ORDER BY #{user_id}, an incoming 111 is executed as ORDER BY '111', and an incoming id as ORDER BY 'id'. Note that in both cases the statement sorts by a constant, not by a column, so the rows are not actually ordered.

2. $ splices the incoming value into the SQL text as-is, before the statement is sent to the database. With ORDER BY ${user_id}, an incoming 111 becomes ORDER BY 111, and an incoming id becomes ORDER BY id.

3. The # form prevents SQL injection to a large extent.

4. The $ form does not prevent SQL injection at all.

5. The $ form is normally used only for database object names that cannot be bound as parameters, such as a table name or column name.

6. Use # wherever you can and avoid $.

Prevent SQL injection

NOTE: never write a statement such as SELECT * FROM t_stu WHERE s_name LIKE '%${name}%'. It is extremely susceptible to injection attacks, because whatever the user supplies for name becomes part of the statement text.

Parameters written as #{xxx} are sent to the database as bound values of a prepared statement, so they cannot change the structure of the statement and are not susceptible to injection. Dynamic table names and column names, however, cannot be bound parameters, so for those the only option is the ${xxx} form.

When writing a MyBatis mapping statement, use the #{xxx} form wherever possible. If you must use ${xxx}, validate the value yourself before it reaches the statement, ideally by checking it against a fixed allow-list of permitted table or column names, to prevent SQL injection.

Example

<sql id="Condition_where">
  <isNotEmpty property="companyName" prepend="and">
    t1.company_name LIKE #companyName#
  </isNotEmpty>
</sql>

(This is the iBATIS 2 dynamic-SQL syntax; the #companyName# placeholder plays the same role as #{companyName} in MyBatis 3.) The Java side is much like what you already have, and there is nothing wrong with it. If checking for an empty value and wrapping it in '%' feels tedious, put both steps in a helper method. Wrapping the value on the Java side and binding it with #companyName# keeps it out of the statement text, so it cannot inject SQL, but any % or _ the user supplies still act as LIKE wildcards; escape them (with a matching ESCAPE clause) if the search must be literal.

// StringUtil is the project's own helper; the '%' stays inside the bound value,
// never in the SQL text, so the whole "%...%" string is sent as one parameter.
if (!StringUtil.isEmpty(this.companyName)) {
  table.setCompanyName("%" + this.companyName + "%");
}
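As an added example, not code from the original post, the following program exercises the # versus $ points above and the LIKE example against an in-memory H2 database through MyBatis 3 annotations. The table t_stu, the mapper StuMapper, the helpers sortColumn and escapeLike, the H2 connection string and the sample rows are all choices made for this example, and it assumes mybatis 3.x and the h2 driver are on the classpath. It shows the '%${name}%' statement returning every row for a crafted value while the bound #{pattern} form treats the same value as a literal, that ORDER BY #{col} is safe but sorts nothing, and that ORDER BY ${col} has to be guarded by an allow-list. It also goes one step beyond the post's Java snippet by escaping LIKE wildcards in the bound value.

```java
// Added example (not code from the original post). Runs against an in-memory H2
// database; assumes mybatis 3.x and the h2 driver are on the classpath.
import java.sql.Statement;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.datasource.pooled.PooledDataSource;
import org.apache.ibatis.mapping.Environment;
import org.apache.ibatis.session.Configuration;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;
import org.apache.ibatis.transaction.jdbc.JdbcTransactionFactory;

public class HashVsDollarDemo {

    public interface StuMapper {
        // #{} becomes a JDBC '?' placeholder: the value is bound, never parsed as SQL.
        // ESCAPE '!' pairs with escapeLike() below so user-supplied % and _ match literally.
        @Select("SELECT id, s_name FROM t_stu WHERE s_name LIKE #{pattern} ESCAPE '!'")
        List<Map<String, Object>> findByNameSafe(@Param("pattern") String pattern);

        // ${} is spliced into the statement text before it reaches the driver.
        // This is exactly the LIKE '%${name}%' shape the post warns against.
        @Select("SELECT id, s_name FROM t_stu WHERE s_name LIKE '%${name}%'")
        List<Map<String, Object>> findByNameUnsafe(@Param("name") String name);

        // Pitfall: a bound value in ORDER BY is a string constant, so this is safe
        // but sorts nothing, whatever column name the caller passes.
        @Select("SELECT id, s_name FROM t_stu ORDER BY #{col}")
        List<Map<String, Object>> orderByBound(@Param("col") String col);

        // Identifiers can only be made dynamic with ${}; callers must allow-list
        // the value first (sortColumn below) because nothing else protects it.
        @Select("SELECT id, s_name FROM t_stu ORDER BY ${col}")
        List<Map<String, Object>> orderBySubstituted(@Param("col") String col);
    }

    private static final Set<String> SORTABLE = new HashSet<>(Arrays.asList("id", "s_name"));

    /** Allow-list check for any identifier that has to go through ${}. */
    public static String sortColumn(String requested) {
        if (!SORTABLE.contains(requested)) {
            throw new IllegalArgumentException("not a sortable column: " + requested);
        }
        return requested;
    }

    /** Escape LIKE metacharacters in user input; the query must say ESCAPE '!'. */
    public static String escapeLike(String raw) {
        return raw.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    public static SqlSessionFactory buildFactory() {
        PooledDataSource ds = new PooledDataSource("org.h2.Driver",
                "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", "sa", "");
        Configuration cfg = new Configuration(
                new Environment("demo", new JdbcTransactionFactory(), ds));
        cfg.addMapper(StuMapper.class);
        return new SqlSessionFactoryBuilder().build(cfg);
    }

    public static void main(String[] args) throws Exception {
        try (SqlSession session = buildFactory().openSession(true)) {
            try (Statement st = session.getConnection().createStatement()) {
                // Constructed sample data; deliberately not in alphabetical order.
                st.execute("CREATE TABLE t_stu (id INT PRIMARY KEY, s_name VARCHAR(50))");
                st.execute("INSERT INTO t_stu VALUES (1, 'carol'), (2, 'alice'), (3, 'bob')");
            }
            StuMapper m = session.getMapper(StuMapper.class);

            // Constructed attacker input: closes the quote and re-opens it so the
            // spliced statement stays well formed, no comment sequence needed.
            String payload = "' OR 1=1 OR s_name LIKE '";
            // Bound: the whole payload is one literal pattern that matches no row.
            System.out.println("safe   rows: " + m.findByNameSafe("%" + escapeLike(payload) + "%").size());
            // Substituted: ... LIKE '%' OR 1=1 OR s_name LIKE '%' returns every row.
            System.out.println("unsafe rows: " + m.findByNameUnsafe(payload).size());

            // A bare % from the user is a wildcard unless it is escaped.
            System.out.println("literal %:  " + m.findByNameSafe("%" + escapeLike("%") + "%").size());
            System.out.println("wildcard %: " + m.findByNameSafe("%%%").size());

            // Bound ORDER BY: rows come back in whatever order the engine chooses.
            System.out.println("ORDER BY #{}: " + m.orderByBound("s_name"));
            // Substituted ORDER BY: really sorted, but only after the allow-list check.
            System.out.println("ORDER BY ${}: " + m.orderBySubstituted(sortColumn("s_name")));
            try {
                m.orderBySubstituted(sortColumn("id; DROP TABLE t_stu"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

With mybatis and h2 on the classpath, the safe LIKE query reports 0 rows and the unsafe one all 3 for the same input; the escaped bare % matches nothing while the unescaped one matches everything; the bound ORDER BY returns the rows in insertion order on H2 rather than sorted; and the allow-list throws before the injected column name ever reaches the statement. The allow-list is the only defence for ${}: there is no escaping function that makes an identifier safe to splice.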

That covers the difference between # and $ in MyBatis and how to prevent SQL injection; thank you for supporting the cloud Habitat Community.
