Automatic prevention of SQL Injection for Ibatis

Assume that the user executes
 
Select * from product where id = 5
 
This statement. 5 of them are user input.
 
The meaning of SQL injection is that some users do not enter 5,
 
 
 
5; delete from orders
 
 
 
Then the original SQL statement will become,
 
 
Select * from product where id = 5; delete from orders
.
 
After the select statement is executed, all records in the orders table will be deleted. (If he only deleted these records, he could have done more terrible things ).
 
 
 
Fortunately, Ibatis uses the PreparedStatement
S ).
 
The preceding statement will be compiled,
 
 
Select * from product where id =?
 
This effectively prevents SQL injection.
 
 
 
But pay attention to it when you use the $ placeholder.
 
For example, dynamic selection of columns and tables
 
 
SELECT * FROM $ TABLE_NAME $ WHERE $ COLUMN_NAME $ = # value #
 
At this time, you must carefully filter those values to avoid SQL injection. Of course, this situation exists not only in Ibatis.
 
 
 
References:
 
[IBATIS in Action] 3.5.2 SQL injection