While recently setting up the Druid connection pool together with its web and Spring monitoring, I found that the statement select * from tables where param like #{param1} "%" was being intercepted. Noting it down here.
There are two ways to resolve this:
First, select * from tables where param like concat(${param1}, '%'). Note that ${param1} is spliced into the SQL as text rather than bound as a parameter, so this form carries the ${} risk described below.
Second, append the wildcard while building the parameter dynamically, param1 = param1 + "%", and then write:
select * from tables where param like #{param1}.
How MyBatis 3 prevents SQL injection: #{xxx} is passed as a PreparedStatement parameter (with type conversion), so it is safe; ${xxx} is spliced in by string concatenation, so it is open to SQL injection.
A LIKE query written carelessly can leave an injection hole. The correct forms are:
MySQL: select * from tables where param like concat('%', #{param1}, '%')
Oracle: select * from T_user where param like '%' || #{param1} || '%'
SQL Server: select * from T_user where param like '%' + #{param1} + '%'
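To show concretely why the bound forms above are safe and the ${} form is not, here is an added example (not from the original post) that uses Python's sqlite3 as a stand-in for MyBatis over JDBC: a ? placeholder plays the role of #{param1}, an f-string plays the role of ${param1}, and the table t with its param column is constructed inline.

```python
import sqlite3

# Constructed sample table standing in for the post's "tables" with a "param" column.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (param TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)",
                     [("alice",), ("alicia",), ("bob",), ("o'brien",)])
    return conn

def like_interpolated(conn, param1):
    """MyBatis ${param1} analogue: the value is spliced into the SQL text,
    so the database parses whatever the caller supplied as part of the statement."""
    sql = f"SELECT param FROM t WHERE param LIKE '{param1}%' ORDER BY param"
    return [row[0] for row in conn.execute(sql)]

def like_bound_concat(conn, param1):
    """#{param1} analogue with the wildcards kept inside the SQL:
    '%' || ? || '%' is the Oracle/SQLite spelling of the concat() fix."""
    sql = "SELECT param FROM t WHERE param LIKE '%' || ? || '%' ORDER BY param"
    return [row[0] for row in conn.execute(sql, (param1,))]

def like_bound_prefixed(conn, param1):
    """The post's second fix: append the wildcard in application code,
    then bind the whole pattern as a single parameter."""
    sql = "SELECT param FROM t WHERE param LIKE ? ORDER BY param"
    return [row[0] for row in conn.execute(sql, (param1 + "%",))]

def interpolation_breaks(conn, param1):
    """True if the interpolated form fails to parse for this value, i.e. the
    value changed the statement's structure (the property injection relies on)."""
    try:
        like_interpolated(conn, param1)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(like_bound_concat(db, "ali"))       # ['alice', 'alicia']
    print(like_bound_prefixed(db, "o'bri"))   # ["o'brien"]
    print(interpolation_breaks(db, "o'bri"))  # True
```

A plain value such as o'bri is enough to change the structure of the interpolated statement, while both bound forms treat it as data and match the row as intended.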
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.
SQL injection problem found while configuring the Druid connection pool