How does mybatis prevent SQL injection?

SQL injection occurs at the time that SQL injection occurs during the SQL precompilation phase, when the compiled SQL does not produce SQL injection

When using JDBC to manipulate data

String sql = "Update ft_proposal Set id =" +ID;         = conn.preparestatement (sql);        Preparestatement.executeupdate ();        

PreparedStatement precompiled objects pre-compiles incoming SQL, when the incoming ID string is "update ft_proposal set id = 3;drop table ft_proposal;" This situation causes SQL injection to delete the Ft_proposal table.

How to prevent SQL injection, first to precompile the SQL to execute, and then replace the placeholders

String sql = "Update ft_proposal set id =?"  = conn.preparedstatement (sql);p s.setstring (1, "2");p s.executeupdate ();

In addition to processing the use of precompiled statements, another implementation can take a stored procedure , the stored procedure is actually precompiled, the stored procedure is a collection of SQL statements, all precompiled SQL statements are compiled, stored on the database,

Because the stored procedure is more rigid, it is generally not handled in this way.

Second, how is SQL injection handled by MyBatis?

Suppose the SQL query statement in the Mapper.xml file is:

<id= "FindByID"  resulttype= "String">     Select name from user where id = #{userid}; </ Select >

The corresponding interfaces are:

 Public String FindByID (@param ("userid") string userId);

When the parameter passed in is 3;drop table user; When we do, we can see that the printed SQL statement is:

Select name from usre where id =?;

No matter what parameters are entered, SQL injection can be prevented, because MyBatis is precompiled, and the underlying SQL is precompiled by the Preparestatement precompiled implementation class, which prevents SQL injection.

If the query statement is rewritten as:

<id= "FindByID"= "String">select name from User where Id=${userid}</Select>

When the input parameter is 3;drop table user; The Execute SQL statement is

Select name from user where id = 3;drop table user;

MyBatis does not make a precompiled statement, it first string concatenation, and then pre-compiled. This process is the process in which SQL injection takes effect.

Therefore, when writing mybatis mapping statements, try to use a format such as "#{xxx}". If you have to use parameters such as "${xxx}", do the filtering work manually to prevent SQL injection attacks.

How does mybatis prevent SQL injection?