iBatis: resolving SQL injection
(1) In an iBatis XML mapping, the following notation is plain string substitution: name like '%$name$%'
(2) This opens the door to SQL injection. If the parameter name contains a single quote ', the resulting SQL is name like '%'%' , which at best is a syntax error and at worst lets the caller splice arbitrary SQL into the statement.
(3) The fix is to build the pattern with the database's string concatenation operator around a # parameter: name like '%' || #name# || '%'
(4) The parameter is then bound to a precompiled (prepared) statement as a value, so it can never be parsed as SQL, and the injection problem disappears.
(5) The difference between # and $:
#xxx# means xxx is a property value: a key in the map or a property of your POJO. iBatis binds it as a parameter, so it appears as a quoted value in the SQL, e.g. where xxx = 'xxx'.
$xxx$ splices xxx into the SQL statement as a raw string. For example, to sort by topicId you cannot write ... order by #xxx#, because iBatis would turn that into order by 'topicId' (a string constant, so nothing is sorted). Written as ... order by $xxx$, iBatis produces order by topicId. That is what $ is for, and it is also why $ must never receive user-controlled input.
Unsafe writing: SELECT * FROM user WHERE username LIKE '%$username$%'
Safe writing: SELECT * FROM user WHERE username LIKE '%' || #username# || '%'
Note that the safe statement above is written for Oracle; the string concatenation operator differs between databases. The MySQL and SQL Server versions are:
MySQL: SELECT * FROM user WHERE username LIKE CONCAT('%', #username#, '%')
SQL Server: SELECT * FROM user WHERE username LIKE '%' + #username# + '%'
Use CONCAT() rather than || on MySQL: unless the PIPES_AS_CONCAT sql_mode is set, MySQL treats || as logical OR. One remaining caveat with all three forms: a bound parameter stops injection, but any % or _ the user supplies is still interpreted as a LIKE wildcard. If that matters (for example, a bare % returning every row), escape those characters before binding and add an ESCAPE clause.
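To make the # versus $ distinction concrete, the following Python script (an added example, not code from the original article or from the iBatis project) simulates both behaviours against an in-memory SQLite database: search_dollar splices the value into the SQL text the way $username$ does, search_hash binds it as a parameter the way #username# does, and search_hash_escaped additionally neutralises LIKE wildcards. The table, rows, function names and payloads are all constructed for the illustration; SQLite uses || for concatenation, so the safe query has the same shape as the Oracle form above.

```python
import sqlite3

# Constructed sample rows for the demo (not from the original article).
USERS = [("alice", "secret1"), ("bob", "secret2"), ("carol_admin", "secret3")]


def make_db():
    """Return an in-memory SQLite database seeded with the USERS rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def search_dollar(conn, username):
    """Simulates $username$: the value is spliced into the SQL text before it
    reaches the database, so quotes and keywords in it become part of the
    statement. This is the vulnerable form."""
    sql = "SELECT username FROM user WHERE username LIKE '%" + username + "%'"
    return [row[0] for row in conn.execute(sql)]


def try_dollar(conn, username):
    """Run search_dollar and report ('rows', rows) or ('error', message):
    a lone quote breaks the statement, a crafted value rewrites it."""
    try:
        return ("rows", search_dollar(conn, username))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def search_hash(conn, username):
    """Simulates #username#: the value is sent as a bound parameter and the
    wildcards are added in SQL with the concatenation operator (|| in SQLite,
    as in Oracle and DB2). The value can never be parsed as SQL."""
    sql = "SELECT username FROM user WHERE username LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (username,))]


def search_hash_escaped(conn, username):
    """Like search_hash, but also escapes the LIKE metacharacters % and _ so
    the caller can only match literal text, not inject wildcards."""
    escaped = (username.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = ("SELECT username FROM user WHERE username LIKE '%' || ? || '%' "
           "ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, (escaped,))]


if __name__ == "__main__":
    db = make_db()
    leak = "' UNION SELECT password FROM user --"
    print(try_dollar(db, "'"))            # ('error', ...): the SQL became LIKE '%'%'
    print(try_dollar(db, leak))           # ('rows', [...]): passwords leak via UNION
    print(search_hash(db, leak))          # []: the payload is just a literal pattern
    print(search_hash(db, "ali"))         # ['alice']
    print(search_hash(db, "%"))           # all rows: user-supplied wildcard honoured
    print(search_hash_escaped(db, "%"))   # []: wildcard escaped
```

The first two calls reproduce points (2) and (5): with string substitution a single quote yields a syntax error, and a UNION payload reads the password column through what was meant to be a username search. The same payload bound through search_hash matches nothing, because the driver sends it as data. The last two calls show the wildcard caveat: a bound parameter is injection-safe, but a user-supplied % still matches every row until it is escaped.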
-----------------------------------------------------------------------------------------------------------------------------
String concatenation operators for the databases I have worked with:

Database   | String concatenation
-----------|---------------------
Oracle     | || or CONCAT()
SQL Server | +
MySQL      | CONCAT()
DB2        | || or CONCAT()