iBatis LIKE usage: safe string concatenation for each database

Source: Internet
Author: User


Resolving SQL injection in iBatis

(1) In the iBatis XML mapping, the following notation simply substitutes the parameter as text: name like '%$name$%'

(2) This can cause SQL injection. For example, if the parameter name contains a single quote ('), the resulting SQL statement becomes: name like '%'

(3) The solution is to use SQL string concatenation to build the statement: name like '%' || #name# || '%'

(4) The parameter is then precompiled (bound as a prepared-statement parameter), so there is no SQL injection problem.

(5) The difference between # and $:

#xxx# means that xxx is an attribute value: the key in the map, or the property of your POJO object. iBatis automatically encloses it in quotation marks, as in the SQL statement where xxx = 'xxx';

$xxx$ means that xxx is concatenated into your SQL statement as a raw string. Take ORDER BY topicId as an example: if the statement is written as ... ORDER BY #xxx#, iBatis translates it into ORDER BY 'topicId' (which is wrong); if it is written as ... ORDER BY $xxx$, iBatis translates it into ORDER BY topicId.

Unsafe writing: SELECT * FROM user WHERE username LIKE '%$username$%'

Safe writing (SQL code): SELECT * FROM user WHERE username LIKE '%' || #username# || '%'

In fact, the statement above is written for Oracle; the string concatenation operator differs between databases. The MySQL and SQL Server forms are listed below:

MySQL (SQL code): SELECT * FROM user WHERE username LIKE CONCAT('%', #username#, '%')

SQL Server (SQL code): SELECT * FROM user WHERE username LIKE '%' + #username# + '%'
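As an added example (not code from the original post), the following Python script uses SQLite to reproduce the difference the post describes: splicing the value into the SQL text, as $username$ does, versus binding it as a parameter, as #username# does, with the '%' wildcards concatenated in SQL. It also goes one step beyond the post by escaping LIKE wildcards, since binding alone still lets % and _ act as wildcards. The table and usernames are constructed.

```python
import sqlite3

# Constructed sample rows (not from the original page).
USERS = ["alice", "bob", "o'neil", "carol"]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT)")
    conn.executemany("INSERT INTO user VALUES (?)", [(u,) for u in USERS])
    return conn

def like_dollar_style(conn, name):
    """Mimics $username$: the raw value is spliced into the SQL text (injectable)."""
    sql = f"SELECT username FROM user WHERE username LIKE '%{name}%'"
    return [r[0] for r in conn.execute(sql)]

def like_hash_style(conn, name):
    """Mimics #username#: the value is a bound parameter; '%' is concatenated in SQL."""
    sql = "SELECT username FROM user WHERE username LIKE '%' || ? || '%'"
    return [r[0] for r in conn.execute(sql, (name,))]

def escape_like(value, esc="\\"):
    """Escape LIKE wildcards so a bound value matches literally (binding alone
    stops injection but still lets '%' and '_' act as wildcards)."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def like_hash_style_literal(conn, name):
    """Bound parameter plus ESCAPE clause: no injection and no wildcard abuse."""
    sql = "SELECT username FROM user WHERE username LIKE '%' || ? || '%' ESCAPE '\\'"
    return [r[0] for r in conn.execute(sql, (escape_like(name),))]

def compare(name):
    """Run the same search three ways and report each result (or the SQL error)."""
    conn = make_db()
    out = {}
    for label, fn in (("dollar", like_dollar_style),
                      ("hash", like_hash_style),
                      ("literal", like_hash_style_literal)):
        try:
            out[label] = fn(conn, name)
        except sqlite3.Error as exc:
            out[label] = f"error: {exc}"  # the spliced query breaks on a quote
    return out

if __name__ == "__main__":
    for probe in ("ali", "o'neil", "%"):
        print(repr(probe), compare(probe))
```

With the input o'neil the spliced query fails to parse, while both bound forms return the matching row; with the input % the bound form still matches every row, and only the escaped form treats it as a literal character.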

--------------------------------------------------------------------------------------------------------------- --------------

The string concatenation operators of some of the databases I've used, briefly enumerated:

Database     String concatenation
Oracle       || or CONCAT()
SQL Server   +
MySQL        CONCAT()
DB2          || or CONCAT()
