iBatis/MyBatis Security Hardening

Source: Internet
Author: User
Tags: sql, error

For a mapping framework, prepared (precompiled) statements already eliminate most SQL injection.

But where the mapping supports dynamic statements, SQL injection is possible in exactly the same way as in hand-written code. In iBatis and MyBatis, hardening therefore concentrates on the dynamic $ placeholders, for example:


SELECT * from userinfo where name = #{name} order by $orderColumn$ $sortMode$


This is a very typical scenario: because the result can be sorted in many ways, orderColumn is passed in dynamically, and so is sortMode. The resulting statement is then interpreted as follows.

name = #{name} becomes the precompiled form name = ?, which carries no SQL injection risk, whereas orderColumn and sortMode can easily receive specially constructed values that turn into dangerous SQL,

because these two variables are spliced into the statement as raw strings:


Setting orderColumn = "name; delete from userinfo; " produces: SELECT * from userinfo where name = ? order by name; delete from userinfo; xxx

Hardening therefore focuses mainly on intercepting these values.

iBatis has no interceptor mechanism, so the fix is to patch the source and repackage it. The entry point is the getSql method of the SimpleDynamicSql class; after the original SQL is obtained there, it is split into fragments according to:

String[] tokens = sql.split("\\$");   // split() takes a regex, so the '$' must be escaped

We want to guarantee that whatever appears in a $xxx$ placeholder reaches the SQL statement as a variable, never as raw SQL text. There are two ways of converting such a value directly into a safe string. One is to quote it as an identifier using the database's metadata:

DatabaseMetaData md = connection.getMetaData();
String quote = md.getIdentifierQuoteString();   // e.g. a backtick for MySQL

newSql.append(quote).append(parameter).append(quote);

The other is to append a fixed keyword directly, such as:

newSql.append("DESC");

This produces:

SELECT * from userinfo where name = ? order by 'name' DESC;

with no SQL injection. The two methods above are abstracted into two placeholder types:

keyword and metadata

keyword only allows values from an enumerated whitelist. The mapper SQL must be written in this annotated form; any placeholder without an annotation resolves to null (a SQL error is far preferable to SQL injection):

SELECT * from userinfo where name = #{name} order by $orderColumn:metadata$ $sortMode:keyword$


Processing the String[] tokens then becomes straightforward:

StringBuilder newSql = new StringBuilder();

for (String tk : tokens) {

    String[] vk = tk.split(":");

    if (vk.length == 1) newSql.append(tk).append(" ");   // plain SQL fragment between placeholders

    else {

        // metadata: pm is the value read from the parameterObject under the name vk[0], emitted as a quoted identifier
        if ("METADATA".equalsIgnoreCase(vk[1])) newSql.append(quote).append(pm).append(quote).append(" ");

        // keyword: kw is the value for vk[0], accepted only if it is in the KEYWORD whitelist (otherwise null)
        else if ("KEYWORD".equalsIgnoreCase(vk[1])) newSql.append(kw).append(" ");

    }

}

return newSql.toString();


For MyBatis, which has an interceptor (plugin) mechanism, there is no need to patch the source; just add an interceptor:

@Intercepts({@Signature(method = "prepare", type = StatementHandler.class, args = {Connection.class})})
public class MyInterceptor implements Interceptor {

    public Object intercept(Invocation invocation) throws Throwable {
        BoundSql boundSql = ((StatementHandler) invocation.getTarget()).getBoundSql();
        String sql = boundSql.getSql();
        String newSql = xxx;   // rewrite sql with the scheme described above
        // BoundSql has no setter for its sql field, so it is written by reflection
        ReflectHelper.setValueByFieldName(boundSql, "sql", newSql);
        return invocation.proceed();
    }
}
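The following is an added, self-contained example (not code from the original article or from the MyBatis project) that combines the two pieces described above: the token-rewriting loop for $name:metadata$ and $name:keyword$ placeholders, and the MyBatis interceptor that applies it just before the JDBC statement is prepared. The class name HardeningInterceptor, the KEYWORDS whitelist (only ASC and DESC), and the use of a Function lookup for parameter values are assumptions made here; the Signature targets MyBatis 3.4 and later, where prepare() takes (Connection, Integer) rather than the single Connection argument shown in the article's snippet. It also goes slightly beyond the article by doubling any identifier-quote character found inside a metadata value, and by turning every unannotated, missing or rejected placeholder into the literal null, so that the statement fails rather than injecting.

```java
import java.sql.Connection;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.function.Function;
import org.apache.ibatis.executor.statement.StatementHandler;
import org.apache.ibatis.mapping.BoundSql;
import org.apache.ibatis.plugin.Interceptor;
import org.apache.ibatis.plugin.Intercepts;
import org.apache.ibatis.plugin.Invocation;
import org.apache.ibatis.plugin.Plugin;
import org.apache.ibatis.plugin.Signature;
import org.apache.ibatis.reflection.MetaObject;
import org.apache.ibatis.reflection.SystemMetaObject;

// Added example: resolves $name:metadata$ / $name:keyword$ placeholders left in the mapper SQL
// and rewrites the BoundSql before MyBatis prepares the JDBC statement (MyBatis 3.4+ signature).
@Intercepts({@Signature(type = StatementHandler.class, method = "prepare",
        args = {Connection.class, Integer.class})})
public class HardeningInterceptor implements Interceptor {

    // Assumed whitelist for ":keyword" placeholders; anything not listed becomes null.
    private static final Set<String> KEYWORDS = new HashSet<>(Arrays.asList("ASC", "DESC"));

    // Pure rewriting step; lookup maps a placeholder name to the caller-supplied value.
    static String rewrite(String sql, Function<String, Object> lookup, String quote) {
        boolean canQuote = quote != null && !quote.trim().isEmpty(); // " " means driver cannot quote
        String[] tokens = sql.split("\\$", -1);     // split() takes a regex, so escape the '$'
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < tokens.length; i++) {
            if (i % 2 == 0) {                       // even slots: static SQL between placeholders
                out.append(tokens[i]);
                continue;
            }
            String[] vk = tokens[i].split(":");     // "orderColumn:metadata" -> name, kind
            Object value = lookup.apply(vk[0]);
            String kind = vk.length == 2 ? vk[1].toLowerCase() : "";
            if (value != null && canQuote && kind.equals("metadata")) {
                // identifier: wrap in the driver's quote string, doubling any embedded copy of it
                out.append(quote).append(value.toString().replace(quote, quote + quote)).append(quote);
            } else if (value != null && kind.equals("keyword")
                    && KEYWORDS.contains(value.toString().toUpperCase())) {
                out.append(value.toString().toUpperCase());
            } else {
                // unannotated, missing or rejected: emit null so the query errors instead of injecting
                out.append("null");
            }
        }
        return out.toString();
    }

    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        StatementHandler handler = (StatementHandler) invocation.getTarget();
        BoundSql boundSql = handler.getBoundSql();
        Connection conn = (Connection) invocation.getArgs()[0];
        String quote = conn.getMetaData().getIdentifierQuoteString();
        // parameterObject is a ParamMap for multi-argument mappers or a bean; MetaObject reads both
        Object param = boundSql.getParameterObject();
        Function<String, Object> lookup = name -> {
            if (param == null) return null;
            MetaObject pm = SystemMetaObject.forObject(param);
            return pm.hasGetter(name) ? pm.getValue(name) : null;
        };
        String newSql = rewrite(boundSql.getSql(), lookup, quote);
        // BoundSql has no setter for sql; MetaObject writes the private field reflectively
        SystemMetaObject.forObject(boundSql).setValue("sql", newSql);
        return invocation.proceed();
    }

    @Override
    public Object plugin(Object target) { return Plugin.wrap(target, this); }

    @Override
    public void setProperties(Properties properties) { }

    // Stand-alone check on constructed input; needs no database or MyBatis session.
    public static void main(String[] args) {
        String sql = "SELECT * FROM userinfo WHERE name = ? ORDER BY $orderColumn:metadata$ $sortMode:keyword$";
        Map<String, Object> safe = new HashMap<>();
        safe.put("orderColumn", "name");
        safe.put("sortMode", "desc");
        System.out.println(rewrite(sql, safe::get, "`"));
        Map<String, Object> hostile = new HashMap<>();
        hostile.put("orderColumn", "name; delete from userinfo;");   // the article's injection attempt
        hostile.put("sortMode", "desc; delete from userinfo;");
        System.out.println(rewrite(sql, hostile::get, "`"));
    }
}
```

With the safe input the rewrite yields a backtick-quoted column name followed by DESC; with the hostile input the whole orderColumn string ends up inside one quoted identifier (an unknown-column error at execution time) and the sortMode value, not being in the whitelist, becomes null. Two caveats worth keeping in mind when deploying this: the interceptor runs for every statement, so a literal '$' anywhere in ordinary mapper SQL will be mistaken for a placeholder, and the literal null it emits is only a fail-closed default, so the whitelist and the set of quotable identifiers should still be reviewed per database.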

Register this interceptor in the configuration:

<configuration>
  <plugins>
    <plugin interceptor="package.MyInterceptor"></plugin>
  </plugins>
  <environments default="development">
    <environment id="development">
      <transactionManager type="JDBC"/>
      <dataSource type="POOLED">
        <property name="driver" value="com.mysql.jdbc.Driver"/>
        <property name="url" value="jdbc:mysql://localhost:3306/mysql"/>
        <property name="username" value="username"/>
        <property name="password" value="password"/>
      </dataSource>
    </environment>
  </environments>
  <mappers>
    <mapper resource="Mapper.xml"/>
  </mappers>
</configuration>


Copyright notice: this is an original article by the blog author and may not be reproduced without permission.
