mybatis fuzzy query problem

SQL injection is a familiar and common attack: the attacker submits SQL fragments (such as "or '1' = '1'") in form fields or URL parameters, and an application that does not validate its parameters adequately ends up executing them. We therefore need to do some work in the application to prevent such attacks. In applications with high security requirements (such as banking software), it is common to replace all SQL statements with stored procedures to prevent SQL injection. That is certainly a very safe approach, but in ordinary development we usually do not need something that rigid.

   

1. An example of SQL injection with a ${} fuzzy query (${} is not precompiled; the value is simply stitched into the SQL text, equivalent to a JDBC Statement)

SQL:

    <select id="getInfo2" resultType="cn.xm.exam.bean.haul.Haulinfo"
        parameterType="hashmap">
        SELECT * FROM haulinfo
        <where>
            <if test="name != null">
                <!-- ${name} is pasted into the SQL text as-is -->
                and bigname like '%${name}%'
            </if>
            <if test="status != null">
                and bigStatus = #{status}
            </if>
        </where>
    </select>

 

Java test:

The intent was a fuzzy query on the name, but the injected value also adds a filter on the description:

    import java.sql.SQLException;
    import java.util.HashMap;
    import java.util.Map;
    import org.junit.Test;

    @Test
    public void test2() throws SQLException {
        // The "name" value closes the LIKE literal and appends a second condition on bigdescription.
        Map<String, Object> condition = new HashMap<>();
        condition.put("name", "%' and bigdescription like '阳城");
        condition.put("status", "未开始");
        testMapper.getInfo2(condition);
    }

 

Preparing: SELECT * FROM haulinfo WHERE bigname like '%%' and bigdescription like '阳城%' and bigStatus = ? 

Parameters: 未开始 (String)

Total: 2

 

2. bind + #{} fuzzy query that prevents SQL injection (#{} is precompiled; the value passed in is not interpreted as SQL, only as a parameter, equivalent to a JDBC PreparedStatement)

The bind element creates a variable from an OGNL expression and binds it to the context, for example:

<select id="selectBlogsLike" resultType="Blog">
  <bind name="pattern" value="'%' + _parameter.getTitle() + '%'" />
  SELECT * FROM BLOG
  WHERE title LIKE #{pattern}
</select>

SQL:

    <select id="getInfo" resultType="cn.xm.exam.bean.haul.Haulinfo"
        parameterType="hashmap">
        SELECT * FROM haulinfo
        <where>
            <if test="name != null">
                <!-- the pattern is built by OGNL and then passed as a bound parameter -->
                <bind name="names" value="'%'+name+'%'" />
                and bigname like #{names}
            </if>
            <if test="status != null">
                and bigStatus = #{status}
            </if>
        </where>
    </select>

 

Java test:

    import java.sql.SQLException;
    import java.util.HashMap;
    import java.util.Map;
    import org.junit.Test;

    @Test
    public void test1() throws SQLException {
        // Same injected "name" value as test2; here it is only ever a LIKE pattern.
        Map<String, Object> condition = new HashMap<>();
        condition.put("name", "%' and bigdescription like '阳城");
        condition.put("status", "未开始");
        testMapper.getInfo(condition);
    }

Preparing: SELECT * FROM haulinfo WHERE bigname like ? and bigStatus = ? 

Parameters: %%' and bigdescription like '阳城% (String), 未开始 (String)

Total: 0
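To make the two outcomes above (Total: 2 versus Total: 0) reproducible without a MyBatis setup, here is an added example of my own, not code from the original post, that models the two mapper statements in Python against an in-memory SQLite table. The table, its rows and the column names are constructed to mirror the haulinfo table on this page; the inputs are the exact values the page's test methods pass. query_with_dollar builds the SQL text by string substitution, as '%${name}%' does, and query_with_hash binds the '%'+name+'%' pattern as a parameter, as bind + #{names} does.

```python
import sqlite3

# Constructed sample rows modelled on the page's haulinfo table:
# (bigname, bigdescription, bigStatus). Three rows are "未开始", two descriptions start with "阳城".
SAMPLE_ROWS = [
    ("煤矿A", "阳城县工程", "未开始"),
    ("煤矿B", "阳城市道路", "未开始"),
    ("煤矿C", "晋城工程", "未开始"),
    ("煤矿D", "阳城工程", "已完成"),
]

# The same inputs the page's test1/test2 methods put into the condition map.
INJECTED_NAME = "%' and bigdescription like '阳城"
STATUS = "未开始"


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE haulinfo (bigname TEXT, bigdescription TEXT, bigStatus TEXT)")
    conn.executemany("INSERT INTO haulinfo VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_with_dollar(conn, name, status):
    """Models `and bigname like '%${name}%'`: the value is pasted into the SQL text (Statement style).

    Returns the SQL that actually reaches the database and the rows it produced.
    """
    sql = f"SELECT * FROM haulinfo WHERE bigname like '%{name}%' and bigStatus = ?"
    return sql, conn.execute(sql, (status,)).fetchall()


def query_with_hash(conn, name, status):
    """Models `<bind name="names" value="'%'+name+'%'"/>` + `and bigname like #{names}`.

    The pattern is computed outside the SQL and sent as a bound parameter (PreparedStatement style),
    so whatever the value contains, it can only ever be compared against bigname.
    """
    pattern = "%" + name + "%"
    sql = "SELECT * FROM haulinfo WHERE bigname like ? and bigStatus = ?"
    return sql, conn.execute(sql, (pattern, status)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("${}", query_with_dollar), ("#{}", query_with_hash)):
        sql, rows = fn(db, INJECTED_NAME, STATUS)
        print(f"{label} Preparing: {sql}")
        print(f"{label} Total: {len(rows)}")
```

With the ${} model the SQL that reaches the database contains the attacker's extra "bigdescription like '阳城%'" condition and two rows come back, exactly as in the log above; with the #{} model the SQL text is fixed, the whole injected string is just a LIKE pattern that matches no bigname, and zero rows come back.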

3. Another fuzzy query method: wrap #{} with concat() inside the SQL itself

 

    select departmentid, updepartmentid, departmentname from department
    where departmentid like concat(#{departmentid}, '%')
    <if test="documentName != null &amp;&amp; documentName != ''">
        and documentName like concat(concat('%', #{documentName}), '%')
    </if>

 

[Conclusion] When writing MyBatis mapping statements, use the "#{xxx}" form wherever possible. If you have to use "${xxx}" parameters, you must filter them yourself to prevent SQL injection attacks.

 

#{}: equivalent to a PreparedStatement in JDBC

${}: outputs the value of the variable directly into the SQL text

Put simply, #{} is precompiled and safe; ${} is not precompiled, it just substitutes the variable's value, it is not safe, and it allows SQL injection.

If we use ${} after ORDER BY (a column name cannot be passed as a bound parameter, which is why ${} ends up there), there is a danger of SQL injection unless something is done about it. How do you prevent it? Sadly, the only answer is that you have to filter the input manually. For example, check whether the length of the input parameter is normal (injection statements are generally very long); a more precise filter checks whether the input parameter is in the expected set of parameters.
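The two checks the paragraph describes, a length limit and membership in the expected parameter set, as an added example of my own (not from the original post). The allowed column names are those of the department query in section 3; the allowlist itself, the length limit and the function names are assumptions for illustration. The point is that only the validated fragment ever reaches the ${} position of the statement.

```python
# Hypothetical allowlist for the department query on this page. In a real application this set
# comes from the mapper's own column list, never from anything the caller sends.
ALLOWED_ORDER_COLUMNS = {"departmentid", "updepartmentid", "departmentname"}
ALLOWED_DIRECTIONS = {"asc", "desc"}
MAX_PARAM_LEN = 32  # a legitimate column or direction token is short; anything longer is rejected early


def validate_order_by(column, direction="asc"):
    """Return a safe 'column direction' fragment or raise ValueError.

    Cheap length check first, then the precise allowlist check, in the order the text suggests.
    Comparison is case-insensitive because SQL identifiers usually are; the returned fragment is
    the canonical allowlisted spelling, not the caller's input.
    """
    for value in (column, direction):
        if not isinstance(value, str) or not value or len(value) > MAX_PARAM_LEN:
            raise ValueError("order-by parameter missing, empty or too long")
    col = column.strip().lower()
    dirn = direction.strip().lower()
    if col not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unexpected order-by column: {column!r}")
    if dirn not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unexpected sort direction: {direction!r}")
    return f"{col} {dirn}"


def is_safe_order_by(column, direction="asc"):
    """Boolean form of validate_order_by, convenient for tests and request filters."""
    try:
        validate_order_by(column, direction)
        return True
    except ValueError:
        return False


def build_department_query(order_column, direction="asc"):
    """Build the section-3 query with a dynamic ORDER BY.

    Only the validated fragment is stitched into the SQL text (the role ${} plays in a MyBatis
    mapper); the departmentid filter value stays a bound parameter ('?') exactly as #{} would.
    """
    order_by = validate_order_by(order_column, direction)
    return ("select departmentid, updepartmentid, departmentname from department "
            "where departmentid like concat(?, '%') order by " + order_by)


if __name__ == "__main__":
    print(build_department_query("departmentname", "DESC"))
    for candidate in ("departmentid", "bigdescription", "departmentid, departmentname", "x" * 40):
        print(f"{candidate!r:>40} -> {'ok' if is_safe_order_by(candidate) else 'rejected'}")
```

Rejecting rather than sanitising is deliberate: there is no reliable way to "clean" a column name that is not in the expected set, and a rejected request is both safe and easy to log as a possible probe.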

 

This article is reproduced from: fuzzy query



Origin www.cnblogs.com/zzm96/p/12671123.html