iBATIS SQL injection problem


A sort option needed to be added to an iBATIS query.

Out of habit, the following was added to the SQL map:

<isNotNull prepend="," property="orderColumn">
    order by #orderColumn#
</isNotNull>

This does not work as expected.

Inspecting the generated statement showed that the assembled SQL was

order by 'name'

The #orderColumn# placeholder is bound as a prepared-statement parameter, so iBATIS quotes the value as a string literal. An ORDER BY on a constant string does not sort by the column, so the sort fails.

If it is changed to order by $orderColumn$, the $ syntax splices the value directly into the SQL string, so the statement becomes order by name and executes without a problem. But this opens a SQL injection vulnerability, because the parameter value passed after order by can be something like

orderColumn ,(select if(substring(user(),1,2)='xx',sleep(4),-1))

When this runs, the query hangs for 4 seconds if the first two characters of the database user name are xx (the delay is 4 seconds per record, so with 5 records it hangs for 20 seconds). This is exploitable.


There are basically two ways to fix this. One is to put the conditional logic in the iBATIS XML, so the caller only supplies a selector value and the column name itself never comes from input. For example, when the parameter is 1 the sort column is A, and when the parameter is 2 the sort column is B.

<isNotNull property="model.orderType">
    <isEqual property="model.orderType" compareValue="0" prepend="ORDER BY" removeFirstPrepend="true">
        BEGIN_TIME DESC
    </isEqual>
    <isEqual property="model.orderType" compareValue="1" prepend="ORDER BY" removeFirstPrepend="true">
        APPLY_BEGIN_TIME DESC
    </isEqual>
</isNotNull>

The other is to validate the incoming parameter value in the DAO layer before it reaches the mapping. For example, a regular expression can check that the value consists only of uppercase and lowercase letters and underscores, and anything else is rejected.
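The DAO-layer check above, written out as an added example (this is not code from the original post). It goes one step beyond the regex: after the pattern check it also requires the column to be on an explicit whitelist, because letters and underscores alone would still let a caller sort on any column of the table. The class and method names, the statement id findUsers, the parameter map key, and the whitelisted column names are assumptions; SqlMapClient.queryForList is the iBATIS 2 API.

```java
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import com.ibatis.sqlmap.client.SqlMapClient;

public class UserDao {

    // The check the post describes: only letters and underscores may pass.
    private static final Pattern SAFE_COLUMN = Pattern.compile("^[A-Za-z_]+$");

    // Stricter than the regex alone: an explicit whitelist of the columns this
    // statement may sort by. The column names here are assumptions.
    private static final Set<String> SORTABLE_COLUMNS = new HashSet<String>(
            Arrays.asList("NAME", "BEGIN_TIME", "APPLY_BEGIN_TIME"));

    private final SqlMapClient sqlMapClient;

    public UserDao(SqlMapClient sqlMapClient) {
        this.sqlMapClient = sqlMapClient;
    }

    /**
     * Returns the column name if it is safe to splice into "order by $orderColumn$",
     * null if no sort was requested, and throws otherwise. The injected value from
     * the post ("name ,(select if(...))") fails the regex because of the space,
     * the comma and the parentheses, so it never reaches the SQL string.
     */
    static String checkOrderColumn(String orderColumn) {
        if (orderColumn == null || orderColumn.length() == 0) {
            return null; // isNotNull in the mapping then omits the order by clause
        }
        if (!SAFE_COLUMN.matcher(orderColumn).matches()) {
            throw new IllegalArgumentException("illegal sort column: " + orderColumn);
        }
        String upper = orderColumn.toUpperCase();
        if (!SORTABLE_COLUMNS.contains(upper)) {
            throw new IllegalArgumentException("unknown sort column: " + orderColumn);
        }
        return upper;
    }

    /**
     * Runs the mapped statement "findUsers" (assumed statement id) whose SQL ends in
     * an isNotNull block containing "order by $orderColumn$". Only a validated
     * column name is ever put into the parameter map.
     */
    public List<?> findUsers(String orderColumn) throws SQLException {
        Map<String, Object> params = new HashMap<String, Object>();
        params.put("orderColumn", checkOrderColumn(orderColumn));
        return sqlMapClient.queryForList("findUsers", params);
    }
}
```

Rejecting with an exception rather than silently dropping the sort makes a bad value visible in application logs, which is also where attempts like the sleep() payload above would show up.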


Origin http://10.200.1.11:23101/article/api/json?id=326946056&siteId=291194637