[Java] mybatis dynamically passes in order by (sorting field) and sort (sorting method) to prevent injection

Foreword

When MyBatis dynamically receives the order by (sorting field) and sort (sorting method) values, only the ${} parameter passing method works; passing them with #{} does not produce a valid sort. However, we all know that passing parameters with ${} opens the door to SQL injection. After searching the Internet, many people say you can't have both the fish and the bear's paw. Below I will introduce how to pass the parameters dynamically and still prevent injection.

1. Two parameter passing methods of mybatis #{} and ${}

1. # pass parameter

1.1. #{} is handled by PreparedStatement precompilation: the passed-in value is bound as a parameter, so a string value automatically gets single quotation marks around it.

For example: order by #{orderBy}, if the value passed in is update_time, will be parsed as order by 'update_time' (such a sort is invalid, because the database sorts by a constant string rather than by the column; this is why you cannot use # to pass the sort field).

1.2. The # method can largely prevent SQL injection.

2. $ pass parameter

The $ method splices the string into the SQL unchanged, which cannot prevent injection.
For example: order by ${orderBy}, if the value passed in is update_time, will be parsed as order by update_time.

Therefore, if you can use #, don't use $. In the case of dynamic sorting fields and sorting methods, however, you cannot use # to pass the parameters, so you have to use $ and still prevent injection and ensure safety. Let me introduce my solution below.

2. How to pass parameters to prevent injection

Using an enumeration can solve this problem. Simply put, we define in advance the table names, sorting fields and sorting methods we need, in a separate enumeration class or constant definition class, and only values from that whitelist are ever spliced into the SQL.
Here are two ways:

2.1 Judging and preventing injection in business code:

The check is made in the business code: if the passed-in value is not within the allowed scope, it is replaced by the default, so that non-standard parameters and SQL injection payloads are filtered out before they reach the mapper.
Key code (only start time and update time are introduced as sort fields here; other business fields can be added according to actual needs):

// Default: start time, descending. The user's input is read first and the
// whitelisted value is written back only after mapping, so the raw input
// never reaches the SQL.
String orderBy = "begin_time";
String sort = "DESC";

if (StringUtils.isNotEmpty(param.getOrderBy())) {
    switch (param.getOrderBy()) {
        case "updateTime":
            orderBy = "update_time";
            break;
        default:
            orderBy = "begin_time";
    }
}

// If ascending order was requested, switch to ascending
if ("ascending".equals(param.getSort())) {
    sort = "ASC";
}

param.setOrderBy(orderBy);
param.setSort(sort);
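The same check written with the enumeration classes the section above describes, as an added example that is not the blog author's code: the request parameter names (beginTime, updateTime, ascending, descending) and the column names follow the snippets on this page, but the class and method names are assumptions. Anything not in the enum, including null, falls back to the default, so the only strings that can ever reach ${} are the constants defined in the enum.

```java
import java.util.Locale;
import java.util.Optional;

// Added example (not the original post's code): whitelist sort field and sort
// direction as enums and resolve request parameters to safe constants.
public final class SortWhitelist {

    /** Sort fields the API accepts, mapped to the real column names (assumed from the page). */
    public enum SortField {
        BEGIN_TIME("beginTime", "begin_time"),
        UPDATE_TIME("updateTime", "update_time");

        private final String requestName;
        private final String column;

        SortField(String requestName, String column) {
            this.requestName = requestName;
            this.column = column;
        }

        public String column() {
            return column;
        }

        /** Exact match only; anything else (including null) is rejected. */
        public static Optional<SortField> fromRequest(String value) {
            for (SortField f : values()) {
                if (f.requestName.equals(value)) {
                    return Optional.of(f);
                }
            }
            return Optional.empty();
        }
    }

    /** Sort directions the API accepts; the enum name is the SQL keyword. */
    public enum SortDirection {
        ASC("ascending"),
        DESC("descending");

        private final String requestName;

        SortDirection(String requestName) {
            this.requestName = requestName;
        }

        /** Accepts "ascending"/"descending" or "asc"/"desc", case-insensitively. */
        public static Optional<SortDirection> fromRequest(String value) {
            if (value == null) {
                return Optional.empty();
            }
            String v = value.trim().toLowerCase(Locale.ROOT);
            for (SortDirection d : values()) {
                if (d.requestName.equals(v) || d.name().equalsIgnoreCase(v)) {
                    return Optional.of(d);
                }
            }
            return Optional.empty();
        }
    }

    /** The two values that are safe to assign to param.orderBy and param.sort. */
    public static final class ResolvedSort {
        public final String orderBy;
        public final String sort;

        ResolvedSort(String orderBy, String sort) {
            this.orderBy = orderBy;
            this.sort = sort;
        }

        @Override
        public String toString() {
            return orderBy + " " + sort;
        }
    }

    /**
     * Resolve raw request parameters to whitelisted constants. Unknown values
     * fall back to the defaults (begin_time DESC) instead of being passed through.
     */
    public static ResolvedSort resolve(String orderByParam, String sortParam) {
        SortField field = SortField.fromRequest(orderByParam).orElse(SortField.BEGIN_TIME);
        SortDirection dir = SortDirection.fromRequest(sortParam).orElse(SortDirection.DESC);
        return new ResolvedSort(field.column(), dir.name());
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid request and two that the whitelist rejects.
        System.out.println(resolve("updateTime", "ascending"));
        System.out.println(resolve("update_time; --", "ascending"));
        System.out.println(resolve(null, "DESC; drop"));
    }
}
```

The resolved orderBy and sort are what get assigned to the param object before the mapper's order by ${param.orderBy} ${param.sort} runs; because both come from enum constants, the ${} splice cannot carry anything the request supplied.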

After this processing the attribute values are ones we control, so we can directly use $ to pass them, for example:

SELECT <include refid="Base_Column_List"/> 
FROM alarm_list_info_view as m
<where>
        m.status = 0
</where>
order by ${param.orderBy}  ${param.sort}

2.2 Checking against the enumeration in the MyBatis XML file to prevent injection

Key code:

SELECT <include refid="Base_Column_List"/>
FROM alarm_list_info_view as m
<!-- the ORDER BY must sit outside <where>, otherwise MyBatis would emit "WHERE order by ..." -->
<if test="param.orderBy == 'begin_time'">
    order by begin_time
</if>
<if test="param.orderBy == 'update_time'">
    order by update_time
</if>

<!-- Or like this: first make sure it is a sort field and direction we need; there are usually not many fields, and more can be added -->
SELECT * FROM alarm_list_info_view as m
<choose>
    <when test="(orderBy == 'begin_time' or orderBy == 'update_time') and (sort == 'desc' or sort == 'asc')">
        order by ${orderBy} ${sort}
    </when>
    <otherwise>
        order by update_time desc
    </otherwise>
</choose>

With this approach the problem is solved. If you have other solutions, please share them.

Origin blog.csdn.net/u011397981/article/details/131856863