MyBatis: do not mix up $ and #!

Background

This is a problem I found while optimizing code: after a functional change, a query returned only part of the data it should have. The root cause turned out to be the difference between $ and # in the SQL.

The figure below shows the two SQL statements:

[figure: the two SQL statements, one written with ${showLabels} and one with #{showLabels}]

As the figure shows, one statement is wwlr.LabelId in (${showLabels}) and the other is wwlr.LabelId in (#{showLabels}). The showLabels parameter is passed in as a string, here "4,44,514". The problem is that, for a parameter passed this way, $ and # are handled differently.

The difference

1. #{} is precompiled. When MyBatis processes #{}, it replaces the #{} in the SQL with a ? placeholder and then calls the corresponding PreparedStatement setter to assign the value. If the incoming value is a string, it is wrapped in single quotes, so the value "4,44,514" above becomes '4,44,514'.

2. ${} is string substitution. When MyBatis processes ${}, it replaces the ${} in the SQL with the value of the variable as-is, without adding quotes around the incoming data.

Note: using ${} can lead to SQL injection and is bad for the security of the system!

SQL injection: SQL commands are inserted into a web form submission, a domain name or page request, or a query string, so that the server is ultimately tricked into executing malicious SQL. Common cases are anonymous login (a malicious string typed into the login box) and using error messages to obtain database information.

Usage:

1. #{}: mainly used to receive parameter data in the DAO. When a #{} expression appears in a SQL statement in the mapping file, MyBatis creates a precompiled SQL statement underneath.

2. ${}: mainly used to read configuration data and parameter information from the DAO interface. When ${} appears in a SQL statement in the mapping file, no precompiled SQL is created; the value is concatenated into the string, which can cause SQL injection problems. Therefore ${} is generally used in the DAO only to receive parameters that are field names, table names and the like, for example order by ${column}.

Note:

When ${} is used to receive DAO parameter data, the parameter must be annotated with @Param or referenced by index in the param1 form;

When #{} is used to receive DAO parameter data, use @Param if there is more than one parameter.

Problem analysis

In fact, at first I did not look closely at where # and $ were used in the SQL; I ran the SQL against the database as usual. So I had the executed SQL printed to the console, using the following configuration to output the SQL:

[figure: logging configuration and the console output of the executed SQL]

After seeing the output, I finally found where the problem lay.

Having read the description of the difference above, I believe we should now really understand where the difference is and where our problem was: in the SQL, the data is wrapped in a pair of quotes. wwlr.LabelId in (4,44,514) becomes wwlr.LabelId in ('4,44,514'), which is why only part of the data was found.

Solution

1. Quick fix

The fastest way is to replace # with $ directly, and the problem is solved.

However, I am speechless: it really did not solve it for me.

Running the code locally there were no problems, but after deploying to the company's Docker the problem was still not solved; it gave the impression that the code had never been changed from # to $.

We all know that $ is actually dangerous and can easily be SQL injected. As far as I know, our company's Docker adds a layer that prevents SQL injection, so I do not know whether it was this function that invalidated the $.

Of course, I did not go to the server and check the SQL again, because $ is less secure in the first place, so I changed the way it is processed.

2. Using the foreach tag

The foreach tag is mainly used to build IN conditions; it can iterate over a collection inside the SQL.

Let's look at the syntax:

[figure: syntax of the foreach tag]

From the figure, we should understand how to use this tag instead.

For our project, the change was that the parameter originally passed in as a string became a List<Integer>. This is the perfect solution to the problem: it not only implements our function but also solves the security problem.
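The three versions of the query side by side, written out as an added example rather than the post's own mapper (the mapper namespace, the statement ids, the table name wwlr and the mapper method signatures in the comments are assumptions):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
    "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<!-- Added example, not the post's code. Assumed mapper interface (com.example.WwlrMapper):
       selectByLabelsDollar(@Param("showLabels") String showLabels)
       selectByLabelsHash(@Param("showLabels") String showLabels)
       selectByLabels(@Param("showLabels") List<Integer> showLabels)
     The table name "wwlr" is assumed to match the alias used in the post. -->
<mapper namespace="com.example.WwlrMapper">

  <!-- The post's first statement: ${} pastes the raw text "4,44,514" into the SQL, so the
       database sees IN (4,44,514). It returns the right rows, but the value is concatenated
       unquoted and unchecked, which is the SQL-injection exposure the post warns about. -->
  <select id="selectByLabelsDollar" resultType="map">
    SELECT * FROM wwlr WHERE wwlr.LabelId IN (${showLabels})
  </select>

  <!-- The post's second statement: #{} binds the whole string as ONE PreparedStatement
       parameter, so the database sees IN ('4,44,514') and only part of the data comes back. -->
  <select id="selectByLabelsHash" resultType="map">
    SELECT * FROM wwlr WHERE wwlr.LabelId IN (#{showLabels})
  </select>

  <!-- The fix: the caller passes a List<Integer> and foreach expands it to IN (?, ?, ?),
       one bound parameter per element. The statement stays precompiled and no caller
       text is ever spliced into the SQL. -->
  <select id="selectByLabels" resultType="map">
    SELECT * FROM wwlr
    WHERE wwlr.LabelId IN
    <foreach collection="showLabels" item="labelId" open="(" separator="," close=")">
      #{labelId}
    </foreach>
  </select>

</mapper>
```

With @Param("showLabels") the foreach's collection attribute refers to that named parameter; a single unannotated List parameter is exposed under the default name list instead.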


Original address: https://blog.csdn.net/j3T9Z7H/article/details/90388352

Origin blog.csdn.net/lm9521/article/details/91956845