A brief discussion on the difference between # and $ in mybatis and how to prevent SQL injection
Jan 05, 2017 05:21 PM
The difference between # and $ in MyBatis
1. # treats the incoming data as a string and automatically wraps the incoming value in double quotation marks. For example, with order by #user_id#, if the value passed in is 111, the parsed SQL is order by "111"; if the value passed in is id, the parsed SQL is order by "id".
2. $ places the incoming data directly into the generated SQL. For example, with order by $user_id$, if the value passed in is 111, the parsed SQL is order by 111; if the value passed in is id, the parsed SQL is order by id.
3. The # method prevents SQL injection to a great extent.
4. The $ method cannot prevent SQL injection.
5. The $ method is generally used to pass in database objects, such as table names.
6. Wherever # can be used, do not use $.
Preventing SQL injection
Note: Do not write the SQL statement as select * from t_stu where s_name like '%$name$%'; this form is extremely vulnerable to injection attacks.
Parameters written as "${xxx}" are spliced directly into the SQL text before it is compiled, so injection cannot be prevented for them. However, dynamic table names and column names can only be supplied in the "${xxx}" form.
When writing MyBatis mapping statements, use the "#{xxx}" form wherever possible. If you must use "${xxx}" parameters, you must filter them manually to prevent SQL injection attacks.
Example
<sql id="condition_where">
    <isNotEmpty property="companyName" prepend=" and ">
        t1.company_name like #companyName#
    </isNotEmpty>
</sql>
The Java code is essentially the same as your original and works as is. If you find the repetition tedious, the null check and the '%' wrapping can be encapsulated into a helper method.
// Wrap the value in % in Java so the whole LIKE pattern is passed as a single #companyName# parameter
if (!StringUtil.isEmpty(this.companyName)) {
    table.setCompanyName("%" + this.companyName + "%");
}
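Both halves of the advice above, the bound LIKE parameter and the manually filtered dynamic identifier, written as a MyBatis 3 annotation mapper. This is an added illustration, not code from the original post; StudentQueries, StudentMapper and the t_stu column names other than s_name are assumed.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added illustration, not code from the original post. StudentQueries, StudentMapper and
// the t_stu column names other than s_name are assumed for the example.
public class StudentQueries {

    public interface StudentMapper {
        // #{pattern} becomes a ? placeholder in a PreparedStatement: the value is sent to the
        // driver separately from the SQL text, so quotes or keywords inside it cannot change
        // the statement. This is the safe replacement for like '%$name$%' from the text.
        @Select("select * from t_stu where s_name like #{pattern}")
        List<Map<String, Object>> findByName(@Param("pattern") String pattern);

        // ${column} is pasted into the SQL text before the statement is prepared. That is the
        // only way to make an identifier dynamic, and also why the value must be filtered first.
        @Select("select * from t_stu order by ${column}")
        List<Map<String, Object>> findAllOrderedBy(@Param("column") String column);
    }

    // Whitelist of identifiers that may be spliced in via ${column} (assumed column set).
    private static final Set<String> SORTABLE_COLUMNS = Set.of("s_id", "s_name", "s_age");

    private final StudentMapper mapper;

    public StudentQueries(StudentMapper mapper) {
        this.mapper = mapper;
    }

    // Build the LIKE pattern in Java so the whole "%...%" string is one bound parameter,
    // the same approach as the companyName snippet in the text.
    public List<Map<String, Object>> searchByName(String userInput) {
        return mapper.findByName("%" + userInput + "%");
    }

    // The manual filtering the text requires for ${xxx}: exact match against the whitelist,
    // then pass the whitelisted value on, never an unchecked request value.
    // (Null is rejected before contains(), since Set.of() throws on a null lookup.)
    public List<Map<String, Object>> listOrderedBy(String requestedColumn) {
        if (requestedColumn == null || !SORTABLE_COLUMNS.contains(requestedColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + requestedColumn);
        }
        return mapper.findAllOrderedBy(requestedColumn);
    }
}
```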
The above is a brief discussion of the difference between # and $ in MyBatis and how to prevent SQL injection. For more related articles, please follow the PHP Chinese website.