
How to solve the problem of sql injection when mybatis uses ${}

2025-01-17 Update From: SLTechnology News&Howtos > Development


Shulou(Shulou.com)06/02 Report--

This article explains how to solve the SQL injection problem that arises when MyBatis uses ${}. The content is fairly detailed; interested readers can use it for reference, and I hope it is helpful to you.

Problems with sql injection when mybatis uses ${}

Recently, when launching the project, the code review failed, indicating the risk of sql injection.

ORDER BY ${orderBy}

It is a very simple sort field, but because it uses the ${} placeholder there is a risk of SQL injection. I believe you use this placeholder often; have you considered the SQL injection problem? The following briefly describes the difference between #{} and ${} and the SQL injection problem that comes with ${}.

Difference

#{} is a parameter placeholder: for String parameters the quotes are added automatically, for other types they are not. Because MyBatis precompiles the statement, the parameter values bound afterwards are no longer parsed as SQL, so SQL injection is prevented to some extent.

${} is plain string substitution: whatever the string contains is spliced into the SQL as-is.

Take order by as an example. If the parameter passed by the front end is id (assume id is of type String), then for order by #{id} the resulting SQL is order by "id", whereas for order by ${id} the resulting SQL is order by id. In the latter case there are unpredictable consequences when the user passes a parameter such as id && 1x1.

Solution method

Add a map to the original entity class

    public Map<String, String> indexMap = new HashMap<String, String>() {{
        put("spaceId", "space_id"); // key is the value passed by the front end, value is the corresponding database column
        put("optTime", "opt_time");
    }};

When a parameter is passed, check whether it is one of the map's keys; if so, use the corresponding value as the column to sort by.

    // Strings is Guava's com.google.common.base.Strings
    if (paramOptLog.getOrderBy() != null && !Strings.isNullOrEmpty(paramOptLog.getOrderBy())) {
        OptLog optLog = new OptLog();
        // look the front-end key up in the map; anything unknown falls back to sorting by id
        paramOptLog.setOrderBy(optLog.indexMap.getOrDefault(paramOptLog.getOrderBy(), "id"));
    }
    List list = optLogMapper.query4Page(paramOptLog);

In summary, the mapping leaves it to the programmer to decide what is actually passed through ${}: the dynamic SQL is turned into static SQL, so there is no SQL injection risk at the actual call.
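The allow-list approach above, written out as a stand-alone class (an added example, not code from the original article). It goes one step beyond the article by also restricting the sort direction; the class name OrderByResolver, the method names and the sample keys are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Resolve a client-supplied sort field and direction to an allow-listed SQL
// fragment before it reaches a mapper that still uses ORDER BY ${orderBy}.
// Only constants from this class ever end up in the SQL text.
public final class OrderByResolver {
    // key = value accepted from the front end, value = actual database column
    private static final Map<String, String> COLUMNS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("spaceId", "space_id");
        m.put("optTime", "opt_time");
        m.put("id", "id");
        COLUMNS = Collections.unmodifiableMap(m);
    }
    // The article does not validate direction; this is an extension (assumption).
    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");
    private static final String DEFAULT_COLUMN = "id";
    private static final String DEFAULT_DIRECTION = "ASC";

    private OrderByResolver() {}

    // Unknown keys fall back to the defaults, mirroring getOrDefault(..., "id")
    // in the article; untrusted text is never copied into the result.
    public static String resolve(String field, String direction) {
        String column = DEFAULT_COLUMN;
        if (field != null && COLUMNS.containsKey(field)) {
            column = COLUMNS.get(field);
        }
        String dir = DEFAULT_DIRECTION;
        if (direction != null && DIRECTIONS.contains(direction.toUpperCase())) {
            dir = direction.toUpperCase();
        }
        return column + " " + dir;
    }

    public static void main(String[] args) {
        // A known key maps to its column name.
        System.out.println(resolve("optTime", "desc"));
        // Anything outside the allow-list, including the article's id && 1x1,
        // resolves to the default and cannot alter the statement.
        System.out.println(resolve("id && 1x1", "sideways"));
        // The mapper keeps ORDER BY ${orderBy} but is only ever fed resolve(...)'s result.
    }
}
```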

$ and # in MyBatis SQL injection problems

Using the $ symbol in mybatis

The statement is not precompiled, so it can be SQL-injected.

The injection method is as follows:

As long as the username is correct, any password passes verification.

After this input, the query statement in the database is as follows:

Select id,username,password from userLogin where username='admin' OR 1=1 and password='23'

SQL explanation: AND has higher precedence than OR. So 1=1 and password='23' at the end is evaluated first and is false; then username='admin' at the front is evaluated and is true.

The two are joined by OR, and true OR false is true, so the check passes directly and the attacker can log in as the admin user normally.

Using the # symbol in mybatis

With #{} the statement is precompiled, which prevents SQL injection. Injection only works when the input is parsed as part of the SQL at compile time; with precompilation the SQL is compiled with placeholders instead of the parameter values, and the values are only bound when the statement is actually executed, so they are never parsed as SQL.

That is how to solve the SQL injection problem when MyBatis uses ${}. I hope the above content is helpful to you and helps you learn more. If you think the article is good, you can share it for more people to see.
