mybatis与sql注入
来源:互联网 发布:linux grub命令进系统 编辑:程序博客网 时间:2024/06/04 04:32
Recently I was asked about how mybatis prevent sql injection, but I don't know.
Then I searched on the Internet, found something useful about sql injection.
First, Let's look the difference about Statement and PrepareStatement in Java.
If we create a sql like this
String sql = "select * from tb_name where name= ' " + varname + " ' and passwd = ' " + varpasswd + " ' " ;
Statement st = con.createStatement();
And we call the sql is dynamicly collage, If the client send varname and varpasswd are "admin" and" admin' or '1' = '1 ", what's the result of it?
this sql will like this
select * from tb_name where name= 'admin' and passwd = 'admin' or '1' = '1' ;
this is a typically sql injection, it will show all data;
if we use PrepareStatement , will like this:
perstmt=con.prepareStatement("select * from tb_name where name = ? and passwd = ?");
perstmt.setString(1, var1);
perstmt.setString(2, var2);
perstmt.execute();
it PrepareStatement will compile this sql in advance, and when you send the same parameters to it, it will become like this:
select * from tb_name where name= " admin " and passwd = "admin ' or '1' = '1 " ;
It sql will treate the wholeadmin' or '1' = '1 aspasswd ,
This is only becausePrepareStatement compile this sql in advance , and when you send parameters to it,
it will only replace the ? ,and prevent the sql injection.
it means that PrepareStatement compile the whole sql and only let you set the parameter to it as whole.
And mybatis , if we make like this
<select id ="getBlog" resultType="Blog" parameterType="int">
select * from blog where id= #{id}
</select>
when you see the log no matter what parameter you sent it , it will print
select * from blog where id = ?
in fact, it compile in advance ,it uses PrepareStatement to prevent sql injection.
But under some condictions, like the name of the table, the name of the column is parameter,is dynamctic, we must make it like this
<select id ="getBlog" resultType="Blog" parameterType="int">
select * from ${blog}
</select>
when you see the log when you pass "blog" to it, it will print
select * from blog
and in this case, it send parament directly to this sql ,can't prevent sql injection.
- mybatis与sql注入
- mybatis防止sql注入
- mybatis防止sql注入
- mybatis防止sql注入
- mybatis防止sql注入
- MyBatis防止sql注入
- mybatis防止sql注入
- mybatis防止sql注入
- mybatis防止sql注入
- mybatis防止sql注入
- Mybatis sql注入
- MyBatis SQL注入
- Mybatis防止SQL注入
- mybatis ${} sql注入
- mybatis防止sql注入
- mybatis防止sql注入
- mybatis防止sql注入
- Mybatis 防止SQL注入
- opencv:求视频的前n帧的融合图像
- turtlebot2+激光雷达
- ListView和Scrolloview共用View.measure(widthMeasureSpec, heightMeasureSpec) 空指针异常
- 反射、注解与依赖注入总结
- 在swift下 代码加载xib
- mybatis与sql注入
- iOS SDK 9.3下载 解决Could not find Developer Disk Image问题
- Oracle 并行操作
- 功能异常简单的贪吃蛇(队列实现)
- ViewPager刷新单个页面的方法
- Ubuntu安装jdk出现tar: Error is not recoverable: exiting now
- 浅谈Testin真机自动化App云测试
- Android 中Adapter归纳
- 经典排序算法----归并排序(稳定)