Small knowledge, big challenge! This article is participating in the “Essential Tips for Programmers” creation activity.

background

In MyBatis, both #{} and ${} are used to pass parameters into SQL, but they are handled very differently.

knowledge

The #{} placeholder is written like this:

select * from table_test where name = #{test1Param}

When executed, MyBatis turns it into the following SQL statement (the value "test" is bound as a parameter, so it arrives quoted):

select * from table_test where name = 'test';

The ${} placeholder is written like this:

select * from table_test where name = ${test1Param}

When executed, MyBatis splices the raw value into the statement text, producing the following SQL (note that the value is not quoted):

select * from table_test where name = test;

As the code above shows, the ${} placeholder is open to SQL injection: the value it passes is not precompiled but inserted directly into the statement text, so once the statement runs, whatever the value contains is executed as SQL. The #{} placeholder, by contrast, is precompiled (the value is bound as a parameter of a prepared statement), so it is not subject to SQL injection.

conclusion

Because SQL injection is such a serious risk, we strongly recommend using the # placeholder during development. After all, security is a very important consideration when building systems.

But there will always be cases where $ is used, such as passing a list of values into an IN clause, as shown in the following code.

select * from table_test where name in (${test1Param});

As shown above, the list is concatenated together in Java code and then passed in through the $ placeholder.
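The cases discussed on this page side by side, as an added example that is not code from the original article: a MyBatis annotation-based mapper (assumed: MyBatis 3.x on the classpath and a table table_test with a name column; the interface name, method names and parameter names are invented for this illustration) showing the #{} placeholder, the ${} IN-list case from the code above, and the <foreach> form that keeps every element of the IN list a bind parameter, which is what a practitioner should reach for before resorting to ${}.

```java
// Added example, not part of the original article or of MyBatis itself.
// Assumed: MyBatis 3.x, table_test(name VARCHAR). Names are invented.
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

@Mapper
public interface TableTestMapper {

    // #{}: MyBatis compiles "select * from table_test where name = ?"
    // and binds the value as a JDBC parameter. Quotes, keywords or
    // comment markers inside the value stay data; they never become SQL.
    @Select("select * from table_test where name = #{name}")
    List<Map<String, Object>> findByName(@Param("name") String name);

    // ${}: the string is spliced into the statement text before it is
    // compiled, exactly as the article's "in (${test1Param})" example.
    // Whatever the caller concatenated is executed as SQL, so this must
    // only ever receive text the application built itself from validated
    // values (see idList below), never a string taken from a request.
    @Select("select * from table_test where name in (${csv})")
    List<Map<String, Object>> findByNamesRaw(@Param("csv") String csv);

    // The preferred form for IN lists: <foreach> expands the collection to
    // "where name in (?, ?, ?)" and binds each element with #{}, so no
    // concatenation happens in Java code at all.
    @Select("<script>"
          + "select * from table_test where name in "
          + "<foreach collection='names' item='n' open='(' separator=',' close=')'>"
          + "#{n}"
          + "</foreach>"
          + "</script>")
    List<Map<String, Object>> findByNames(@Param("names") List<String> names);

    // Helper (invented for this example) for the rare case where ${} is
    // unavoidable: the text is built only from numeric ids, so nothing but
    // digits and commas can reach the statement. An empty list is rejected
    // because "in ()" is invalid SQL on most databases.
    static String idList(List<Long> ids) {
        if (ids == null || ids.isEmpty()) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        return ids.stream().map(String::valueOf).collect(Collectors.joining(","));
    }
}
```

With this mapper, user-supplied strings go through findByName or findByNames, where MyBatis binds them. findByNamesRaw exists only to show the ${} shape from the article; if you keep such a method, feed it nothing but the output of a builder like idList, and remember that <foreach> over an empty collection also yields "in ()", so guard the list length on the caller side in both variants.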