“This is the 14th day of my participation in the August Text Challenge.
SQL injection:
SQL injection is refers to the legitimacy of the web application to user input data without judgment or filtering is lax, the attacker can be defined in advance in the web application at the end of the query statement to add extra SQL statements, the administrator unwittingly illegal operation, in order to realize deceived any query of the database server to perform unauthorized, Thus further get the corresponding data information
The most common injection risk in Mybatis is using ${} when writing.
The above picture illustrates the way JDBC leverages two precompiled event times;
- The first kind of
Preparedstatements can be written directly to SQL statements, followed by executeUpdate;
Preventing SQL injection
- ExecuteUpdate is an SQL Statement that is executed directly.
Is direct string concatenation
Mybatis obtains parameter values in two ways:
1. #{}– >preparedStatement is a wildcard preparedStatement that converts #{} into??
Insert into payment (serial) values(#{serial}); Don't worry about the single quotation marks, because when a String is assigned, it automatically adds "male" to it.Copy the code
${}–> SQL Statement; ${}–> SQL Statement
Insert into serial values('${serial}'); '${serial}' - must be handled with single quotes, they are not automatically added and may cause errors;Copy the code
Mybatis #{} and ${} what is the difference
Essence: # {} is precompiled processing, $} is string substitution.
(1) Mybatis will replace # {} with? Call the set method in PreparedStatement to assign the value.
${} = ${}; ${} = ${};
(3) Using # {child can effectively prevent SQL injection, improve system security. The reason: the precompilation mechanism. After precompilation is complete, the SQL structure is fixed. Even if users enter invalid parameters, the SQL structure is not affected, thus avoiding potential security risks.
(4) Precompilation is the pre-compilation of SQL statements in advance, and the parameters injected later will not be compiled in SQL. As we know, SQL injection takes place during compilation, because some special characters are injected for malicious purposes, and finally compiled into malicious execution operations. The precompilation mechanism prevents SQL injection
conclusion
For pre-compiled SQL, you can directly exclude the conditions of SQL injection, so as to make it non-invasive;