使用Mybatis检查SQL注入的输入
[英]check input for SQL-Injection with Mybatis
问题描述
I'd like to check my input string for potential SQL-Injection. 
我想检查我的输入字符串中是否存在潜在的SQL注入。
Here is my class, method and query: 这是我的类,方法和查询:
public class UserNamesQuery {
public static String getUserNames(Map<String, Object> params) {
String userNames = (String) params.get("userNames");
return "SELECT * FROM users WHERE name IN (" + userNames + ") ";
}
}
Is there a tool or a quick way to validate that userNames is without SQL-Injection? 是否有工具或快速方法来验证userNames是否没有SQL注入?
Notice that I use Mybatis 请注意,我使用Mybatis
3 个解决方案
解决方案1
7 已采纳 2016-03-07 12:03:41
No. There is no way. 不行 And no need. 不用了
To be frank, there is no such thing like "SQL injection". 坦率地说,没有“ SQL注入”之类的东西。 There is only an exploit of improperly formatted query . 只有一种格式不正确的查询 。
So, instead of hunting down whatever "injections" you have to format your queries properly, by means of using prepared statements. 因此,您不必通过使用准备好的语句来查找任何“注入”,而是必须正确地设置查询的格式。
Any data, depends on context, could be either a potential injection or a harmless chunk of text. 根据上下文,任何数据都可能是潜在的注入,也可能是无害的文本块。 So, with whatever filtering function there will be too much false positives. 因此,无论使用什么过滤功能,都会有太多的误报。 Worse yet, whatever filtering is a "black list" implementation, means it will always be incomplete - it's just impossible to filter out all the codes used to exploit an injection. 更糟糕的是,无论什么过滤都是“黑名单”实现,都意味着它永远是不完整的-过滤掉用于利用注入的所有代码是不可能的。
On the other hand, prepared statement is a relatively simple solution that will be immune to any type of injection without even knowing them. 另一方面,准备好的陈述是一个相对简单的解决方案, 即使不知道它们 ,也不会受到任何类型的注射的影响。 Just because it won't let the data to interfere with the query. 仅仅因为它不会让数据干扰查询。
解决方案2
0 2016-07-26 10:57:09
Sanitizing input is not the way to prevent injections like this. 消毒输入不是防止此类注射的方法。 Using prepared statements is the way to go. 使用准备好的语句是可行的方法。
PreparedStatement ps = connection.prepareStatement("SELECT * FROM users WHERE username IN (?)"); //Add however many ?'s you want, if you have an array you can use a StringBuilder for this to add more ?'s
ps.setString(1, userName);
ResultSet rs = ps.executeQuery();
This will set the ? 这将设置? in the code to your string. 在代码中输入您的字符串。 The database driver then handles the rest. 然后,数据库驱动程序将处理其余部分。 If you have multiple values in the IN clause, use a StringBuilder and a loop to add more Questionmarks. 如果IN子句中有多个值,请使用StringBuilder和循环来添加更多问号。
Also notice how the indexing starts with 1 instead of 0. 还要注意索引是如何从1而不是0开始的。
解决方案3
-1 2019-08-08 13:12:37
mybatis sql template may be a good choose. mybatis sql模板可能是一个不错的选择。 FYI: 仅供参考:
<sql id="orderTypeSql">
<trim prefix=" ">
<if test="orderType=='desc'">desc</if>
</trim>
</sql>
<sql id="oderColumnSql">
<trim prefix="order by " suffix="" >
<choose>
<when test="orderColumn==null or orderColumn==''"></when>
<when test="orderColumn=='id'">
id<include refid="orderTypeSql"/>
</when>
<when test="orderColumn=='name'">
`name`<include refid="orderTypeSql"/>
</when>
</choose>
</trim>
</sql>
<select id="testOrderBy" resultType="User">
select
id,
`name`
from t_user
<include refid="oderColumnSql"/>
limit 0, 10
</select>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.