
MyBatis protect String Substitution parameter from sql injection

I need to protect (automatically) requests using String substitution in MyBatis ${myValue}.

From what I've seen, the substitution is done automatically in the GenericTokenParser class using the TokenHandler.handleToken method.

I can't find anything about getting a grab on those values. I can access PreparedStatement parameters using

sqlSession.getConfiguration().getMappedStatement(statement).getBoundSql(parameter).getParameterMappings()

But I really need to retrieve ${} parameters before sending the request to be able to modify the value if needed to protect from SQL Injection.

I thought about using AspectJ to intercept the TokenHandler.handleToken method. But I would really prefer to be able to inject my own handler or token parser.

Does anyone have a clue?


I'm working on a "framework" for future development, the aim is to have something automatic. Going through the whole parameter object isn't an option (could be heavy), we only want to protect those used in the request before executing it.

MyBatis has 2 substitution methods. The ${} method does direct string replacement (i.e. property substitution) so it's vulnerable to SQL injection. The #{} method does parameter substitution on a PreparedStatement so it is not vulnerable.

Are you sure you want to be using ${}? Unless you are dynamically building SQL statements, you probably want to use #{}. If you are building dynamic SQL, then you should validate the parameters before loading the MyBatis configuration.
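As an added illustration (not code from either poster), the following resolves ${} tokens with MyBatis's own GenericTokenParser and TokenHandler, but only lets a value through when it matches an allow-list of identifiers, which is the usual legitimate reason for ${} (column names in ORDER BY, table names). It runs as a stand-alone pre-check on the SQL text; the class names SafeSubstitutionExample and AllowListHandler, the allow-list contents and the sample inputs are all constructed for this example, and MyBatis 3.x is assumed on the classpath.

```java
import java.util.Map;
import java.util.Set;
import org.apache.ibatis.parsing.GenericTokenParser;
import org.apache.ibatis.parsing.TokenHandler;

public class SafeSubstitutionExample {

    // Constructed allow-list: the only identifiers a ${} token may expand to here.
    private static final Set<String> ALLOWED_COLUMNS = Set.of("id", "name", "created_at");

    /** Resolves one ${...} token; a value not on the allow-list is rejected outright. */
    static final class AllowListHandler implements TokenHandler {
        private final Map<String, String> params;

        AllowListHandler(Map<String, String> params) {
            this.params = params;
        }

        @Override
        public String handleToken(String content) {
            String value = params.get(content.trim());
            if (value == null || !ALLOWED_COLUMNS.contains(value)) {
                throw new IllegalArgumentException("Rejected ${" + content + "} value: " + value);
            }
            return value; // safe to splice: it is one of our own known identifiers
        }
    }

    /** Applies ${} substitution with validation; throws on any disallowed value. */
    static String substitute(String sql, Map<String, String> params) {
        GenericTokenParser parser = new GenericTokenParser("${", "}", new AllowListHandler(params));
        return parser.parse(sql);
    }

    public static void main(String[] args) {
        String sql = "SELECT id, name FROM users ORDER BY ${orderBy}";
        // Legitimate value: expands to a known column name.
        System.out.println(substitute(sql, Map.of("orderBy", "name")));
        // Constructed bad input: not an allowed identifier, so it never reaches the SQL text.
        try {
            substitute(sql, Map.of("orderBy", "name; -- constructed bad input"));
        } catch (IllegalArgumentException e) {
            System.out.println("Blocked: " + e.getMessage());
        }
    }
}
```

Values that are data rather than identifiers still belong in #{} placeholders, where the PreparedStatement binds them and no allow-list is needed.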
