016.Mybatis预防SQL注入攻击
1.Sql注入是什么
2.两种传值方式
3.相关语句（只有在高级查询必须进行 SQL 拼接时才用 $，如 ${order}，但绝对不能让用户从前台输入）
<!-- #{title} is bound as a prepared-statement parameter, so its value is never parsed as SQL.
     ${order} is spliced into the statement text verbatim; it must only ever come from
     application-controlled constants, never from user input. -->
<select id="selectByTitle" parameterType="java.util.Map" resultType="com.imooc.mybatis.entity.Goods">
select *
from t_goods
where title = #{title} ${order}
</select>
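/**
 * Shows how the two MyBatis placeholders behave against an SQL-injection payload.
 *
 * <p>{@code #{title}} is sent as a bound prepared-statement parameter, so the whole
 * payload is compared against the {@code title} column as one literal string and the
 * embedded {@code or 1=1} never becomes SQL. {@code ${order}} is spliced into the
 * statement text verbatim; here it is a constant, and it must never be built from
 * user input.
 *
 * @throws Exception if the session cannot be opened or the query fails
 */
@Test
public void testSelectByTitle() throws Exception
{
    SqlSession session = null;
    try
    {
        session = MyBatisUtils.openSession();
        // Typed map instead of a raw HashMap; the mapper reads "title" and "order" by key.
        Map<String, Object> param = new HashMap<>();
        /*
         * With ${} (verbatim interpolation) the statement would become:
         * select * from t_goods
         * where title = '' or 1 =1 or title = '【德国】爱他美婴幼儿配方奶粉1段800g*2罐 铂金版'
         */
        /*
         * With #{} (prepared statement) the value stays a single bound literal:
         * select * from t_goods
         * where title = "'' or 1 =1 or title = '【德国】爱他美婴幼儿配方奶粉1段800g*2罐 铂金版'"
         */
        param.put("title", "'' or 1=1 or title='斯利安 孕妈专用 洗发水 氨基酸表面活性剂 舒缓头皮 滋养发根 让你的秀发会喝水 品质孕妈'");
        // Trusted, hard-coded ORDER BY fragment for ${order}; never derive this from request data.
        param.put("order", " order by title desc");
        List<Goods> list = session.selectList("goods.selectByTitle", param);
        for (Goods g : list)
        {
            System.out.println(g.getTitle() + ":" + g.getCurrentPrice());
        }
    }
    // No catch block: the former catch (Exception e) { throw e; } only rethrew unchanged,
    // so a failing query still propagates and fails the test.
    finally
    {
        // NOTE(review): assumed to tolerate a null session when openSession() threw — confirm in MyBatisUtils.
        MyBatisUtils.closeSession(session);
    }
}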