zoukankan      html  css  js  c++  java
  • Mybatis中的#和$的区别

    在mybatis中,配置参数要用#,不要用(符号。因为)不安全,容易被sql注入。讲是这么讲,但是如何注入的,大家一起来看看吧。

    一:下面我们写个关于“#”的个sql,看能不能注入。

     <select id="selectUser" resultMap="BaseResultMap">
        SELECT 
    	    acc.user_name FROM dfws_sys_user_account AS acc
        WHERE
            acc.user_name like #{userName}
      </select>
    

    1.正常传参

    DfwsSysUserAccount user = new DfwsSysUserAccount();
    user.setUserName("wanglingzhi");
    List<DfwsSysUserAccount> list = userAccountService.selectUser(user);
    if(list!=null && list.size()>0){
        for (DfwsSysUserAccount u:list) {
    	    System.out.println("用户名:"+u.getUserName());
        }
    }else{
            System.out.println("暂无数据");
    
    }
    

    sql打印:
    Preparing: SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name = ?
    Parameters: wanglingzhi(String)

    2.拼接传参

    DfwsSysUserAccount user = new DfwsSysUserAccount();
    user.setUserName("'wanglingzhi' or acc.user_name = 'shuizhong'");
    List<DfwsSysUserAccount> list = userAccountService.selectUser(user);
    if(list!=null && list.size()>0){
        for (DfwsSysUserAccount u:list) {
    	    System.out.println("用户名:"+u.getUserName());
        }
    }else{
            System.out.println("暂无数据");
    
    }
    

    sql打印:

    Preparing: SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name = ?

    Parameters: wanglingzhi or acc.user_name = shuizhong(String)

    二:下面我们写个关于“$”的个sql,看能不能注入。

    <select id="selectUser" resultMap="BaseResultMap">
        SELECT 
    	    acc.user_name FROM dfws_sys_user_account AS acc
        WHERE
            acc.user_name like ${userName}
      </select>
    

    1.正常传参

    DfwsSysUserAccount user = new DfwsSysUserAccount();
    user.setUserName("'wanglingzhi'");
    List<DfwsSysUserAccount> list = userAccountService.selectUser(user);
    if(list!=null && list.size()>0){
        for (DfwsSysUserAccount u:list) {
            System.out.println("用户名:"+u.getUserName());
        }
    }else{
            System.out.println("暂无数据");
    }
    

    打印sql:
    SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name = 'wanglingzhi'

    2.拼接传参

    DfwsSysUserAccount user = new DfwsSysUserAccount();
    user.setUserName("'wanglingzhi' or acc.user_name = 'shuizhong'");
    List<DfwsSysUserAccount> list = userAccountService.selectUser(user);
    if(list!=null && list.size()>0){
        for (DfwsSysUserAccount u:list) {
    	    System.out.println("用户名:"+u.getUserName());
        }
    }else{
            System.out.println("暂无数据");
    }
    

    打印sql:
    SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name = 'wanglingzhi' or acc.user_name = 'shuizhong'

    很显然,这里已经sql注入了。


    -----理解一下:
    这里有4个例子分别是:#的正常传参和拼接传参,(的正常传参和拼接传参。#正常传参的情况下,可以获取到数据,#拼接传参的情况下,被mybatis拦截,所以无法获取到数据。)正常传参和拼接传参都未被拦截,所以都可以获取到数据。也就出现了在$情况下的sql注入问题

  • 相关阅读:
    Shiro
    RabbitMQ
    RabbitMQ
    RabbitMQ
    RabbitMQ
    RabbitMQ
    RabbitMQ
    Java
    Java
    Java
  • 原文地址:https://www.cnblogs.com/miniSimple/p/12296989.html
Copyright © 2011-2022 走看看