How does MyBatis prevent SQL injection?
By escaping the parameters:
For example, in the SQL below, if the parameter prdtNo contains characters that could cause SQL injection, MyBatis escapes them.
<select id="queryCustomerDetail" resultMap="customerInfoMap">
    select
    <include refid="Base_LinkColimn_list"/>
    from FSP_CUSTOMER_INFO i inner join FSP_CUST_RELATION r
    on i.id=r.cust_id where i.CIF_NO = #{cifNo,jdbcType=VARCHAR}
    and r.PRODUCT_NO=#{prdtNo,jdbcType=VARCHAR}
</select>
Reference answer A: Use # for input parameters and do not use $, and SQL injection is prevented.
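To make the difference between #{} and ${} concrete, here is an added example (not code from the answers above): it rewrites the mapper's #{...} placeholders into JDBC-style ? parameters the way MyBatis does, splices ${...} into the SQL text, and runs both forms against a constructed in-memory SQLite copy of the two tables. The schema, the sample rows and the spelled-out select list (the <include> is not resolved here) are assumptions.

```python
import re
import sqlite3
# Constructed in-memory schema and rows mirroring the tables in the mapper above (sample data).
SCHEMA = """
CREATE TABLE FSP_CUSTOMER_INFO (id INTEGER PRIMARY KEY, CIF_NO TEXT, NAME TEXT);
CREATE TABLE FSP_CUST_RELATION (cust_id INTEGER, PRODUCT_NO TEXT);
INSERT INTO FSP_CUSTOMER_INFO VALUES (1, 'C001', 'alice'), (2, 'C002', 'bob');
INSERT INTO FSP_CUST_RELATION VALUES (1, 'P-1'), (2, 'P-2');
"""
# The page's query, with the select list spelled out since <include> is not resolved here.
QUERY = ("select i.NAME from FSP_CUSTOMER_INFO i inner join FSP_CUST_RELATION r "
         "on i.id=r.cust_id where i.CIF_NO = #{cifNo,jdbcType=VARCHAR} "
         "and r.PRODUCT_NO=#{prdtNo,jdbcType=VARCHAR}")
# The same mapper written with ${} (a mapper author would quote the value by hand: '${prdtNo}').
QUERY_DOLLAR = QUERY.replace("#{", "'${").replace("}", "}'")

def bind_hash(sql, params):
    """#{name,attrs} becomes a '?' placeholder; the value is sent separately as a bound parameter."""
    names = []
    def placeholder(m):
        names.append(m.group(1).split(",")[0].strip())
        return "?"
    prepared = re.sub(r"#\{([^}]*)\}", placeholder, sql)
    return prepared, [params[n] for n in names]

def splice_dollar(sql, params):
    """${name} is pasted into the SQL text verbatim, so the value becomes part of the statement."""
    return re.sub(r"\$\{([^}]*)\}", lambda m: str(params[m.group(1).split(",")[0].strip()]), sql)

def run(sql, args=()):
    """Execute against a fresh in-memory SQLite database; return rows, or the parser's error text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return [row[0] for row in conn.execute(sql, args)]
    except sqlite3.Error as e:
        return f"SQL error: {e}"
    finally:
        conn.close()

def query_hash(cif_no, prdt_no):
    prepared, args = bind_hash(QUERY, {"cifNo": cif_no, "prdtNo": prdt_no})
    return run(prepared, args)

def query_dollar(cif_no, prdt_no):
    return run(splice_dollar(QUERY_DOLLAR, {"cifNo": cif_no, "prdtNo": prdt_no}))

if __name__ == "__main__":
    for value in ("P-1", "O'Hara"):  # a plain product number, then one containing a quote
        print(value, "#{}:", query_hash("C001", value), "${}:", query_dollar("C001", value))
```

With #{} the quote in O'Hara is just data and the query simply finds no row; with ${} the same quote ends the string literal and changes the statement itself, which is the mechanism behind the injection risk.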
MyBatis-Plus: the one fix you need when a custom SQL injector does not take effect
Problem analysis
Invalid bound statement (not found)
If you are reading this, you have run into this problem too (obviously). In the previous article (MyBatis-Plus: a guide to a custom BaseMapper) we ended up registering the injector in the Spring container with the @Component annotation, or in some places with @Bean (six of one, half a dozen of the other), but strangely it never took effect, because…
import com.baomidou.mybatisplus.core.injector.AbstractMethod;
import com.baomidou.mybatisplus.core.injector.DefaultSqlInjector;
import org.springframework.stereotype.Component;
import java.util.List;

/**
 * @author Lux Sun
 * @date 2022/1/14
 */
@Component
public class DSqlInjector extends DefaultSqlInjector {
    @Override
    public List<AbstractMethod> getMethodList(Class<?> mapperClass) {
        List<AbstractMethod> methodList = super.getMethodList(mapperClass);
        // DeletePhysically is the custom AbstractMethod defined in the previous article
        methodList.add(new DeletePhysically());
        return methodList;
    }
}
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class MyConfiguration {
    @Bean
    public DSqlInjector sqlInjector() {
        return new DSqlInjector();
    }
}
Solution
Why? Assuming you have not made one of the basic mistakes (for example, the package holding the annotated class is not scanned), the most likely cause is that you are using a custom SqlSessionFactory, which does not initialise the custom SQL injector you defined earlier. Once you know that, the problem is basically solved: either remove the SqlSessionFactory from the integrated project, or add the GlobalConfig initialisation line "globalConfig.setSqlInjector(new DSqlInjector());".
import com.baomidou.mybatisplus.core.MybatisConfiguration;
import com.baomidou.mybatisplus.core.config.GlobalConfig;
import com.baomidou.mybatisplus.core.handlers.MetaObjectHandler;
import com.baomidou.mybatisplus.core.toolkit.GlobalConfigUtils;
import com.baomidou.mybatisplus.extension.plugins.PaginationInterceptor;
import com.baomidou.mybatisplus.extension.spring.MybatisSqlSessionFactoryBean;
import org.apache.ibatis.plugin.Interceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.DependsOn;
import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
import org.springframework.util.StringUtils;

// This bean method lives in the project's @Configuration class; dynamicDataSourceProperties,
// dynamicDataSource() and SpringCtxUtil are members of that project and are not shown here.
@Bean
@DependsOn("springCtxUtil")
public MybatisSqlSessionFactoryBean sqlSessionFactoryBean() throws Exception {
    MybatisSqlSessionFactoryBean sqlSessionFactory = new MybatisSqlSessionFactoryBean();
    // basic config
    String logicNotDeleteValue = "", logicDeleteValue = "", metaObjectHandler = "", typeEnumsPackage = "", typeHandlersPackage = "";
    if (null != dynamicDataSourceProperties.getGlobalConfig()) {
        logicNotDeleteValue = dynamicDataSourceProperties.getGlobalConfig().getLogicNotDeleteValue();
        logicDeleteValue = dynamicDataSourceProperties.getGlobalConfig().getLogicDeleteValue();
        metaObjectHandler = dynamicDataSourceProperties.getGlobalConfig().getMetaObjectHandler();
        typeEnumsPackage = dynamicDataSourceProperties.getGlobalConfig().getTypeEnumsPackage();
        typeHandlersPackage = dynamicDataSourceProperties.getGlobalConfig().getTypeHandlersPackage();
    }
    MybatisConfiguration configuration = new MybatisConfiguration();
    GlobalConfig globalConfig = GlobalConfigUtils.defaults();
    GlobalConfig.DbConfig dbConfig = new GlobalConfig.DbConfig();
    globalConfig.setDbConfig(dbConfig);
    // [See? Here I am!] a custom SqlSessionFactory has to register the injector itself
    globalConfig.setSqlInjector(new DSqlInjector());
    if (!StringUtils.isEmpty(metaObjectHandler)) {
        MetaObjectHandler metaObjectHandlerBean = (MetaObjectHandler) Class.forName(metaObjectHandler).newInstance();
        globalConfig.setMetaObjectHandler(metaObjectHandlerBean);
    }
    if (!StringUtils.isEmpty(logicDeleteValue)) {
        dbConfig.setLogicDeleteValue(logicDeleteValue);
    }
    if (!StringUtils.isEmpty(logicNotDeleteValue)) {
        dbConfig.setLogicNotDeleteValue(logicNotDeleteValue);
    }
    if (null != dynamicDataSourceProperties.getGlobalConfig() && null != dynamicDataSourceProperties.getGlobalConfig().getDefaultEnumTypeHandler()) {
        configuration.setDefaultEnumTypeHandler(dynamicDataSourceProperties.getGlobalConfig().getDefaultEnumTypeHandler());
    }
    if (!StringUtils.isEmpty(typeEnumsPackage)) {
        sqlSessionFactory.setTypeEnumsPackage(typeEnumsPackage);
    }
    if (!StringUtils.isEmpty(typeHandlersPackage)) {
        sqlSessionFactory.setTypeHandlersPackage(typeHandlersPackage);
    }
    configuration.setCacheEnabled(false);
    sqlSessionFactory.setConfiguration(configuration);
    sqlSessionFactory.setGlobalConfig(globalConfig);
    // enable the pagination plugin
    PaginationInterceptor paginationInterceptor = (PaginationInterceptor) SpringCtxUtil.getBean("paginationInterceptor");
    if (null != paginationInterceptor) {
        sqlSessionFactory.setPlugins(new Interceptor[]{paginationInterceptor});
    }
    // configure the data source; this is the key setting: unless dynamicDataSource is the data source, switching cannot work
    sqlSessionFactory.setDataSource(dynamicDataSource());
    // scan model classes
    String typeAliasesPackage = dynamicDataSourceProperties.getTypeAliasesPackage();
    if (!StringUtils.isEmpty(typeAliasesPackage)) {
        sqlSessionFactory.setTypeAliasesPackage(typeAliasesPackage);
    }
    // scan mapper XML files
    String mapperLocations = dynamicDataSourceProperties.getMapperLocations();
    if (!StringUtils.isEmpty(mapperLocations)) {
        sqlSessionFactory.setMapperLocations(new PathMatchingResourcePatternResolver().getResources(mapperLocations));
    }
    return sqlSessionFactory;
}