在使用 Mybatis 时,取值时,应尽量使用 # 取值,因为当使用 $ 取值时,会出现SQL注入的风险。
比如下面的登录校验语句,如果用户名输入 '' or 1=1 #
,可以实现SQL注入
<select id="getUserByNameAndPwd" resultType="com.cry.mall.entity.User">
select *
from c_user
where user_name = ${userName} and password = ${password}
</select>
查询语句取值后会变成:
select *
from c_user
where user_name = '' or 1=1 # and password = 'xxx'
换行导致无法SQL注入
但是,当 and 变成换行时,无法实现SQL注入
<select id="getUserByNameAndPwd" resultType="com.cry.mall.entity.User">
select *
from c_user
where user_name = ${userName}
and password = ${password}
</select>
因为 # 没有注释掉and语句,查询语句取值后会变成:
select *
from c_user
where user_name = '' or 1=1 #
and password = 'xxx'