//根据用户名和pwd查询用户
UserInfo queryUserInfoByUsernameAndPwd(@Param("userName") String userName,@Param("userPwd") String userPwd);
#号
<select id="queryUserInfoByUsernameAndPwd" resultType="UserInfo">
select * from user_info where username=#{userName} and user_password=#{userPwd}
</select>
public static void main( String[] args ) throws Exception{
SqlSession sqlSession = getSqlSession();
UserInfoMapper mapper=sqlSession.getMapper(UserInfoMapper.class);
UserInfo userInfo=mapper.queryUserInfoByUsernameAndPwd("zhangsan","123");
System.out.println(userInfo);
}
发现使用#号用“zhangsan”“123”去对应填充sql中的?
$
<select id="queryUserInfoByUsernameAndPwd" resultType="UserInfo">
select * from user_info where username=${userName} and user_password=${userPwd}
</select>
而使用$符号则使用""里的内容去直接拼接sql语句
需改成
public static void main( String[] args ) throws Exception{
SqlSession sqlSession = getSqlSession();
UserInfoMapper mapper=sqlSession.getMapper(UserInfoMapper.class);
UserInfo userInfo=mapper.queryUserInfoByUsernameAndPwd("'zhangsan'","'123'");
System.out.println(userInfo);
}
但是该方法存在注入问题:
public static void main( String[] args ) throws Exception{
SqlSession sqlSession = getSqlSession();
UserInfoMapper mapper=sqlSession.getMapper(UserInfoMapper.class);
UserInfo userInfo=mapper.queryUserInfoByUsernameAndPwd("'zhangsan' or 1=1","12345");
System.out.println(userInfo);
}
若修改为以上形式,无论密码正确与否都会成功
a or b and c ===> or的优先级小于and ==>a or (b and c)
a为true(username存在)直接查处该user的信息