Injection principle

Normal SQL: select * from example where name = 'tmriver'

Injected query: replace tmriver with tmriver' or '1=1 and the generated statement becomes select * from example where name = 'tmriver' or '1=1'

Injected delete: replace tmriver with tmriver'; delete from example where '1'='1 and the generated statement becomes select * from example where name = 'tmriver'; delete from example where '1'='1, which additionally executes a delete statement.

Java defenses

JDBC's PreparedStatement escapes quotes and other special characters inside the string. tmriver' or '1=1 is escaped to tmriver\' or \'1=1, so the final SQL is select * from example where name = 'tmriver\' or \'1=1', and the or condition no longer exists.

MyBatis: #{} uses PreparedStatement and prevents SQL injection; ${} splices the value straight into the SQL text like a plain Statement and does not prevent SQL injection.

MyBatis sort example (an allowlist of fixed order-by fragments selected with <if>, instead of ${} on user input):

<if test="orderType == 'a'.toString()">order by name asc, age desc</if>
<if test="orderType == 'b'.toString()">order by id asc, age desc</if>
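The three behaviours above (concatenation being injectable, a bound parameter being treated as a literal, and an allowlist for order-by fragments that cannot be bound) demonstrated as an added example, not code from the original post. It uses Python's sqlite3 as a stand-in for JDBC/MyBatis; the table, rows and the "a"/"b" order keys are constructed to mirror the post.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table mirroring the post's 'example' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table example (id integer, name text, age integer)")
    conn.executemany(
        "insert into example values (?, ?, ?)",
        [(1, "tmriver", 30), (2, "alice", 25), (3, "bob", 30)],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    # Vulnerable: the value is spliced into the SQL text, like MyBatis ${}
    # or a plain Statement. A quote in 'name' ends the literal early.
    sql = "select name from example where name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    # Safe: the value is bound to a placeholder, like JDBC
    # PreparedStatement or MyBatis #{}. It is compared as one literal
    # string, so a quote inside it never becomes SQL syntax.
    sql = "select name from example where name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Column names and sort direction cannot be bound as parameters, so
# order-by text comes from a fixed allowlist keyed by the user's choice,
# the same idea as the post's <if test="orderType == 'a'"> fragments.
ORDER_BY = {
    "a": "name asc, age desc",
    "b": "id asc, age desc",
}


def find_ordered(conn, order_type):
    clause = ORDER_BY.get(order_type)
    if clause is None:
        raise ValueError("unknown orderType: %r" % (order_type,))
    sql = "select name from example order by " + clause
    return [row[0] for row in conn.execute(sql)]
```

With the tautology input the concatenated query returns every row, while the bound query returns none, because no row is literally named "tmriver' or '1'='1".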