Menu
Is there anything built into Ibatis that helps prevent SQL Injection attacks? I'm not looking for a list of ways outside of Ibatis to do this, and am just wondering if Ibatis has anything to prevent SQL Injection.
367
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
In general, you should consider using #{} for string substitution instead of ${} . This is because #{} causes Mybatis to create a preparedStatement which prevents SQLInjection compared to ${} which would inject unmodified string into SQL.
To prevent SQL Injection attacks in Java, you must treat user input passed to the SQL queries as untrusted and avoid dynamic SQL queries created using simple string concatenation. If possible, you should validate input against a whitelist and use parametrized queries also known as prepared statements in Java JDBC.
IBatis uses JDBC prepared statements under the hood and is therefore safe. However this only applies if your use the # notation. It's also possible to concat variables directly into your query using the $ notation which is not safe (unless you escape them). See this article for background info.
89
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
