Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Preventing SQL Injection In Ibatis

Is there anything built into Ibatis that helps prevent SQL Injection attacks? I'm not looking for a list of ways outside of Ibatis to do this, and am just wondering if Ibatis has anything to prevent SQL Injection.

like image 367
stevebot Avatar asked Oct 13 '10 20:10

stevebot


People also ask

How can SQL injection be prevented?

The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.

How do I avoid SQL injection in Mybatis?

In general, you should consider using #{} for string substitution instead of ${} . This is because #{} causes Mybatis to create a preparedStatement which prevents SQLInjection compared to ${} which would inject unmodified string into SQL.

Which JDBC class can help to prevent SQL injection attacks?

To prevent SQL Injection attacks in Java, you must treat user input passed to the SQL queries as untrusted and avoid dynamic SQL queries created using simple string concatenation. If possible, you should validate input against a whitelist and use parametrized queries also known as prepared statements in Java JDBC.


1 Answers

IBatis uses JDBC prepared statements under the hood and is therefore safe. However this only applies if your use the # notation. It's also possible to concat variables directly into your query using the $ notation which is not safe (unless you escape them). See this article for background info.

like image 89
Richard Kettelerij Avatar answered Oct 24 '22 19:10

Richard Kettelerij