avoid errors/injection in string substitution


Pablo León

May 15, 2019, 12:59:06 PM5/15/19
to mybatis-user
Hi,

What is the best way to avoid SQL errors and/or injection due to existing apostrophes in string substitution (${})? I know the ideal is not to use string substitution at all, but sometimes it is the only way to deal with engine limitations or complex situations. Typical usage case is in like predicates:

     select * from table where column like '%search_string_entered_by_user%'

Regards,

Pablo.


肖凡

May 16, 2019, 1:55:11 AM5/16/19
to Pablo León, mybatis-user
Use function concat instead.


Iwao AVE!

May 19, 2019, 6:39:56 AM5/19/19
to mybatis-user, Pablo León
Hi Pablo,

You really should not use ${} when the value is provided by users. ☢️
There are several approaches and using 'concat' or '||' is one of them.
Regards,
Iwao
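As an added example (not posted in this thread), a MyBatis mapper that puts the `${}` form from Pablo's question next to the parameter-bound alternatives Iwao mentions; the namespace, statement ids, table and column names are assumed:

```xml
<mapper namespace="example.SearchMapper">

  <!-- Unsafe: ${} splices the raw user value into the SQL text before it reaches
       JDBC, so a stray apostrophe breaks the statement and a crafted value can
       change its meaning. Kept here only to show the pattern being replaced. -->
  <select id="findLikeUnsafe" resultType="map">
    select * from table_name where column_name like '%${search}%'
  </select>

  <!-- Safe: #{} becomes a JDBC bind parameter. The wildcards are added by the
       database's CONCAT function, so the value itself is never parsed as SQL. -->
  <select id="findLikeConcat" resultType="map">
    select * from table_name where column_name like concat('%', #{search}, '%')
  </select>

  <!-- Same idea with the || operator, on engines that use it for concatenation. -->
  <select id="findLikePipes" resultType="map">
    select * from table_name where column_name like '%' || #{search} || '%'
  </select>

  <!-- Engine-independent: build the pattern in MyBatis with <bind> (OGNL
       expression over the "search" parameter), then bind the result with #{}. -->
  <select id="findLikeBind" resultType="map">
    <bind name="pattern" value="'%' + search + '%'"/>
    select * from table_name where column_name like #{pattern}
  </select>

</mapper>
```

Binding with `#{}` stops the value from being parsed as SQL, but `%` and `_` inside it are still LIKE wildcards; escape them in Java and add an ESCAPE clause if a literal match is required.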
