SqliMapper.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="top.whgojp.modules.sqli.mapper.SqliMapper">
<!-- Training mapper from a deliberately vulnerable lab: each *Vul statement is an
     intentional SQL injection sink, paired with the parameterized or whitelisted
     form that replaces it. The vulnerable statements are left as written on purpose.
     Note that every select here uses SELECT * and maps onto an entity that carries a
     password property, so the password column is returned to callers as well. -->
<!-- Maps a row of the sqli table onto the Sqli entity (id, username, password). -->
<resultMap id="BaseResultMap" type="top.whgojp.modules.sqli.entity.Sqli">
<id property="id" column="id" jdbcType="INTEGER"/>
<result property="username" column="username" jdbcType="VARCHAR"/>
<result property="password" column="password" jdbcType="VARCHAR"/>
</resultMap>
<!-- Reusable column list for <include refid="Base_Column_List"/>; includes the password column. -->
<sql id="Base_Column_List">
id,username,password
</sql>
<!-- Custom CRUD statements, written to contrast the two MyBatis parameter syntaxes.
#{value}: at statement preparation MyBatis replaces the parameter with a JDBC placeholder (?)
and binds the value at execution time, so caller input cannot change the SQL structure.
${value}: MyBatis pastes the parameter text into the SQL string verbatim before it reaches
the driver, so any caller-controlled value in a ${} position is a SQL injection sink.
-->
<!-- Parameterized insert: every value is bound with #{} and an explicit jdbcType. -->
<insert id="customInsert">
insert into sqli (id,username,password) values (#{id,jdbcType=INTEGER},#{username,jdbcType=VARCHAR},#{password,jdbcType=VARCHAR})
</insert>
<!-- Parameterized delete by primary key. -->
<delete id="customDelete">
delete from sqli where id = #{id,jdbcType=INTEGER}
</delete>
<!-- Commented-out update/select examples kept for reference; both use #{} only. -->
<!-- <update id="customUpdate">-->
<!-- update sqli set username = #{username,jdbcType=VARCHAR},password=#{password,jdbcType=VARCHAR} where id = #{id,jdbcType=INTEGER}-->
<!-- </update>-->
<!-- <select id="customSelect" resultType="top.whgojp.modules.sqli.entity.Sqli">-->
<!-- select * from sqli where id = #{id,jdbcType=INTEGER}-->
<!-- </select>-->
<!-- VULNERABLE (intentional): ORDER BY built by ${} concatenation.
     The value of "field" is spliced into the SQL unmodified, so the caller controls the
     entire ORDER BY expression, not just a column name. A column name cannot be supplied
     as a bound parameter, which is why people reach for ${} here; orderByWriteList below
     shows the whitelist pattern that makes it safe. -->
<select id="orderByVul" resultType="top.whgojp.modules.sqli.entity.Sqli">
SELECT * FROM sqli
<if test="field != null and field != ''">
ORDER BY ${field}
</if>
</select>
<!-- Not injectable, but not useful either: with #{} the driver binds "field" as a string
     literal, so the query sorts by a constant and the requested ordering never applies. -->
<select id="orderByPrepareStatement" resultType="top.whgojp.modules.sqli.entity.Sqli">
SELECT * FROM sqli
<if test="field != null and field != ''">
ORDER BY #{field}
</if>
</select>
<!-- Safe pattern: ${} is still used, but only after "field" has been compared in OGNL
     against a fixed whitelist of column names, so only one of those three literals can
     ever reach the SQL text. Any other value falls back to ORDER BY id rather than failing.
     The id reads "WriteList" but this is a whitelist; the id presumably matches the method
     name on the SqliMapper interface, so it is left unchanged. -->
<select id="orderByWriteList" resultType="top.whgojp.modules.sqli.entity.Sqli">
SELECT * FROM sqli
<if test="field != null and field != ''">
<choose>
<!-- Whitelist of sortable column names -->
<when test="field == 'id' or field == 'username' or field == 'password'">
ORDER BY ${field}
</when>
<otherwise>
<!-- Default: sort by id -->
ORDER BY id
</otherwise>
</choose>
</if>
</select>
<!-- VULNERABLE (intentional): the keyword is pasted inside a quoted LIKE pattern, so a
     single quote in the input closes the string literal and the remainder runs as SQL. -->
<select id="likeVul" resultType="top.whgojp.modules.sqli.entity.Sqli">
SELECT * FROM sqli WHERE username LIKE '%${keyword}%'
</select>
<!-- Safe against injection: the pattern is assembled with CONCAT around a bound parameter.
     Caveat: LIKE wildcards in the input (% and _) are still interpreted by the database,
     so a caller can widen the match; escape them in the caller and add an ESCAPE clause
     if exact-substring semantics matter. -->
<select id="likePrepareStatement" resultType="top.whgojp.modules.sqli.entity.Sqli">
SELECT * FROM sqli WHERE username LIKE CONCAT('%', #{keyword}, '%')
</select>
<!-- VULNERABLE (intentional): the "id" text is spliced into the IN list unquoted, so
     anything the caller appends after the first value is executed as part of the WHERE clause. -->
<select id="inVul" resultType="top.whgojp.modules.sqli.entity.Sqli">
select * from sqli where id in (${id})
</select>
<!-- Not injectable, but wrong for a list: #{} binds "id" as a single value, so a
     comma-separated string such as "1,2,3" is one bound parameter and IN matches at most
     one row (or fails conversion, depending on driver and column type). Use inSafeForeach. -->
<select id="inPrepareStatement" resultType="top.whgojp.modules.sqli.entity.Sqli">
select * from sqli where id in (#{id})
</select>
<!-- Safe list handling: <foreach> expands the "scope" collection into one #{} placeholder
     per element, so every id is bound individually.
     Caveat: an empty collection produces "IN ()", which is a syntax error on most databases.
     Reject empty input in the caller rather than wrapping the WHERE clause in an <if>,
     because dropping the WHERE clause would return every row. Also bound the collection
     size; each element becomes one placeholder in the statement. -->
<select id="inSafeForeach" resultType="top.whgojp.modules.sqli.entity.Sqli">
SELECT * FROM sqli WHERE id IN
<foreach collection="scope" item="id" open="(" separator="," close=")">
#{id}
</foreach>
</select>
</mapper>