Comments (5)
PreparedStatement
Does PreparedStatement work with every database? If string-type Args get special handling, do you have a good implementation approach that also avoids degrading performance as far as possible?
from gomybatis.
select * from biz_activity where delete_flag = 1 and name = 'hello'
SQLite does not support PreparedStatement. PHP seems to have simulated one by implementing its own pre-processing; if you have a concrete algorithm for implementing it, you are welcome to submit code~~
1) I mainly use MySQL day to day; from a quick look, mysql, tidb and sqlite (the mattn version) all seem to support preparedStatement;
2) As for implementing preparedStatement, I estimate the change would not be small [referring to the tidb source https://github.com/pingcap/tidb/blob/06629d6ac47cfa3be37b14d1b80efcb7b753a305/session/session.go], and, more importantly, my reflection skills are nowhere near the author's;
3) Doing character filtering and handling of injection inside buildSql() is not perfect but is simple; I'll find time later to try implementing this approach.
It would be perfect if preparedStatement could be implemented at the code layer.
Test method:
Run the TestSelectTemplete test in Example_test.go;
Running the test [no injection]:

```go
var result, err = exampleActivityMapper.SelectTemplete("hello")
```

Result:

```
=== RUN TestSelectTemplete
2019/09/07 18:13:52 [GoMybatis] [bbb4b0b9-1366-4475-9c96-185ed12366b8] Query ==> select * from biz_activity where delete_flag = 1 and name = 'hello'
2019/09/07 18:13:52 [GoMybatis] [bbb4b0b9-1366-4475-9c96-185ed12366b8] Close session
2019/09/07 18:13:52 [GoMybatis] [bbb4b0b9-1366-4475-9c96-185ed12366b8] ReturnRows <== 1
result= [{167 hello ceshi 3 0001-01-01 00:00:00 +0000 UTC 0}]
--- PASS: TestSelectTemplete (0.00s)
```

Running the test [with injection]:

```go
var result, err = exampleActivityMapper.SelectTemplete("hello' OR 'A'!='")
```

**Result**:

```
=== RUN TestSelectTemplete
2019/09/07 17:58:23 [GoMybatis] [72d49711-1f09-4cfe-a298-acbef3872781] Query ==> select * from biz_activity where delete_flag = 1 and name = 'hello' OR 'A'!=''
2019/09/07 17:58:23 [GoMybatis] [72d49711-1f09-4cfe-a298-acbef3872781] Close session
2019/09/07 17:58:23 [GoMybatis] [72d49711-1f09-4cfe-a298-acbef3872781] ReturnRows <== 7
result= [{165 安利一波大表哥 ceshi 1 0001-01-01 00:00:00 +0000 UTC 0} {166 注册送好礼 测试 2 0001-01-01 00:00:00 +0000 UTC 0} {167 hello ceshi 3 0001-01-01 00:00:00 +0000 UTC 0} {168 rs168 4 0001-01-01 00:00:00 +0000 UTC 0} {169 rs168 5 0001-01-01 00:00:00 +0000 UTC 0} {170 rs168-8 6 0001-01-01 00:00:00 +0000 UTC 0} {171 rs168 0 0001-01-01 00:00:00 +0000 UTC 0}]
--- PASS: TestSelectTemplete (0.01s)
```

Note: I finally found time these past couple of days to study your source code and learned a lot, many thanks. I feel this SQL injection risk is mainly caused by building the SQL by concatenating strings directly; string-type Args could be given special handling during `session, sql, err = buildSql(proxyArg, nodes, sessionEngine.SqlBuilder())`, or alternatively, as Java MyBatis does, use a PreparedStatement first and then pass the parameters when executing.
The latest version, v6.0.0, uses prepared SQL throughout, relying on the database's precompiled SQL. This completely solves the SQL injection problem.
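The three ways of handling the string argument that this thread discusses, side by side, as an added example: the string interpolation the issue reproduces, the "filter characters in buildSql()" idea from the reporter's third point, and the placeholder-plus-bound-values shape that a prepared-statement approach produces. This is not GoMybatis's own buildSql or its v6.0.0 implementation; the `#{name}` marker mirrors the `#{key}` template syntax mentioned on the page, but the template constant, the three builder functions and their signatures are my own assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed template: #{name} marks the parameter position, in the spirit of the
// mapper's #{key} syntax. This is not the project's real mapper XML.
const selectTemplate = "select * from biz_activity where delete_flag = 1 and name = #{name}"

// BuildInterpolated reproduces what the issue observed: the string argument is
// quoted and pasted into the SQL text. Deliberately vulnerable, kept as the
// "before" case.
func BuildInterpolated(tmpl string, args map[string]string) string {
	out := tmpl
	for k, v := range args {
		out = strings.ReplaceAll(out, "#{"+k+"}", "'"+v+"'")
	}
	return out
}

// BuildEscaped is the character-filtering idea from the thread: double every
// single quote before pasting. It neutralises this particular payload, but it
// is dialect dependent (MySQL also honours backslash escapes unless
// NO_BACKSLASH_ESCAPES is set) and offers nothing for numeric or identifier
// positions, so it is shown only as the weaker alternative.
func BuildEscaped(tmpl string, args map[string]string) string {
	out := tmpl
	for k, v := range args {
		escaped := strings.ReplaceAll(v, "'", "''")
		out = strings.ReplaceAll(out, "#{"+k+"}", "'"+escaped+"'")
	}
	return out
}

// BuildPrepared emits only ? placeholders in the SQL text and returns the values
// separately, in placeholder order, which is the (sql, args...) pair that
// database/sql's Query/Exec hand to the driver. The driver sends the value out of
// band, so a quote inside it can never become SQL syntax.
func BuildPrepared(tmpl string, args map[string]string) (string, []interface{}) {
	var sb strings.Builder
	var vals []interface{}
	rest := tmpl
	for {
		start := strings.Index(rest, "#{")
		if start < 0 {
			sb.WriteString(rest)
			break
		}
		end := strings.Index(rest[start:], "}")
		if end < 0 { // unterminated marker: keep the remaining text verbatim
			sb.WriteString(rest)
			break
		}
		key := rest[start+2 : start+end]
		sb.WriteString(rest[:start])
		sb.WriteString("?")
		vals = append(vals, args[key])
		rest = rest[start+end+1:]
	}
	return sb.String(), vals
}

func main() {
	// The injection input from the issue's test run.
	payload := map[string]string{"name": "hello' OR 'A'!='"}

	fmt.Println(BuildInterpolated(selectTemplate, payload))
	// select * from biz_activity where delete_flag = 1 and name = 'hello' OR 'A'!=''
	fmt.Println(BuildEscaped(selectTemplate, payload))
	sql, vals := BuildPrepared(selectTemplate, payload)
	fmt.Printf("%s  args=%q\n", sql, vals)
}
```

Running it prints the same injected query the issue log shows for the interpolated case, a single literal for the escaped case, and `... name = ?` with the payload carried as a bound value for the prepared case. The prepared form is the only one whose safety does not depend on knowing the target dialect's quoting rules, which is why the maintainer's move to prepared SQL closes the hole rather than narrowing it.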