
I need to protect (automatically) requests using String substitution in MyBatis ${myValue}.

From what I've seen, the substitution is done automatically in the GenericTokenParser class using the TokenHandler.handleToken method.

I can't find anything about getting a grab on those values. I can access PreparedStatement parameters using

sqlSession.getConfiguration().getMappedStatement(statement).getBoundSql(parameter).getParameterMappings()

But I really need to retrieve ${} parameters before sending the request to be able to modify the value if needed to protect from SQL Injection.

I thought about using AspectJ to intercept the TokenHandler.handleToken method. But I would really prefer to be able to inject my own handler or token parser.

Does anyone have a clue?


I'm working on a "framework" for future development, the aim is to have something automatic. Going through the whole parameter object isn't an option (could be heavy), we only want to protect those used in the request before executing it.

1 Answer

MyBatis has 2 substitution methods. The ${} method does direct string replacement (i.e. property substitution) so it's vulnerable to SQL injection. The #{} method does parameter substitution on a PreparedStatement so it is not vulnerable.

Are you sure you want to be using ${}? Unless you are dynamically building SQL statements, you probably want to use #{}. If you are building dynamic SQL, then you should validate the parameters before loading the MyBatis configuration.
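The contrast the answer draws, as an added example that is not part of the original question or answer: a mapper that keeps user-controlled values in #{} (a PreparedStatement placeholder), confines ${} to a whitelisted identifier where a placeholder cannot be used (ORDER BY), and a MyBatis Interceptor that records the rendered SQL just before it is prepared, which is the closest the plugin API gets to "grabbing the values before the request is sent". The table and column names (users, user_name, created_at), the class names and the whitelist are all hypothetical; the annotations and plugin types are MyBatis 3.5.x APIs.

```java
// Added example, not code from the question or the answer. Assumes MyBatis 3.5.x
// and a hypothetical "users" table with columns id, user_name, created_at.
import java.sql.Connection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.executor.statement.StatementHandler;
import org.apache.ibatis.plugin.Interceptor;
import org.apache.ibatis.plugin.Intercepts;
import org.apache.ibatis.plugin.Invocation;
import org.apache.ibatis.plugin.Plugin;
import org.apache.ibatis.plugin.Signature;

public interface UserMapper {

    // VULNERABLE ("before"): ${name} is spliced into the SQL text, so the
    // parameter can change the statement itself. Kept only to show the contrast.
    @Select("SELECT id, user_name FROM users WHERE user_name = '${name}'")
    List<Map<String, Object>> findByNameUnsafe(@Param("name") String name);

    // SAFE: #{name} becomes a '?' placeholder; the driver sends the value
    // separately from the SQL text, so it can never be parsed as SQL.
    @Select("SELECT id, user_name FROM users WHERE user_name = #{name}")
    List<Map<String, Object>> findByName(@Param("name") String name);

    // ${} is legitimately needed for identifiers: a placeholder cannot stand in
    // for a column name. The value must therefore come from a fixed whitelist,
    // enforced by SafeUserQueries.checkedOrderBy before the mapper is called.
    @Select("SELECT id, user_name FROM users ORDER BY ${orderBy}")
    List<Map<String, Object>> findAllOrdered(@Param("orderBy") String orderBy);
}

// Validation of the only ${} input: the caller's "orderBy" is accepted only if
// it is exactly one of the known column names (hypothetical list).
final class SafeUserQueries {
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "user_name", "created_at");

    private SafeUserQueries() {}

    static String checkedOrderBy(String requested) {
        if (requested == null || !SORTABLE_COLUMNS.contains(requested)) {
            throw new IllegalArgumentException("orderBy value is not an allowed column: " + requested);
        }
        return requested; // returned unchanged: it is a literal from our own set
    }

    static List<Map<String, Object>> listUsers(UserMapper mapper, String orderBy) {
        return mapper.findAllOrdered(checkedOrderBy(orderBy));
    }
}

// Audit hook: runs after MyBatis has rendered ${} text and before the JDBC
// statement is prepared, so the logged SQL is exactly what the driver receives.
// Register with configuration.addInterceptor(new RenderedSqlAuditInterceptor()).
@Intercepts(@Signature(type = StatementHandler.class, method = "prepare",
        args = {Connection.class, Integer.class}))
final class RenderedSqlAuditInterceptor implements Interceptor {

    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        StatementHandler handler = (StatementHandler) invocation.getTarget();
        // getSql() still contains '?' for every #{} parameter; only ${} text is inlined.
        String renderedSql = handler.getBoundSql().getSql().replaceAll("\\s+", " ").trim();
        System.out.println("[sql-audit] " + renderedSql);
        return invocation.proceed();
    }

    @Override
    public Object plugin(Object target) {
        return Plugin.wrap(target, this);
    }
}
```

The interceptor only observes: by the time `prepare` runs, the ${} text is already part of the statement, so the place to enforce anything is before the mapper call (the whitelist above), which is the same point the answer recommends for dynamic SQL. Logging the rendered statement is still useful for detection, since a value that changed the query shape shows up verbatim in that line.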


1 Comment

Yeah, my client absolutely wants to be able to use STATEMENT (but also PreparedStatement), so using # isn't an option here.
