mybatis-user

avoid errors/injection in string substitution

Classic

List

Threaded

3 messages Options

Pablo León

avoid errors/injection in string substitution

Hi,

What is the best way to avoid sql errors and/or injection due to existing apostrophes in string subtitution (${})? I know the ideal is not to use string subtitution at all, but sometimes it is the only way to deal with engine limitations or complex situations. Typical usage case is in like predicates:

select * from table where column like '%search_string_entered_by_user%'

Regards,

Pablo.

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/f97fb4c0-c7e0-4d69-8951-6840587d3112%40googlegroups.com.

肖凡

Re: avoid errors/injection in string substitution

Use function concat instead.

On 05/16/2019 00:59, [hidden email] wrote:

Hi,

What is the best way to avoid sql errors and/or injection due to existing apostrophes in string subtitution (${})? I know the ideal is not to use string subtitution at all, but sometimes it is the only way to deal with engine limitations or complex situations. Typical usage case is in like predicates:

select * from table where column like '%search_string_entered_by_user%'

Regards,

Pablo.

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/f97fb4c0-c7e0-4d69-8951-6840587d3112%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/4fe09f28.1c1d.16abf3557cb.Coremail.iamlegend94%40163.com.

Iwao AVE!

Re: avoid errors/injection in string substitution

Hi Pablo,

You really should not use ${} when the value is provided by users. ☢️

There are several approaches and using 'concat' or '||' is one of them.

https://github.com/mybatis/mybatis-3/wiki/FAQ#how-do-i-code-an-sql-like

Regards,

Iwao

On Thu, May 16, 2019 at 2:55 PM 肖凡 <[hidden email]> wrote:

Use function concat instead.

On 05/16/2019 00:59, [hidden email] wrote:

Hi,

What is the best way to avoid sql errors and/or injection due to existing apostrophes in string subtitution (${})? I know the ideal is not to use string subtitution at all, but sometimes it is the only way to deal with engine limitations or complex situations. Typical usage case is in like predicates:

select * from table where column like '%search_string_entered_by_user%'

Regards,

Pablo.

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/f97fb4c0-c7e0-4d69-8951-6840587d3112%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/4fe09f28.1c1d.16abf3557cb.Coremail.iamlegend94%40163.com.

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/CA%2Buep2Ty2G7gyGnzvqJgb-1QnkHdgz1zHMXZfDGusXfEGSFa%2Bw%40mail.gmail.com.