【学习】017 Mybatis框架

一、目标

Mybatis介绍

Mybatis增删改查

SQL注入问题介绍

Mybatis xml与注解实现

Mybatis分页

二、Mybatis快速入门

2.1 Mybatis介绍

MyBatis是支持普通SQL查询存储过程高级映射的优秀持久层框架。MyBatis消除了几乎所有的JDBC代码和参数的手工设置以及对结果集的检索封装。MyBatis可以使用简单的XML或注解用于配置和原始映射,将接口和Java的POJO(Plain Old Java Objects,普通的Java对象)映射成数库中的记录.JDBC ->MyBatis

2.2 Mybatis环境搭建

2.2.1添加Maven依赖

    <dependencies>
        <!-- https://mvnrepository.com/artifact/org.mybatis/mybatis -->
        <dependency>
            <groupId>org.mybatis</groupId>
            <artifactId>mybatis</artifactId>
            <version>3.4.4</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/mysql/mysql-connector-java -->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.21</version>
        </dependency>
    </dependencies>

2.2.2建表

CREATE TABLE users(id INT PRIMARY KEY AUTO_INCREMENT, name VARCHAR(20), age INT);
INSERT INTO users(name, age) VALUES('Tom', 12);
INSERT INTO users(name, age) VALUES('Jack', 11);

2.2.3添加mybatis配置文件

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE configuration PUBLIC "-//mybatis.org//DTD Config 3.0//EN" "http://mybatis.org/dtd/mybatis-3-config.dtd">
<configuration>
    <environments default="development">
        <environment id="development">
            <transactionManager type="JDBC" />
            <dataSource type="POOLED">
                <property name="driver" value="com.mysql.jdbc.Driver" />
                <property name="url" value="jdbc:mysql://localhost:23306/mydatabase" />
                <property name="username" value="root" />
                <property name="password" value="master" />
            </dataSource>
        </environment>
    </environments>
</configuration>

2.2.4定义表的实体类

package com.hongmoshui.mybatis.entity;

public class User
{
    private int id;

    private String name;

    private int age;

    public int getId()
    {
        return id;
    }

    public void setId(int id)
    {
        this.id = id;
    }

    public String getName()
    {
        return name;
    }

    public void setName(String name)
    {
        this.name = name;
    }

    public int getAge()
    {
        return age;
    }

    public void setAge(int age)
    {
        this.age = age;
    }

}

2.2.5定义userMapper接口

package com.hongmoshui.mybatis.mapper;

import com.hongmoshui.mybatis.entity.User;

public interface UserMapper
{
    public User getUser(int id);

    public Integer addUser(String name, int age);

    public Integer delUser(int id);
}

2.2.6定义操作users表的sql映射文件userMapper.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.hongmoshui.mybatis.mapper.UserMapper">
    <select id="getUser" parameterType="int"
        resultType="com.hongmoshui.mybatis.entity.User">
        SELECT * FROM users where id =#{id}
    </select>
    <insert id="addUser"
        parameterType="com.hongmoshui.mybatis.entity.User">
        INSERT INTO users(name, age) VALUES(#{name}, #{age});
    </insert>
    <delete id="delUser" parameterType="int">
        delete from users where id=#{id}
    </delete>

</mapper>

2.2.7mybatis.xml文件中加载配置文件

    <mappers>
        <mapper resource="mapper/userMapper.xml" />
    </mappers>

2.2.8mybatis测试方法

package com.hongmoshui.mybatis;

import java.io.IOException;
import java.io.Reader;

import org.apache.ibatis.io.Resources;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;

import com.hongmoshui.mybatis.entity.User;

public class TestMybatis
{
    public static void main(String[] args) throws IOException
    {
        String resource = "mybatis.xml";
        // 读取配置文件
        Reader reader = Resources.getResourceAsReader(resource);
        // 获取会话工厂
        SqlSessionFactory sqlSessionFactory = new SqlSessionFactoryBuilder().build(reader);
        SqlSession openSession = sqlSessionFactory.openSession();
        addUser(openSession);
        delUser(openSession);
        getUser(openSession);
    }

    private static void getUser(SqlSession openSession)
    {
        // 查询
        String sql = "com.hongmoshui.mybatis.mapper.UserMapper.getUser";
        // 参数id
        int id = 1;
        // 调用api查询
        User user = openSession.selectOne(sql, id);
        System.out.println(user.toString());
    }

    private static void addUser(SqlSession openSession)
    {
        // 新增SQL
        String sql = "com.hongmoshui.mybatis.mapper.UserMapper.addUser";
        // 调用api查询
        User user = new User();
        user.setAge(19);
        user.setName("hongmoshui");
        int reuslt = openSession.insert(sql, user);
        openSession.commit();
        System.out.println(reuslt);

    }

    private static void delUser(SqlSession openSession)
    {
        // 删除SQL
        String sql = "com.hongmoshui.mybatis.mapper.UserMapper.delUser";
        // 调用api查询
        int id = 2;
        int reuslt = openSession.insert(sql, id);
        openSession.commit();
        System.out.println(reuslt);

    }
}

三、sql注入案例

3.1创建表+测试数据

create table user_table(  
    id      int Primary key,  
    username    varchar(30),  
    password    varchar(30)  
);  
insert into user_table values(1,'hongmoshui-1','12345');  
insert into user_table values(2,'hongmoshui-2','12345');  

3.2 jdbc进行加载

package com.hongmoshui.mybatis;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class TestSQL
{
    public static void main(String[] args) throws ClassNotFoundException, SQLException
    {
        String username = "hongmoshui-1";
        String password = "12345";
        String sql = "SELECT id,username FROM user_table WHERE " + "username='" + username + "'AND " + "password='" + password + "'";
        Class.forName("com.mysql.jdbc.Driver");
        Connection con = DriverManager.getConnection("jdbc:mysql://localhost:23306/mydatabase", "root", "master");
        PreparedStatement stat = con.prepareStatement(sql);
        System.out.println(stat.toString());
        ResultSet rs = stat.executeQuery();
        while (rs.next())
        {
            String id = rs.getString(1);
            String name = rs.getString(2);
            System.out.println("id:" + id + ",name:" + name);
        }
    }
    
}

3.3将username的值设置为

username='  OR 1=1 -- 或者username or 1='1

因为--表示SQL注释,因此后面语句忽略;

因为1=1恒成立,因此 username='' OR 1=1  恒成立,因此SQL语句等同于:

SELECT id,username FROM user_table

3.4sql注入解决办法

第一步:编译sql 

第二步:执行sql

优点:能预编译sql语句

package com.hongmoshui.mybatis;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class TestSQL
{
    public static void main(String[] args) throws ClassNotFoundException, SQLException
    {
        Class.forName("com.mysql.jdbc.Driver");
        Connection con = DriverManager.getConnection("jdbc:mysql://localhost:23306/mydatabase", "root", "master");
        // 无注入情况
        String username1 = "hongmoshui-1";
        String password1 = "12345";
        String sql1 = "SELECT id,username FROM user_table WHERE " + "username='" + username1 + "'AND " + "password='" + password1 + "'";
        selectNoInjection(con, username1, password1, sql1);
        // 注入,但是有预编译
        String username2 = "username='  OR 1=1 -- ";
        String password2 = "12345";
        String sql2 = "SELECT id,username FROM user_table WHERE username=? AND password=?";
        selectInjection(con, username2, password2, sql2);

    }

    private static void selectInjection(Connection con, String username, String password, String sql) throws SQLException
    {
        PreparedStatement stat = con.prepareStatement(sql);
        stat.setString(1, username);
        stat.setString(2, password);
        System.out.println(stat.toString());
        ResultSet rs = stat.executeQuery();
        while (rs.next())
        {
            String id = rs.getString(1);
            String name = rs.getString(2);
            System.out.println("id:" + id + "---name:" + name);
        }
    }

    private static void selectNoInjection(Connection con, String username, String password, String sql) throws ClassNotFoundException, SQLException
    {
        PreparedStatement stat = con.prepareStatement(sql);
        System.out.println(stat.toString());
        ResultSet rs = stat.executeQuery();
        while (rs.next())
        {
            String id = rs.getString(1);
            String name = rs.getString(2);
            System.out.println("id:" + id + ",name:" + name);
        }
    }

}

3.4 mybatis中#与$区别

动态 sql 是 mybatis 的主要特性之一,在 mapper 中定义的参数传到 xml 中之后,在查询之前 mybatis 会对其进行动态解析。mybatis 为我们提供了两种支持动态 sql 的语法:#{} 以及 ${}。

在下面的语句中,如果 username 的值为 zhangsan,则两种方式无任何区别:

select * from user where name = #{name};
select * from user where name = ${name};

其解析之后的结果均为

select * from user where name = 'zhangsan';

但是 #{} 和 ${} 在预编译中的处理是不一样的。#{} 在预处理时,会把参数部分用一个占位符 ? 代替,变成如下的 sql 语句:

select * from user where name = ?;

而 ${} 则只是简单的字符串替换,在动态解析阶段,该 sql 语句会被解析成

select * from user where name = 'zhangsan';

以上,#{} 的参数替换是发生在 DBMS 中,而 ${} 则发生在动态解析过程中。

那么,在使用过程中我们应该使用哪种方式呢?

答案是,优先使用 #{}。因为 ${} 会导致 sql 注入的问题。看下面的例子:

 select * from ${tableName} where name = #{name}

在这个例子中,如果表名为

 user; delete user; -- 

  则动态解析之后 sql 如下:

select * from user; delete user; -- where name = ?;

  --之后的语句被注释掉,而原本查询用户的语句变成了查询所有用户信息+删除用户表的语句,会对数据库造成重大损伤,极大可能导致服务器宕机。

但是表名用参数传递进来的时候,只能使用 ${} ,具体原因可以自己做个猜测,去验证。这也提醒我们在这种用法中要小心sql注入的问题。

3.4.1创建UserTable

package com.hongmoshui.mybatis;

public class UserTable
{
    private int id;

    private String userName;

    private String passWord;

    public int getId()
    {
        return id;
    }

    public void setId(int id)
    {
        this.id = id;
    }

    public String getUserName()
    {
        return userName;
    }

    public void setUserName(String userName)
    {
        this.userName = userName;
    }

    public String getPassWord()
    {
        return passWord;
    }

    public void setPassWord(String passWord)
    {
        this.passWord = passWord;
    }

}

3.4.2创建UserTableMapper

package com.hongmoshui.mybatis.mapper;

import com.hongmoshui.mybatis.UserTable;

public interface UserTableMapper
{
    public UserTable login(UserTable userTable);
}

3.4.3userTableMapper.xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.hongmoshui.mybatis.mapper.UserTableMapper">
    <select id="login"
        parameterType="com.hongmoshui.mybatis.UserTable"
        resultType="com.hongmoshui.mybatis.UserTable">
        SELECT id ,username as userName FROM user_table WHERE
        username=${userName} AND password=${passWord}
    </select>

</mapper>

3.4.4 mybatis.xml文件中加载配置文件

    <mappers>
        <!-- <mapper resource="mapper/userMapper.xml" /> -->
        <mapper resource="mapper/userTableMapper.xml" />
    </mappers>

3.4.5 测试SQL注入

package com.hongmoshui.mybatis;

import java.io.IOException;
import java.io.Reader;
import java.sql.SQLException;
import java.util.List;

import org.apache.ibatis.io.Resources;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;

public class TestLoginMybatis3
{

    public static void main(String[] args) throws IOException, SQLException, ClassNotFoundException
    {

        String resource = "mybatis.xml";
        // 读取配置文件
        Reader reader = Resources.getResourceAsReader(resource);
        // 获取会话工厂
        SqlSessionFactory sqlSessionFactory = new SqlSessionFactoryBuilder().build(reader);
        SqlSession openSession = sqlSessionFactory.openSession();
        // 查询
        String sql = "com.hongmoshui.mybatis.mapper.UserTableMapper.login";
        // 调用api查询
        UserTable userTable = new UserTable();
        userTable.setUserName("''  OR 1=1 -- ");
        userTable.setPassWord("12345");
        List<UserTable> listUserTable = openSession.selectList(sql, userTable);
        for (UserTable ub : listUserTable)
        {
            System.out.println(ub.getUserName());
        }
    }
}

3.4.6 总结

优先使用 #{}。因为 ${} 会导致 sql 注入的问题

一、Mybatis 注解使用

Mybatis提供了增删改查注解、@select @delete @update

4.1 建立注解Mapper

package com.hongmoshui.mybatis.mapper;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

import com.hongmoshui.mybatis.UserTable;

public interface UserTestMapper {
    @Select("select * from user_table where id = ${id};")
    public UserTable getUser(@Param("id") int id);
}

4.2 加入mybatis.xml

    <mappers>
        <!-- <mapper resource="mapper/userMapper.xml" />
        <mapper resource="mapper/userTableMapper.xml" /> -->
        <mapper class="com.hongmoshui.mybatis.mapper.UserTestMapper" />
    </mappers>

4.3 运行测试

package com.hongmoshui.mybatis;
import java.io.IOException;
import java.io.Reader;
import org.apache.ibatis.io.Resources;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;
import com.hongmoshui.mybatis.mapper.UserTestMapper;

public class TestMybatis3
{
    public static void main(String[] args) throws IOException
    {
        String resource = "mybatis.xml";
        // 读取配置文件
        Reader reader = Resources.getResourceAsReader(resource);
        // 获取会话工厂
        SqlSessionFactory sqlSessionFactory = new SqlSessionFactoryBuilder().build(reader);
        SqlSession openSession = sqlSessionFactory.openSession();
        // 调用api查询
        UserTestMapper userTestMapper = openSession.getMapper(UserTestMapper.class);
        System.out.println(userTestMapper.getUser(2));
    }
}

 

posted @ 2019-06-07 18:10  洪墨水  阅读(202)  评论(0编辑  收藏  举报