Fork me on GitHub

ibatis order by 防止sql注入

(1) 排序控制

select TABLE_NAME, TABLESPACE_NAME from user_tables order by TABLE_NAME $ordertype$

Where the user input ordertype ASC, DESC. On this keyword, use the $ordertype: SQLKEYWORD$ replacement $ ordertype $.

(2)排序字段

sql statement metadata. If the sql statement, there is user input metadata. Table name, field names and so on.

For example the following sql:
select TABLE_NAME, TABLESPACE_NAME from user_tables order by $ orderByColumn $.

Which is the field in the database orderByColumn. Of this metadata, use: $ orderByColumn: METADATA $ replacement $ orderByColumn $.

posted @ 2016-09-09 13:35  南田玉彦  阅读(3077)  评论(0编辑  收藏  举报