// MyBatis生成的SQL
String sql = "SELECT * FROM users WHERE id = ?";

// JDBC預(yù)編譯處理
PreparedStatement pstmt = connection.prepareStatement(sql);
pstmt.setInt(1, userId);

<select id="getUser" resultType="User">
    SELECT * FROM users WHERE username = #{username}
</select>

<!-- 危險(xiǎn)示例：存在SQL注入風(fēng)險(xiǎn) -->
<select id="getUser" resultType="User">
    SELECT * FROM users ORDER BY ${columnName}
</select>

<select id="findUsers" resultType="User">
    SELECT * FROM users
    <where>
        <if test="username != null">
            AND username = #{username}
        </if>
        <if test="email != null">
            AND email = #{email}
        </if>
    </where>
</select>

// 安全
@Select("SELECT * FROM users WHERE username = #{username}")
User findByUsername(@Param("username") String username);

// 危險(xiǎn)！存在注入風(fēng)險(xiǎn)
@Select("SELECT * FROM users WHERE username = '${username}'")
User findByUsernameInsecure(@Param("username") String username);

<select id="queryByField" resultType="map">
    SELECT * FROM ${tableName}
    ORDER BY 
    <choose>
        <when test="orderBy == 'name'">name</when>
        <when test="orderBy == 'createTime'">create_time</when>
        <otherwise>id</otherwise>
    </choose>
</select>

public String safeColumnName(String input) {
    // 只允許字母、數(shù)字和下劃線
    if (!input.matches("^[a-zA-Z0-9_]+$")) {
        throw new IllegalArgumentException("Invalid column name");
    }
    return input;
}

<select id="findUsersByIds" resultType="User">
    SELECT * FROM users
    WHERE id IN
    <foreach collection="ids" item="id" open="(" separator="," close=")">
        #{id}
    </foreach>
</select>

<!-- 安全寫法 -->
<select id="searchUsers" resultType="User">
    SELECT * FROM users
    WHERE username LIKE CONCAT('%', #{keyword}, '%')
</select>

<!-- 或者 -->
<select id="searchUsers" resultType="User">
    SELECT * FROM users
    WHERE username LIKE #{pattern}
</select>

@Intercepts({
    @Signature(type= StatementHandler.class, 
              method="parameterize", 
              args=Statement.class)
})
public class SqlInjectionInterceptor implements Interceptor {
    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        // 檢查參數(shù)中的可疑內(nèi)容
        // ...
        return invocation.proceed();
    }
}

// 危險(xiǎn)！
@Select("SELECT * FROM ${tableName} WHERE id = #{id}")
User findById(@Param("tableName") String tableName, @Param("id") Long id);