check input for SQL-Injection with Mybatis

I’d like to check my input string for potential SQL-Injection.

Here is my class, method and query:

import java.util.Map;

public class UserNamesQuery {

   // Builds the query by string concatenation: the raw value of
   // params.get("userNames") is spliced directly into the SQL text.
   public static String getUserNames(Map<String, Object> params) {
       String userNames = (String) params.get("userNames");
       return "SELECT * FROM users WHERE name IN (" + userNames + ") ";
   }

}

Is there a tool or a quick way to validate that userNames is without SQL injection?

Note that I use MyBatis.

Answer

No. There is no way. And no need.

To be frank, there is no such thing as “SQL injection”. There is only an exploit of an improperly formatted query.

So, instead of hunting down whatever “injections”, you have to format your queries properly, by means of using prepared statements.

Any data, depending on context, could be either a potential injection or a harmless chunk of text. So, with whatever filtering function, there will be too many false positives. Worse yet, whatever filtering is a “black list” implementation, meaning it will always be incomplete – it’s just impossible to filter out all the codes used to exploit an injection.

On the other hand, a prepared statement is a relatively simple solution that will be immune to any type of injection without even knowing them. Just because it won’t let the data interfere with the query.
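To show what "format the query properly" looks like for the IN (...) case in the question, here is an added example (not from the question or the answer above): the same provider rewritten so that MyBatis binds every list element as a prepared-statement parameter. The mapper interface, the User class and the findByNames method are assumed names for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.SelectProvider;

// Hypothetical entity and mapper used to call the provider.
class User {
    public String name;
}

interface UserMapper {
    // MyBatis calls UserNamesQuery.getUserNames to obtain the SQL text, then
    // binds every #{...} placeholder in it as a JDBC '?' parameter.
    @SelectProvider(type = UserNamesQuery.class, method = "getUserNames")
    List<User> findByNames(@Param("userNames") List<String> userNames);
}

public class UserNamesQuery {

    // Hardened version of the provider from the question. Instead of splicing
    // the caller's text into the SQL, it emits one #{userNames[i]} placeholder
    // per list element, e.g.
    //   SELECT * FROM users WHERE name IN (#{userNames[0]}, #{userNames[1]})
    // The values themselves never become part of the SQL string, so a name
    // such as  x') OR 1=1 --  is simply compared as a literal string.
    public static String getUserNames(Map<String, Object> params) {
        List<?> names = (List<?>) params.get("userNames");
        if (names == null || names.isEmpty()) {
            // "IN ()" is not valid SQL; return a query that matches nothing.
            return "SELECT * FROM users WHERE 1 = 0";
        }
        String placeholders = IntStream.range(0, names.size())
            .mapToObj(i -> "#{userNames[" + i + "]}")
            .collect(Collectors.joining(", "));
        return "SELECT * FROM users WHERE name IN (" + placeholders + ")";
    }
}
```

The same effect is obtained in XML mappers with a <foreach> element that emits #{item} for each list entry; what must be avoided in either style is ${...}, which MyBatis substitutes as raw text, exactly like the concatenation in the question.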
