
MyBatis ${} 사용 시 SQL Injection 피하기

바리새인 2025. 1. 15. 23:00
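// Example: Validate column names and operators
/**
 * Allow-list validation for dynamic query conditions before any part of them is
 * placed into a MyBatis {@code ${}} substitution.
 *
 * <p>Only the column name (key {@code "data"}) and the comparison operator
 * (key {@code "compare"}) are checked here, because those are the two fragments
 * that cannot be bound as prepared-statement parameters. The value being compared
 * must still be passed through {@code #{}} so the driver binds it; this check does
 * not make an interpolated value safe.
 *
 * <p>Matching is exact and case-sensitive: {@code "like"} is accepted,
 * {@code "LIKE"} is rejected.
 */
public final class ConditionValidator {

    /** Column names that may appear in a {@code ${}} substitution. */
    private static final Set<String> VALID_COLUMNS = Set.of("column1", "column2", "column3");

    /** Comparison operators that may appear in a {@code ${}} substitution. */
    private static final Set<String> VALID_OPERATORS = Set.of("=", "<", ">", "<=", ">=", "like");

    private ConditionValidator() {
    }

    /**
     * Rejects the first condition whose column or operator is not on the allow-list.
     *
     * @param conditions conditions as maps with at least the keys {@code "data"}
     *     (column name) and {@code "compare"} (operator); may be empty
     * @throws IllegalArgumentException if a column or operator is missing, is not a
     *     {@code String}, or is not allow-listed
     * @throws NullPointerException if {@code conditions} is {@code null}
     */
    public static void validateConditions(List<Map<String, Object>> conditions) {
        Objects.requireNonNull(conditions, "conditions");
        for (Map<String, Object> condition : conditions) {
            requireAllowed(condition.get("data"), VALID_COLUMNS, "column");
            requireAllowed(condition.get("compare"), VALID_OPERATORS, "operator");
        }
    }

    /**
     * Throws unless {@code value} is a {@code String} contained in {@code allowed}.
     * A missing key (null) or a non-String value is reported the same way as an
     * unknown value rather than surfacing as a NullPointerException or ClassCastException.
     */
    private static void requireAllowed(Object value, Set<String> allowed, String what) {
        // Set.of() rejects contains(null), so the type check has to come first.
        if (!(value instanceof String) || !allowed.contains((String) value)) {
            throw new IllegalArgumentException("Invalid " + what + ": " + value);
        }
    }
}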