10 MyBatis SQL Injection Vulnerabilities AI Can Catch That Humans Miss

MyBatis is the most popular ORM framework in the Java ecosystem, powering millions of applications. But its flexibility comes with a dangerous gotcha: ${} vs #{} syntax. One is safe, the other is not — and the difference is a single character.

Here are 10 MyBatis SQL injection patterns that slip past human reviewers but an AI code review agent catches instantly.

The Core Problem: ${} vs #{}

<!-- SAFE: #{} uses PreparedStatement parameter binding -->
<select id="findById" resultType="User">
    SELECT * FROM users WHERE id = #{id}
</select>

<!-- VULNERABLE: ${} directly interpolates the string -->
<select id="findById" resultType="User">
    SELECT * FROM users WHERE id = ${id}
</select>

The difference: #{id} generates WHERE id = ? and binds the value as a PreparedStatement parameter, while ${id} pastes the raw string into the SQL text, so an input of 1 OR 1=1 produces WHERE id = 1 OR 1=1.
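As an added example (not code from the original post), here is a small Python check that does the review-time job the post describes: parse a MyBatis mapper XML and report every ${} interpolation by statement id, including ones nested in dynamic tags like <where> and <if>. The mapper it scans is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mapper (not from any real project): one safe statement,
# one vulnerable statement, and a dynamic-SQL block with a ${} in ORDER BY.
SAMPLE_MAPPER = """<mapper namespace="example.UserMapper">
  <!-- SAFE: #{} binds a PreparedStatement parameter -->
  <select id="findById" resultType="User">
    SELECT * FROM users WHERE id = #{id}
  </select>
  <!-- VULNERABLE: ${} pastes the raw string into the SQL text -->
  <select id="findByIdRaw" resultType="User">
    SELECT * FROM users WHERE id = ${id}
  </select>
  <select id="search" resultType="User">
    SELECT * FROM users
    <where>
      <if test="name != null">AND name = #{name}</if>
      <if test="sort != null">ORDER BY ${sort}</if>
    </where>
  </select>
</mapper>"""

# Mapper elements whose body is SQL text (sql = reusable fragment).
STATEMENT_TAGS = ("select", "insert", "update", "delete", "sql")
# Matches ${expr}; #{expr} is deliberately not matched because it is bound safely.
INTERPOLATION = re.compile(r"\$\{\s*([^}]*?)\s*\}")


def find_interpolations(mapper_xml):
    """Return (statement id, tag, expression) for every ${} in SQL text.

    ElementTree drops XML comments, so a ${} inside a comment is not reported.
    itertext() walks nested dynamic tags (<where>, <if>, <foreach>, ...), so a
    ${} buried inside them is still found; attribute values (e.g. test="...")
    are not SQL and are not scanned.
    """
    root = ET.fromstring(mapper_xml)
    findings = []
    for stmt in root:
        if stmt.tag not in STATEMENT_TAGS:
            continue
        sql_text = "".join(stmt.itertext())
        for expr in INTERPOLATION.findall(sql_text):
            findings.append((stmt.get("id"), stmt.tag, expr))
    return findings


if __name__ == "__main__":
    for stmt_id, tag, expr in find_interpolations(SAMPLE_MAPPER):
        print(f"<{tag} id=\"{stmt_id}\"> uses ${{{expr}}}: review for injection")
```

Every hit needs a human decision: a ${} that carries user input is the injection the post describes, while a ${} over an identifier (such as the ORDER BY column above) is only acceptable when the value is checked against an allowlist before it reaches the mapper.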