Mybatis on JavaDev AI - Java + AI in Practicehttps://en.nykjsd.cn/tags/mybatis/Recent content in Mybatis on JavaDev AI - Java + AI in PracticeHugoen-us© 2026 JavaDev AI. All rights reserved.Thu, 25 Jun 2026 00:00:00 +000010 MyBatis SQL Injection Vulnerabilities AI Can Catch That Humans Misshttps://en.nykjsd.cn/10-mybatis-sql-injection-vulnerabilities-ai-can-catch-that-humans-miss/Thu, 25 Jun 2026 00:00:00 +0000https://en.nykjsd.cn/10-mybatis-sql-injection-vulnerabilities-ai-can-catch-that-humans-miss/<p>MyBatis is the most popular ORM framework in the Java ecosystem, powering millions of applications. But its flexibility comes with a dangerous gotcha: <strong><code>${}</code> vs <code>#{}</code></strong> syntax. One is safe, the other is not — and the difference is a single character.</p> <p>Here are 10 MyBatis SQL injection patterns that slip past human reviewers but an AI code review agent catches instantly.</p> <h2 id="the-core-problem--vs-">The Core Problem: <code>${}</code> vs <code>#{}</code></h2> <div class="highlight"><div style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">7 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">8 </span><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">9 </span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#75715e">&lt;!-- SAFE: #{} uses PreparedStatement parameter binding --&gt;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;select</span> <span style="color:#a6e22e">id=</span><span style="color:#e6db74">&#34;findById&#34;</span> <span style="color:#a6e22e">resultType=</span><span style="color:#e6db74">&#34;User&#34;</span><span style="color:#f92672">&gt;</span> </span></span><span style="display:flex;"><span> SELECT * FROM users WHERE id = #{id} </span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/select&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">&lt;!-- VULNERABLE: ${} directly interpolates the string --&gt;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;select</span> <span style="color:#a6e22e">id=</span><span style="color:#e6db74">&#34;findById&#34;</span> <span style="color:#a6e22e">resultType=</span><span style="color:#e6db74">&#34;User&#34;</span><span style="color:#f92672">&gt;</span> </span></span><span style="display:flex;"><span> SELECT * FROM users WHERE id = ${id} </span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/select&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>The difference: <code>#{id}</code> generates <code>WHERE id = ?</code> with parameter binding, while <code>${id}</code> generates <code>WHERE id = 1 OR 1=1</code> with direct string interpolation.</p>