关于 SQL 注入的防范,个人认为最可靠的方式还是使用 PreparedStatement,对于替换表名、列名等元数据字符串的场景,使用白名单对填入的值进行严格控制再传入。
在 MyBatis 的 官方文档 中,就对 ${} 的使用进行了如下提示:
It’s not safe to accept input from a user and supply it to a statement unmodified in this way. This leads to potential SQL Injection attacks and therefore you should either disallow user input in these fields, or always perform your own escapes and checks.
Reference
PreparedStatement
如何避免出现SQL注入漏洞
SQL Injection Prevention - OWASP Cheat Sheet Series
mybatis – MyBatis 3 | Mapper XML Files