Method, device and storage medium for preventing injection attack SQL generation

By rewriting the query method of the Mybatis query-condition parent class so that sorting is routed through a setSort method, and handing the sort clause to a ThreadLocal variable that a sorting plugin appends to the SQL at execution time, the application removes ${}-based ORDER BY injection from mapper mapping files with only minor code changes.

CN116541830B · Active · Publication Date: 2026-06-30 · CHINA MOBILE FINANCIAL TECHNOLOGY CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA MOBILE FINANCIAL TECHNOLOGY CO LTD
Filing Date
2022-01-25
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

The existing mapper mapping files in the Mybatis framework are prone to SQL injection attacks when passing values ​​using #{} and ${}, and modifying system functional modules to avoid injection attacks requires large-scale retesting.

Method used

By overriding the inherited parent class of query conditions, the original query methods in the system are uniformly converted into the setSort sorting method, and the ThreadLocal thread-local variable and the preset sorting utility class are used to generate the final SQL that prevents injection attacks.

Benefits of technology

With minor modifications to the original code, SQL was generated to prevent SQL injection attacks, thus solving the SQL injection attack problem while maintaining the original sorting functionality.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116541830B_ABST (abstract figure)

Abstract

This application relates to the fields of IT and software development technology, and provides a method, apparatus, device, and storage medium for generating SQL to prevent injection attacks. The method includes: determining a target mapping file and query conditions; determining a parent class in the target mapping file based on the query conditions; rewriting a preset query method in the parent class; converting all sorting associated with the preset query method in the target mapping file into a `setSort` sorting method of a preset sorting utility class; and sorting the target mapping file using the `setSort` sorting method to generate the final SQL to prevent injection attacks. The SQL generation method for preventing injection attacks provided in this application solves the SQL injection attack problem by uniformly converting the original query methods in the system into `setSort` sorting methods, generating the final SQL to prevent injection attacks with only minor modifications to the original sorting code.

Description

Technical Field

[0001] This application relates to the fields of IT and software development technology, and in particular to a method, apparatus, device and storage medium for generating SQL to prevent injection attacks.

Background Technology

[0002] Many existing Java projects use the Mybatis framework. Mybatis keeps the SQL statements that operate on database tables in mapper mapping files: XML configuration files that provide select, insert, update and delete elements, corresponding to the query, insert, modify and delete operations respectively. When an API call is made, the Mybatis framework locates the corresponding mapper mapping file and executes the SQL statement defined in it.

[0003] The mapper file offers two ways of passing a value into SQL: #{} and ${}. #{} turns the value into a bound parameter of a prepared statement (a `?` placeholder), so the value is never parsed as SQL; ${} substitutes the raw text of the value into the statement before the database parses it. For sorting this matters. With #{} the generated SQL is `order by ?` with the column name bound as a string literal, so the database either rejects the statement or sorts by a constant and the intended sort is not applied. With ${} the column name is spliced in verbatim, which sorts correctly but lets an attacker who controls the value append arbitrary SQL, creating an SQL injection vulnerability.

[0004] To avoid both #{} and ${}, the query SQL for an operation can be edited while the business logic is implemented, writing the sort column directly into the statement instead of passing it in. However, some functions must switch the sort column according to user actions, so this is not always possible. Moreover, if such a sort is written into every SQL statement executed by already completed functional modules, every functional point of the whole system has to be retested, which is a large amount of modification.

Summary of the Invention

[0005] This application provides a method, apparatus, device, and storage medium for generating SQL to prevent injection attacks, thereby solving the SQL injection attack problem with only minor modifications to the original code.

[0006] Firstly, this application provides a method for generating SQL to prevent injection attacks, including:

[0007] Determine the target mapping file and query conditions, and determine the inheriting parent class in the target mapping file based on the query conditions;

[0008] The preset query method in the inherited parent class is overridden, and all sorting associated with the preset query method in the target mapping file is converted into the setSort sorting method of the preset sorting utility class;

[0009] The target mapping file is sorted using the setSort sorting method to generate the final SQL to prevent injection attacks.

[0010] In one embodiment, sorting the target mapping file using the setSort sorting method to generate the final SQL to prevent injection attacks includes:

[0011] The sorting parameter is passed as the sort argument of the setSort sorting method, and the preset sorting utility class stores the sort argument in a thread-local variable;

[0012] The current SQL being executed in the target mapping file is determined by a preset sorting plugin, and the sort parameter in the thread local variable is concatenated to the current SQL being executed to generate the final SQL that prevents injection attacks.

[0013] Before determining the target mapping file and query conditions, and before determining the inherited parent class in the target mapping file based on the query conditions, the method further includes:

[0014] The original mapping file is determined, and all sorting operations using a preset value passing method in the original mapping file are deleted using regular expressions to obtain the target mapping file.

[0015] After determining the target mapping file and query conditions, and determining the inherited parent class in the target mapping file based on the query conditions, the process further includes:

[0016] The system's original sorting fields in the target mapping file are converted into sorting parameters using a preset sorting plugin.

[0017] After sorting the target mapping file using the setSort sorting method to generate the final SQL to prevent injection attacks, the process further includes:

[0018] In a `finally` block, the sort parameter is removed from the thread-local variable after the final injection-safe SQL has executed.

[0019] Secondly, this application also provides an SQL generation device for preventing injection attacks, comprising:

[0020] The determination module is used to determine the target mapping file and query conditions, and to determine the inherited parent class in the target mapping file based on the query conditions;

[0021] The rewrite conversion module is used to rewrite the preset query method in the inherited parent class, and convert all sorting associated with the preset query method in the target mapping file into the setSort sorting method of the preset sorting utility class;

[0022] The sorting generation module is used to sort the target mapping file using the setSort sorting method to generate the final SQL to prevent injection attacks.

[0023] In one embodiment, the sorting generation module is further configured to:

[0024] The sorting parameter is passed as the sort argument of the setSort sorting method, and the preset sorting utility class stores the sort argument in a thread-local variable;

[0025] The current SQL being executed in the target mapping file is determined by a preset sorting plugin, and the sort parameter in the thread local variable is concatenated to the current SQL being executed to generate the final SQL that prevents injection attacks.

[0026] The SQL generation device for preventing injection attacks also includes:

[0027] The deletion module is used to determine the original mapping file and delete all sorting methods using a preset value passing method in the original mapping file through regular expressions to obtain the target mapping file.

[0028] Thirdly, this application also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of the SQL generation method for preventing injection attacks described in the first aspect.

[0029] Fourthly, this application also provides a computer-readable storage medium comprising a computer program that, when executed by the processor, implements the steps of the SQL generation method for preventing injection attacks described in the first aspect.

[0030] Fifthly, this application also provides a computer program product, the computer program product comprising a computer program, which, when executed by the processor, implements the steps of the SQL generation method for preventing injection attacks described in the first aspect.

[0031] The SQL generation method, apparatus, device and computer program product for preventing injection attacks provided in this application generate the final injection-safe SQL by rewriting the parent class that the query conditions inherit from and uniformly routing the original query method of the system through the setSort sorting method. Only the query method code is modified; no other code changes. The final injection-safe SQL is therefore generated with only minor modifications to the original sorting code, preserving the original sorting function and solving the SQL injection attack problem.

Attached Figure Description

[0032] To more clearly illustrate the technical solutions of this application, the drawings used in the description of the embodiments or prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0033] Figure 1 is a flowchart of the SQL generation method for preventing injection attacks provided in this application;

[0034] Figure 2 is a schematic diagram of the SQL generation device for preventing injection attacks provided in this application;

[0035] Figure 3 is a schematic diagram of the structure of the electronic device provided in this application.

Detailed Implementation

[0036] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0037] Specifically, this application describes the SQL generation method, apparatus, device and computer program product for preventing SQL injection attacks with reference to Figures 1 to 3. Figure 1 is a flowchart of the SQL generation method for preventing injection attacks provided in this application; Figure 2 is a schematic diagram of the SQL generation device for preventing injection attacks provided in this application; Figure 3 is a schematic diagram of the structure of the electronic device provided in this application.

[0038] This application provides an embodiment of a SQL generation method to prevent injection attacks. It should be noted that although the logical order is shown in the flowchart, under certain data conditions, the steps shown or described may be performed in a different order than that shown here.

[0039] This application uses an electronic device as the execution subject for example, and uses an SQL generation system as one of the manifestations of the electronic device, without limitation.

[0040] Explanation of terms used in this application's embodiments:

[0041] SQL, or Structured Query Language, is a database query language used to perform a series of operations on relational database systems, including but not limited to insert, delete, modify, and query operations.

[0042] SQL injection attacks refer to attacks that trick the server into executing malicious SQL commands by inserting malicious SQL commands into web form submissions, or by entering domain names or query strings in page requests. The aim is to obtain information about the server or disrupt its normal operation.

[0043] Order By is a method in SQL for sorting query data.

[0044] ThreadLocal: provided by the JDK, ThreadLocal supplies thread-local variables. A thread-local variable can only be accessed by the current thread and is not shared between threads: each thread that touches a given ThreadLocal sees its own independent value. In multithreaded operation each thread works on its own copy, which avoids the thread-safety problems of a shared variable. Because server threads are pooled and reused, a value placed in a ThreadLocal persists until it is explicitly removed.

[0045] Referring to Figure 1, which is a flowchart of the SQL generation method for preventing injection attacks provided in this application, the method includes:

[0046] Step S10: Determine the target mapping file and query conditions, and determine the inheriting parent class in the target mapping file based on the query conditions.

[0047] It should be noted that the mapping file in this embodiment is a mapper mapping file. Furthermore, in the unmodified original mapper mapping file, there is a sorting using the ${} value passing method. Therefore, before determining the target mapper mapping file, it is necessary to remove the sorting using the ${} value passing method in the original mapper mapping file, as shown in step a.

[0048] Further, in step a, the original mapping file is determined, and all sorting operations using a preset value passing method are deleted from the original mapping file using regular expressions to obtain the target mapping file.

[0049] Specifically, the SQL generation system determines the original mapper mapping file of the Mybatis framework used by the project, and deletes every sort clause in it that uses the ${} value passing method by means of regular expressions, obtaining the target mapper mapping file. In this embodiment, the preset value passing method is the ${} value passing method.

[0050] This application embodiment uses regular expressions to remove the sorting of the ${} value passing method in the original mapper mapping file, thus avoiding SQL injection attacks that may be caused by the ${} value passing method.
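Step a above, worked as an added Java example that is not the patent's own code: a small audit that finds every `${}`-driven ORDER BY in a mapper XML with a regular expression and strips it to produce the target mapping file. The mapper XML, its namespace, the statement ids and the column names are constructed for the demo; the regex is one reasonable shape for the check, not one the patent specifies.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Finds and removes every ORDER BY clause that is fed through ${} in a
 * MyBatis mapper XML (step a of the description). Added example, not the
 * patent's code; the mapper XML below is constructed for the demo.
 */
public class MapperOrderByAudit {

    // "ORDER BY ${...}" followed by any mix of further ${...} items, commas
    // and ASC/DESC, matched case-insensitively because mapper SQL often is.
    // #{} is deliberately not matched: it becomes a bound parameter, which
    // cannot alter the statement (though it cannot name a sort column either).
    static final Pattern DOLLAR_ORDER_BY = Pattern.compile(
            "\\bORDER\\s+BY\\s+\\$\\{[^}]*\\}"
            + "(?:\\s*,?\\s*(?:\\$\\{[^}]*\\}|ASC\\b|DESC\\b))*",
            Pattern.CASE_INSENSITIVE);

    /** Every ${}-driven ORDER BY in the file, in order of appearance. */
    static List<String> findDollarOrderBy(String mapperXml) {
        List<String> hits = new ArrayList<>();
        Matcher m = DOLLAR_ORDER_BY.matcher(mapperXml);
        while (m.find()) {
            hits.add(m.group());
        }
        return hits;
    }

    /** The "target mapping file": the same XML with those clauses removed. */
    static String stripDollarOrderBy(String mapperXml) {
        return DOLLAR_ORDER_BY.matcher(mapperXml).replaceAll("");
    }

    // Constructed sample. listUsers has the dangerous shape: the sort column
    // and direction come straight from the request object through ${}.
    // findByName uses #{} for its value and a literal column, so it is left alone.
    static final String MAPPER_XML = String.join("\n",
            "<mapper namespace=\"com.example.UserMapper\">",
            "  <select id=\"listUsers\" resultType=\"User\">",
            "    SELECT id, name, created_at FROM users",
            "    WHERE status = #{status}",
            "    ORDER BY ${sortColumns} ${sortOrder}",
            "  </select>",
            "  <select id=\"findByName\" resultType=\"User\">",
            "    SELECT id, name FROM users WHERE name = #{name}",
            "    ORDER BY created_at DESC",
            "  </select>",
            "</mapper>");

    public static void main(String[] args) {
        List<String> hits = findDollarOrderBy(MAPPER_XML);
        System.out.println("${} ORDER BY clauses found: " + hits.size());
        for (String h : hits) {
            System.out.println("  " + h);
        }
        System.out.println("--- target mapping file ---");
        System.out.println(stripDollarOrderBy(MAPPER_XML));
    }
}
```

Running the audit before stripping gives a list of every statement that will lose its ordering, which is the set of statements the sorting plugin of step S30 has to cover; a statement whose `${}` sort sits inside an `<if>` block is left with an empty `<if>`, which Mybatis tolerates.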

[0051] It should be further noted that before executing any operations, the user needs to interact with the SQL generation system through its user interface. The SQL generation system determines the query conditions based on the user's interactions on the interface. Furthermore, the SQL generation system determines the inheriting parent class in the target mapper file based on the query conditions. In one embodiment, if the SQL generation system determines that all query conditions inherit from the `BaseQuery` class, then the inheriting parent class in the target mapper file is determined to be the `BaseQuery` class.

[0052] Furthermore, after determining the target mapper mapping file, it is necessary to convert some information in the target mapper mapping file into sorting parameters, as shown in step b.

[0053] Further, in step b, the original system sorting fields in the target mapping file are converted into sorting parameters using a preset sorting plugin.

[0054] In this embodiment, the preset sorting plugin is a preset Mybatis sorting plugin, through which the SQL generation system converts the original system sorting field in the target mapper mapping file into sorting parameters. The plugin is the Mybatis sorting plugin of the SQL generation system; this embodiment does not limit its specific type.

[0055] This application embodiment uses the Mybatis sorting plugin to avoid SQL injection attacks. The Mybatis sorting plugin can be flexibly added or removed.

[0056] Step S20: Override the preset query method in the inherited parent class, and convert all sorting associated with the preset query method in the target mapping file into the setSort sorting method of the preset sorting utility class.

[0057] In this embodiment, the parent class is `BaseQuery`, the preset query method is `setSortColumns`, and the preset sorting utility class is `OrderSortUtil`. `OrderSortUtil` provides `getSort` and `setSort` methods that pass sorting parameters through `ThreadLocal`. The SQL generation system rewrites `setSortColumns` in `BaseQuery` so that every sort that previously flowed through `setSortColumns` into the target mapper file now flows through `OrderSortUtil.setSort` instead. Because every query-condition class inherits `BaseQuery`, this one change to the parent class covers all sorting call sites in the project.

[0058] Step S30: Sort the target mapping file using the setSort sorting method to generate the final SQL to prevent injection attacks.

[0059] Furthermore, the SQL generation system sorts the target mapper mapping file by combining the setSort sorting method with the thread-local variables provided by ThreadLocal, and generates the final SQL to prevent injection attacks, as shown in steps S301 to S302.

[0060] Further, steps S301 to S302 are described as follows:

[0061] Step S301: Pass the sorting parameter as the sort argument of the setSort sorting method, and store the sort argument in the thread-local variable through the preset sorting utility class;

[0062] Step S302: Determine the currently executing SQL in the target mapping file through a preset sorting plugin, and concatenate the sort parameter in the thread local variable to the currently executing SQL to generate the final SQL to prevent injection attacks.

[0063] Specifically, the SQL generation system calls the setSort sorting method of the OrderSortUtil utility class, passing the sorting parameters as its sort argument.

[0064] OrderSortUtil then stores the sort parameter in the thread-local variable provided by ThreadLocal. During query execution the preset Mybatis sorting plugin determines the SQL currently being executed from the target mapper mapping file, reads the sort parameter back from the thread-local variable of the current thread, and appends it to that SQL to assemble the final statement. The sorting plugin is the only place where a sort clause is concatenated into SQL, so the value stored by setSort must already be a safe column list; the mapper file itself no longer contains any ${} sorting.

[0065] Subsequent sorting queries use this final injection-safe SQL. After each such query completes, the SQL generation system must remove the `sort` parameter from the thread-local variable provided by `ThreadLocal`, as shown in step c.

[0066] Further, in step c, the sort parameter is removed from the thread-local variable in a `finally` block.

[0067] Specifically, the SQL generation system removes the sort parameter from the `ThreadLocal` variable in the `finally` block of the code that executes the final SQL, so that the value cannot leak into the next query run on the same pooled thread.
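Steps S10 to S30, S301 to S302 and step c, worked as one added Java example that is not the patent's own code. `BaseQuery`, `setSortColumns`, `OrderSortUtil.setSort`/`getSort` and the sorting plugin follow the names the description uses; everything else is an assumption: the validation rule inside `setSort` (identifier-shaped column names plus ASC/DESC, since the plugin appends the stored value by string concatenation and that is only safe if the value was checked first), `clearSort` as the name of the ThreadLocal removal, the `StatementHandler.prepare` interception point, the sample SQL and column names, and Mybatis 3.5 or later (where `Interceptor.plugin` and `setProperties` have default implementations).

```java
import java.sql.Connection;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.ibatis.executor.statement.StatementHandler;
import org.apache.ibatis.mapping.BoundSql;
import org.apache.ibatis.plugin.Interceptor;
import org.apache.ibatis.plugin.Intercepts;
import org.apache.ibatis.plugin.Invocation;
import org.apache.ibatis.plugin.Signature;
import org.apache.ibatis.reflection.MetaObject;
import org.apache.ibatis.reflection.SystemMetaObject;

/** Preset sorting utility class (OrderSortUtil in the description). */
final class OrderSortUtil {
    private static final ThreadLocal<String> SORT = new ThreadLocal<>();
    // Assumption, not stated in the patent: only identifier-shaped column names and
    // ASC/DESC are accepted, so the clause the plugin later concatenates is attacker-free.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");
    private OrderSortUtil() {}

    /** setSort: validate "col [asc|desc], col2 ..." and stash it for the plugin. */
    static void setSort(String sortColumns) {
        if (sortColumns == null || sortColumns.isBlank()) { SORT.remove(); return; }
        List<String> items = new ArrayList<>();
        for (String raw : sortColumns.split(",")) {
            String[] parts = raw.trim().split("\\s+");
            if (parts.length > 2 || !IDENT.matcher(parts[0]).matches()) {
                throw new IllegalArgumentException("rejected sort expression: " + raw.trim());
            }
            String dir = parts.length == 2 ? parts[1].toUpperCase() : "ASC";
            if (!dir.equals("ASC") && !dir.equals("DESC")) {
                throw new IllegalArgumentException("rejected sort direction: " + parts[1]);
            }
            items.add(parts[0] + " " + dir);
        }
        SORT.set(String.join(", ", items));
    }

    static String getSort() { return SORT.get(); }

    /** Step c: call from a finally block, or the next request on this pooled thread inherits the sort. */
    static void clearSort() { SORT.remove(); }
}

/** Parent class of every query-condition object (BaseQuery in the description). */
class BaseQuery {
    private String sortColumns;

    /** The rewritten preset query method: the value no longer reaches the mapper via ${}. */
    public void setSortColumns(String sortColumns) {
        this.sortColumns = sortColumns;
        OrderSortUtil.setSort(sortColumns);
    }
}

/** Preset sorting plugin: appends the stored clause to the SQL about to be prepared. */
@Intercepts(@Signature(type = StatementHandler.class, method = "prepare",
        args = {Connection.class, Integer.class}))
class OrderSortPlugin implements Interceptor {
    private static final Pattern HAS_ORDER_BY = Pattern.compile("\\bORDER\\s+BY\\b", Pattern.CASE_INSENSITIVE);

    /** Pure rewrite step, kept apart from MyBatis so it can be checked without a database. */
    static String appendOrderBy(String sql, String sort) {
        if (sort == null || !sql.trim().regionMatches(true, 0, "SELECT", 0, 6)
                || HAS_ORDER_BY.matcher(sql).find()) {
            return sql;  // not a SELECT, or it already orders (anywhere, subqueries included)
        }
        return sql + " ORDER BY " + sort;
    }

    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        StatementHandler handler = (StatementHandler) invocation.getTarget();
        BoundSql boundSql = handler.getBoundSql();
        String rewritten = appendOrderBy(boundSql.getSql(), OrderSortUtil.getSort());
        if (!rewritten.equals(boundSql.getSql())) {
            // BoundSql.sql is private final; MyBatis' own MetaObject reflection still sets it.
            MetaObject meta = SystemMetaObject.forObject(boundSql);
            meta.setValue("sql", rewritten);
        }
        return invocation.proceed();
    }
}

public class OrderSortDemo {
    public static void main(String[] args) {
        BaseQuery q = new BaseQuery();
        try {
            q.setSortColumns("created_at desc, id");
            System.out.println(OrderSortPlugin.appendOrderBy(
                    "SELECT id, name FROM users WHERE status = ?", OrderSortUtil.getSort()));
            q.setSortColumns("id; DROP TABLE users");  // rejected before it reaches any SQL
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            OrderSortUtil.clearSort();  // step c
        }
    }
}
```

The plugin is registered in mybatis-config.xml under `<plugins>`. Two points to check in a real deployment: `setSortColumns` must run on the same thread that later executes the mapper call, or the ThreadLocal hand-off silently yields an unsorted result (async executors break it); and a per-endpoint allow-list of column names is stricter than the identifier regex used here, because it also stops a caller from sorting on a column it should not be able to observe.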

[0068] This application embodiment converts the original query method in the system into the setSort sorting method. Only the query method code is modified, and other code is not modified. It generates the final SQL that prevents injection attacks with only minor modifications to the original sorting code, realizes the original sorting function, and solves the SQL injection attack problem.

[0069] This embodiment provides a method for generating SQL to prevent injection attacks. In the process of generating the final SQL to prevent injection attacks, the original query method in the system is uniformly converted into the setSort sorting method by rewriting the inherited parent class of the query conditions. Only the query method code is modified, and other code is not modified. Therefore, the final SQL to prevent injection attacks is generated with only minor modifications to the original sorting code, realizing the original sorting function and solving the SQL injection attack problem.

[0070] It should be further noted that, in this embodiment of the application, configuration items can also be added to the project, that is, configuration items can be added to the mapper mapping file. When the mapper mapping file needs to use the methods described in steps S10 to S30 above, the SQL generation system needs to determine whether the configuration items in the mapper mapping file conform to preset configuration items. If it is determined that the configuration items in the mapper mapping file conform to the preset configuration items, the SQL generation system determines that the mapper mapping file can use the methods described in steps S10 to S30 above. If it is determined that the configuration items in the mapper mapping file do not conform to the preset configuration items, the SQL generation system determines that the mapper mapping file cannot use the methods described in steps S10 to S30 above.

[0071] Furthermore, the SQL generation apparatus for preventing injection attacks provided in this application will be described below. The SQL generation apparatus for preventing injection attacks can be referred to in correspondence with the SQL generation method for preventing injection attacks described above.

[0072] As shown in Figure 2, which is a schematic diagram of the SQL generation device for preventing SQL injection attacks provided in this application, the device includes:

[0073] The determination module 201 is used to determine the target mapping file and query conditions, and to determine the inherited parent class in the target mapping file according to the query conditions;

[0074] The rewrite conversion module 202 is used to rewrite the preset query method in the inherited parent class and convert all sorting associated with the preset query method in the target mapping file into the setSort sorting method of the preset sorting utility class.

[0075] The sorting generation module 203 is used to sort the target mapping file using the setSort sorting method to generate the final SQL to prevent injection attacks.

[0076] Furthermore, the sorting generation module 203 is also used for:

[0077] The sorting parameter is passed as the sort argument of the setSort sorting method, and the preset sorting utility class stores the sort argument in a thread-local variable;

[0078] The current SQL being executed in the target mapping file is determined by a preset sorting plugin, and the sort parameter in the thread local variable is concatenated to the current SQL being executed to generate the final SQL that prevents injection attacks.

[0079] Furthermore, the SQL generation device for preventing injection attacks also includes a deletion module, used to: determine the original mapping file, and delete all sorting methods using a preset value passing method in the original mapping file using regular expressions to obtain the target mapping file.

[0080] Furthermore, the SQL generation device for preventing injection attacks also includes a conversion module, used to convert the original system sorting fields in the target mapping file into sorting parameters through a preset sorting plugin.

[0081] Furthermore, the deletion module is also used for:

[0082] In a `finally` block, remove the sort parameter from the thread-local variable after the final injection-safe SQL has executed.

[0083] The specific embodiments of the SQL generation device for preventing injection attacks provided in this application are basically the same as the embodiments of the SQL generation method for preventing injection attacks described above, and will not be repeated here.

[0084] Figure 3 is a schematic diagram of the physical structure of an electronic device. As shown in Figure 3, the electronic device may include: a processor 310, a communication interface 320, a memory 330, and a communication bus 340, wherein the processor 310, the communication interface 320, and the memory 330 communicate with each other via the communication bus 340. The processor 310 can call logical instructions in the memory 330 to execute the SQL generation method for preventing injection attacks, the method including:

[0085] Determine the target mapping file and query conditions, and determine the inheriting parent class in the target mapping file based on the query conditions;

[0086] The preset query method in the inherited parent class is overridden, and all sorting associated with the preset query method in the target mapping file is converted into the setSort sorting method of the preset sorting utility class;

[0087] The target mapping file is sorted using the setSort sorting method to generate the final SQL to prevent injection attacks.

[0088] Furthermore, the logical instructions in the aforementioned memory 330 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0089] On the other hand, this application also provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions, and when the program instructions are executed by a computer, the computer is able to execute the SQL generation method for preventing injection attacks provided by the methods described above. This method includes:

[0090] Determine the target mapping file and query conditions, and determine the inheriting parent class in the target mapping file based on the query conditions;

[0091] The preset query method in the inherited parent class is overridden, and all sorting associated with the preset query method in the target mapping file is converted into the setSort sorting method of the preset sorting utility class;

[0092] The target mapping file is sorted using the setSort sorting method to generate the final SQL to prevent injection attacks.

[0093] Furthermore, this application also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, is implemented to perform the aforementioned SQL generation methods for preventing injection attacks, the method comprising:

[0094] Determine the target mapping file and query conditions, and determine the inheriting parent class in the target mapping file based on the query conditions;

[0095] The preset query method in the inherited parent class is overridden, and all sorting associated with the preset query method in the target mapping file is converted into the setSort sorting method of the preset sorting utility class;

[0096] The target mapping file is sorted using the setSort sorting method to generate the final SQL to prevent injection attacks.

[0097] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0098] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.

[0099] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.

Claims

1. A method for generating SQL to prevent injection attacks, characterized in that it includes: determining the target mapping file and query conditions, and determining the parent class that the query conditions inherit from in the target mapping file; overriding the preset query method in the inherited parent class, and converting all sorting associated with the preset query method in the target mapping file into the setSort sorting method of the preset sorting utility class; sorting the target mapping file using the setSort sorting method to generate the final SQL to prevent injection attacks; wherein sorting the target mapping file using the setSort sorting method to generate the final SQL to prevent injection attacks includes: passing the sorting parameter as the sort argument of the setSort sorting method, and storing the sort argument in a thread-local variable through the preset sorting utility class; determining, by a preset sorting plugin, the SQL currently being executed in the target mapping file, and concatenating the sort argument held in the thread-local variable onto the SQL currently being executed to generate the final SQL that prevents injection attacks.

2. The SQL generation method for preventing injection attacks according to claim 1, characterized in that, before determining the target mapping file and query conditions and determining the inherited parent class in the target mapping file based on the query conditions, the method further includes: determining the original mapping file, and deleting, using regular expressions, all sorting in the original mapping file that uses a preset value-passing method, to obtain the target mapping file.

3. The SQL generation method for preventing injection attacks according to claim 1, characterized in that, after determining the target mapping file and query conditions and determining the inherited parent class in the target mapping file based on the query conditions, the method further includes: converting the system's original sorting fields in the target mapping file into sorting parameters using the preset sorting plugin.

4. The SQL generation method for preventing injection attacks according to claim 1, characterized in that, after sorting the target mapping file using the setSort sorting method to generate the final SQL that prevents injection attacks, the method further includes: removing the sort parameter from the thread-local variable in a finally statement.

5. A SQL generation device for preventing injection attacks, characterized in that it includes: a determination module, used to determine the target mapping file and query conditions, and to determine the inherited parent class in the target mapping file based on the query conditions; a rewrite-and-conversion module, used to override the preset query method in the inherited parent class, and to convert all sorting associated with the preset query method in the target mapping file into the setSort sorting method of the preset sorting utility class; and a sorting generation module, used to sort the target mapping file using the setSort sorting method to generate the final SQL that prevents injection attacks; wherein the sorting generation module is further used for: passing the sorting parameter to the sort parameter through the setSort sorting method, and passing the sort parameter to a thread-local variable through the preset sorting utility class; and determining, by a preset sorting plugin, the SQL currently being executed in the target mapping file, and concatenating the sort parameter held in the thread-local variable onto the SQL currently being executed to generate the final SQL that prevents injection attacks.

6. The SQL generation device for preventing injection attacks according to claim 5, characterized in that the SQL generation device for preventing injection attacks further includes: a deletion module, used to determine the original mapping file and to delete, using regular expressions, all sorting in the original mapping file that uses a preset value-passing method, to obtain the target mapping file.

7. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the computer program, the steps of the SQL generation method for preventing injection attacks according to any one of claims 1-4 are implemented.

8. A storage medium comprising a computer program, characterized in that, when the computer program is executed by a processor, the steps of the SQL generation method for preventing injection attacks according to any one of claims 1-4 are implemented.
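A sketch of how the setSort method, thread-local variable and sorting plugin of claims 1 and 4 can map onto MyBatis, added here as an illustration and not taken from the patent or its assignee's code: the class names `SortUtil` and `SortInterceptor`, the allow-list of sortable columns, and the `delegate.boundSql.sql` rewrite path are assumptions, and the interceptor as written relies on MyBatis 3.5 or later, where `plugin` and `setProperties` have default implementations.

```java
import org.apache.ibatis.executor.statement.StatementHandler;
import org.apache.ibatis.plugin.Interceptor;
import org.apache.ibatis.plugin.Intercepts;
import org.apache.ibatis.plugin.Invocation;
import org.apache.ibatis.plugin.Signature;
import org.apache.ibatis.reflection.MetaObject;
import org.apache.ibatis.reflection.SystemMetaObject;
import java.sql.Connection;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical "preset sorting utility class": validates the sort and hands it to the plugin. */
public final class SortUtil {
    private static final ThreadLocal<String> SORT = new ThreadLocal<>();
    // Assumption: only allow-listed column names and a literal direction are accepted, so no
    // caller-controlled text is ever concatenated into the SQL (the role ${} played before).
    private static final Set<String> ALLOWED_COLUMNS = Set.of("id", "create_time", "amount");
    private static final Pattern DIRECTION = Pattern.compile("(?i)asc|desc");

    /** The setSort sorting method: callers pass a column and a direction, never raw SQL. */
    public static void setSort(String column, String direction) {
        if (column == null || direction == null || !ALLOWED_COLUMNS.contains(column)
                || !DIRECTION.matcher(direction).matches()) {
            throw new IllegalArgumentException("rejected sort parameter");
        }
        SORT.set(column + " " + direction.toUpperCase());  // the "sort parameter" of claim 1
    }
    static String current() { return SORT.get(); }
    /** Claim 4: remove the sort parameter from the thread-local variable; call this in finally. */
    public static void clear() { SORT.remove(); }
}

/** Hypothetical "preset sorting plugin": appends the validated ORDER BY to the SQL being prepared. */
@Intercepts(@Signature(type = StatementHandler.class, method = "prepare",
        args = {Connection.class, Integer.class}))
class SortInterceptor implements Interceptor {
    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        String sort = SortUtil.current();
        if (sort != null) {
            StatementHandler handler = (StatementHandler) invocation.getTarget();
            String sql = handler.getBoundSql().getSql();
            // Assumption: target is the RoutingStatementHandler, so BoundSql lives under "delegate".
            MetaObject meta = SystemMetaObject.forObject(handler);
            meta.setValue("delegate.boundSql.sql", sql + " ORDER BY " + sort);
        }
        return invocation.proceed();
    }
}
```

A caller then wraps each query as `try { SortUtil.setSort("create_time", "desc"); mapper.list(); } finally { SortUtil.clear(); }`, so the thread-local never leaks a stale sort into the next request served by a pooled thread.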