Data Security Protection
MyBatis-Plus provides data security protection features designed to reduce the risk that database credentials and other sensitive values leak, for example when developers who have seen the plaintext configuration leave the team. Starting from version 3.3.2, MyBatis-Plus supports encrypted configuration values and additional data security measures that harden the database layer.
Configuration Security
YML Configuration Encryption
MyBatis-Plus allows you to use encrypted strings for the database connection settings. In YML configuration files, any value prefixed with mpw: is treated as encrypted content and is decrypted at startup with the key described below.

```yaml
spring:
  datasource:
    url: mpw:qRhvCwF4GOqjessEB3G+a5okP+uXXr96wcucn2Pev6Bf1oEMZ1gVpPPhdDmjQqoM
    password: mpw:Hzy5iliJbwDHhjLs1L0j6w==
    username: mpw:Xb+EgsyuYRXw7U7sBJjBpA==
```
Key Encryption
Use the AES utility class shipped with MyBatis-Plus (com.baomidou.mybatisplus.core.toolkit.AES) to generate a random key and encrypt the sensitive values. The generated key is a 16-character (128-bit) string; the ciphertext it produces is what goes into the YML after the mpw: prefix.

```java
import com.baomidou.mybatisplus.core.toolkit.AES;

// Generate a 16-character random AES key
String randomKey = AES.generateRandomKey();

// Encrypt a plaintext value (e.g. the datasource password) with the random key
String encryptedData = AES.encrypt(data, randomKey);
```
How to Use
Pass the key to the application at startup as a command-line argument. Starting from version 3.5.10, the key can also be supplied as a JVM system property or an environment variable.
Keep the key out of the configuration file and the repository: the mpw: values are only as safe as the key, and anyone holding both can recover the plaintext. On shared hosts, note that command-line arguments are visible to other local users through process listings, so the environment-variable route exposes less.
```
# Example Jar startup argument (set as "Program arguments" in IDEA, or as a startup
# argument / environment variable on the server)
--mpw.key=d1104d7c3b616f0b
```
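The whole procedure end to end, as an added example that is not code from the MyBatis-Plus documentation: generate a key with the toolkit's AES class, encrypt the three datasource values, print them in the mpw: form the YML expects, and verify the round-trip before the key is handed to the startup command. The class name, the plaintext values and the printed layout are constructed for this example.

```java
import com.baomidou.mybatisplus.core.toolkit.AES;

/**
 * Added example (not part of the MyBatis-Plus documentation): encrypt the
 * datasource settings once, offline, and emit them in the mpw: form.
 * The plaintext values below are constructed placeholders.
 */
public class MpwConfigEncryptor {

    // Prefix MyBatis-Plus looks for in YML values to decide that a value is encrypted.
    private static final String MPW_PREFIX = "mpw:";

    /** Wraps a plaintext config value as an mpw: ciphertext for the given 16-character key. */
    static String toMpw(String plaintext, String key) {
        return MPW_PREFIX + AES.encrypt(plaintext, key);
    }

    /** Reverses toMpw; used here only to prove the round-trip before the value is committed. */
    static String fromMpw(String mpwValue, String key) {
        if (!mpwValue.startsWith(MPW_PREFIX)) {
            throw new IllegalArgumentException("not an mpw: value");
        }
        return AES.decrypt(mpwValue.substring(MPW_PREFIX.length()), key);
    }

    public static void main(String[] args) {
        // Generate the key once and keep it out of the repository;
        // it is what --mpw.key=... must carry at startup.
        String key = AES.generateRandomKey();

        String url = "jdbc:mysql://db.internal:3306/app?useSSL=true"; // constructed placeholder
        String username = "app_user";                                  // constructed placeholder
        String password = "S3cret-Pa55word";                           // constructed placeholder

        String urlMpw = toMpw(url, key);
        String userMpw = toMpw(username, key);
        String passMpw = toMpw(password, key);

        // Sanity check: a mismatch must surface here, not at application startup.
        if (!password.equals(fromMpw(passMpw, key))) {
            throw new IllegalStateException("round-trip failed");
        }

        System.out.println("Start the app with: --mpw.key=" + key);
        System.out.println("spring:");
        System.out.println("  datasource:");
        System.out.println("    url: " + urlMpw);
        System.out.println("    username: " + userMpw);
        System.out.println("    password: " + passMpw);
    }
}
```

Run this on a workstation, paste the printed YML into the configuration, and hand the printed key only to the deployment that starts the application; the key itself should never appear in the same repository as the ciphertexts.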
Data Security
MyBatis-Plus provides field encryption/decryption and field desensitization features to protect sensitive data stored in databases.
- Field Encryption/Decryption: Encrypts specific fields in the database for storage and decrypts them when needed.
- Field Desensitization: Processes sensitive fields to hide or obscure sensitive information.
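As an added example, not the MyBatis-Plus feature the two bullets refer to, the same two effects can be obtained from MyBatis' standard TypeHandler extension point together with the AES helper in mybatis-plus-core: the handler encrypts a column on write and decrypts it on read, and a small masking helper desensitizes a value before it leaves the service. The entity, the column names and the FIELD_KEY environment variable used as key source are assumptions made for this example.

```java
import com.baomidou.mybatisplus.annotation.TableField;
import com.baomidou.mybatisplus.annotation.TableName;
import com.baomidou.mybatisplus.core.toolkit.AES;
import org.apache.ibatis.type.BaseTypeHandler;
import org.apache.ibatis.type.JdbcType;

import java.sql.CallableStatement;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example, not the MyBatis-Plus feature itself: field encryption via a
 * MyBatis TypeHandler plus a masking helper for desensitized output.
 */
public class FieldProtectionExample {

    /** Transparently encrypts on write and decrypts on read. */
    public static class AesStringTypeHandler extends BaseTypeHandler<String> {
        // Assumption: a 16-character key is supplied out of band, never in the repo.
        private static final String KEY = System.getenv("FIELD_KEY");

        @Override
        public void setNonNullParameter(PreparedStatement ps, int i, String parameter, JdbcType jdbcType)
                throws SQLException {
            ps.setString(i, AES.encrypt(parameter, KEY));
        }

        @Override
        public String getNullableResult(ResultSet rs, String columnName) throws SQLException {
            return decrypt(rs.getString(columnName));
        }

        @Override
        public String getNullableResult(ResultSet rs, int columnIndex) throws SQLException {
            return decrypt(rs.getString(columnIndex));
        }

        @Override
        public String getNullableResult(CallableStatement cs, int columnIndex) throws SQLException {
            return decrypt(cs.getString(columnIndex));
        }

        private static String decrypt(String stored) {
            return stored == null ? null : AES.decrypt(stored, KEY);
        }
    }

    /** Desensitization: keep enough of the value to recognise it, hide the rest. */
    static String maskPhone(String phone) {
        if (phone == null || phone.length() < 7) {
            return "***";
        }
        return phone.substring(0, 3) + "****" + phone.substring(phone.length() - 4);
    }

    /** autoResultMap is required for MyBatis-Plus to apply the handler on SELECT. */
    @TableName(value = "customer", autoResultMap = true)
    public static class Customer {
        private Long id;

        @TableField(typeHandler = AesStringTypeHandler.class)
        private String idCardNo;   // stored encrypted, plaintext in the object

        private String phone;

        /** What the API returns instead of the raw number, e.g. 138****5678. */
        public String getMaskedPhone() {
            return maskPhone(phone);
        }
        // getters and setters omitted
    }
}
```

The key management problem is the same as for configuration encryption: whoever can read the key can read every encrypted column, so the key belongs in a secret store or the deployment environment, not in the code base.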
SQL Injection Protection
MyBatis-Plus offers both automatic and manual methods to check for SQL injection risks. The checks target strings that become part of the SQL text itself, such as column names passed to order-by and similar wrapper methods; condition values are bound as prepared-statement parameters and are not the concern here.
Automatic Check
When using the Wrappers.query() method, automatic SQL injection checking of column names can be enabled via .checkSqlInjection().

```java
// columnFromFrontend: a column name received from the frontend (hypothetical variable name).
// Whitelisting the permitted column names remains the recommended practice,
// because the built-in check may not be comprehensive.
Wrappers.query()
    // Enable automatic SQL injection check
    .checkSqlInjection()
    .orderByDesc(columnFromFrontend);
```
Manual Validation
Use the SqlInjectionUtils.check() method for manual validation; it returns true when the string looks like an injection attempt.

```java
import com.baomidou.mybatisplus.core.toolkit.sql.SqlInjectionUtils;

// Manually validate whether a field name passed from the frontend poses a SQL injection risk.
// Whitelisting the permitted column names remains the recommended practice,
// because the check may not be comprehensive.
boolean suspicious = SqlInjectionUtils.check(columnFromFrontend);
```
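Both approaches above, combined the way the caveat recommends, as an added example that is not code from the MyBatis-Plus documentation: a whitelist decides which sort fields are acceptable, checkSqlInjection() stays on as a second line of defence, and SqlInjectionUtils.check() is shown on the same inputs. The User entity, the column mapping and the sample inputs are constructed for this example; the vulnerable variant is kept only to show what the raw string would do.

```java
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.core.toolkit.Wrappers;
import com.baomidou.mybatisplus.core.toolkit.sql.SqlInjectionUtils;

import java.util.Map;

/**
 * Added example (not MyBatis-Plus documentation code): building an ORDER BY from a
 * frontend-supplied sort parameter. User and its columns are constructed here.
 */
public class SortParamHardening {

    // Whitelist: the only sort fields the API accepts, mapped to physical columns
    // so the schema never appears in the URL.
    private static final Map<String, String> SORTABLE = Map.of(
            "id", "id",
            "createdAt", "create_time",
            "username", "username");

    /** Vulnerable: the raw string goes straight into ORDER BY. */
    static QueryWrapper<User> unsafeQuery(String sortParam) {
        return Wrappers.<User>query().orderByDesc(sortParam);
    }

    /**
     * Hardened: whitelist first; the built-in check is a second line of defence
     * that throws before any SQL is rendered if a suspicious column slips through.
     */
    static QueryWrapper<User> safeQuery(String sortParam) {
        String column = SORTABLE.get(sortParam);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort field: " + sortParam);
        }
        return Wrappers.<User>query()
                .checkSqlInjection()   // MyBatis-Plus rejects suspicious column names
                .orderByDesc(column);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate, two hostile.
        String[] inputs = {
                "createdAt",
                "id; DROP TABLE user",
                "id) UNION SELECT password FROM user -- "
        };
        for (String in : inputs) {
            // Manual check, usable anywhere a string is about to reach SQL text.
            System.out.printf("%-45s injection? %s%n", in, SqlInjectionUtils.check(in));
            try {
                System.out.println("  safe ORDER BY: " + safeQuery(in).getSqlSegment());
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
        // The unsafe wrapper renders whatever it was given.
        System.out.println("unsafe: " + unsafeQuery(inputs[1]).getSqlSegment());
    }

    /** Minimal entity so the wrappers are typed. */
    static class User {}
}
```

The whitelist is what actually closes the hole: the hostile inputs never reach the wrapper, so the correctness of the keyword-based check is not what the application's safety depends on.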
Through these measures, MyBatis-Plus helps you build a more secure database environment, protecting sensitive data from leaks.