Skip to content

Block Full Table Update and Delete Plugin

BlockAttackInnerInterceptor is a security plugin provided by the MyBatis-Plus framework, specifically designed to prevent malicious full-table update and delete operations. By intercepting update and delete statements, this plugin ensures these operations do not inadvertently affect entire database tables, thereby safeguarding data integrity and security.

Features

  • Prevents Full-Table Updates and Deletes: The plugin identifies and blocks update and delete statements that lack specified conditions, which could otherwise modify or delete all data in a table.
  • Enhances Data Security: By restricting full-table operations, it reduces the risk of data loss due to accidental or malicious actions.

Usage

  1. Inject the Plugin: In a Spring Boot configuration class, inject MybatisPlusInterceptor into the Spring container using the @Bean annotation, and add BlockAttackInnerInterceptor as an inner interceptor.
@Configuration
public class MybatisPlusConfig {
@Bean
public MybatisPlusInterceptor mybatisPlusInterceptor() {
MybatisPlusInterceptor interceptor = new MybatisPlusInterceptor();
interceptor.addInnerInterceptor(new BlockAttackInnerInterceptor());
return interceptor;
}
}
  1. Configure Interception Rules: By default, the plugin intercepts update and delete statements without specified conditions. For custom interception rules, refer to the MyBatis-Plus documentation.

Test Examples

Full-Table Update Test

The following test demonstrates how BlockAttackInnerInterceptor prevents full-table update operations.

@SpringBootTest
public class QueryWrapperTest {
@Autowired
private UserService userService;
/**
* SQL:UPDATE user SET name=?,email=?;
*/
@Test
public void testFullUpdate() {
User user = new User();
user.setId(999L);
user.setName("custom_name");
user.setEmail("xxx@mail.com");
// Since no update condition is specified, the plugin throws an exception
// com.baomidou.mybatisplus.core.exceptions.MybatisPlusException: Prohibition of table update operation
Assertions.assertThrows(MybatisPlusException.class, () -> {
userService.saveOrUpdate(user, null);
});
}
}

Partial Update Test

The following test demonstrates how to correctly perform partial updates, which the plugin will not intercept.

@SpringBootTest
public class QueryWrapperTest {
@Autowired
private UserService userService;
/**
* SQL:UPDATE user SET name=?, email=? WHERE id = ?;
*/
@Test
public void testPartialUpdate() {
LambdaUpdateWrapper<User> wrapper = new LambdaUpdateWrapper<>();
wrapper.eq(User::getId, 1);
User user = new User();
user.setId(10L);
user.setName("custom_name");
user.setEmail("xxx@mail.com");
// Since an update condition is specified, the plugin will not intercept this operation
userService.saveOrUpdate(user, wrapper);
}
}

The BlockAttackInnerInterceptor plugin is a critical security tool provided by MyBatis-Plus, effectively preventing full-table update and delete operations and protecting databases from accidental or malicious data corruption. Proper configuration and use of this plugin can significantly enhance an application’s data security.

Baomidou

© 2016-2025 Baomidou™. All Rights Reserved.

Power by Astro Starlight | Sponsored by JetBrains

渝ICP备2021000141号-1 | 渝公网安备50011302222097