
I am working on a project where I will get a random SQL query that should just load into a webpage with the data. Fairly simple. I'm using MyBatis to do so. So the SQL query I load into my program, I want it to only accept Select statements. Basically, since I only want it to show data, I do not want the person that dynamically gives SQL queries, to be able to update, insert, delete, drop or create anything at all. Is there any way I can tell MyBatis not to accept this?

If I lack any form of information, don't hesitate to yell at me :)

Best regards

Mikkel

Mikkel Larsen
  • Usually, an app uses only ONE user/passwd to access MySQL. In order to forbid some user (of the app layer) from writing to the database, the easiest way seems to be to allow only the "SELECT" method for this user on the MyBatis layer. – Yin Nov 04 '15 at 11:46

1 Answer

Why do you want MyBatis to handle this? You can restrict privileges in the database you are using. This link may help to restrict privileges in MySQL database.

How can I restrict a MySQL user to a particular tables

Akhil
  • Yeah, I want MyBatis to handle this. I will be getting random queries from different databases, so I can't go to the single database and fix it. I need my program to not allow it. – Mikkel Larsen Sep 15 '14 at 06:48
  • I am afraid you may then have to handle it in your code itself. MyBatis just provides an interface between your application and DB. The only control you have is not writing any , , statement by yourself. Since that is also not in your control as the queries are dynamic, the only way left is to handle everything in your own code and not think about MyBatis. :( – Akhil Sep 15 '14 at 09:02
  • Restricting write access on the app layer is a proper request. – Yin Nov 04 '15 at 10:51
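
An added example (not code from the question, the answer or MyBatis) of the in-code check discussed in the comments above: a deny-by-default gate the application calls before handing caller-supplied SQL to MyBatis. The class name `SelectOnlyGate`, its method and the sample queries are assumptions constructed for illustration.

```java
import java.util.Locale;
import java.util.regex.Pattern;

// Added example (hypothetical class, not a MyBatis API): deny-by-default gate
// for caller-supplied SQL. Anything it cannot classify as one SELECT is refused.
public class SelectOnlyGate {
    // Quoted literals and identifiers; '' and "" doubling is matched as adjacent pairs.
    private static final Pattern QUOTED = Pattern.compile("'[^']*'|\"[^\"]*\"|`[^`]*`");
    // Left over after stripping literals: stray quote, statement separator, comment opener.
    private static final Pattern UNSAFE = Pattern.compile("['\"`;#]|--|/\\*");
    // Clauses that let a SELECT write data or take row locks.
    private static final Pattern WRITES = Pattern.compile("\\b(INTO|FOR\\s+(UPDATE|SHARE))\\b");

    public static boolean isPlainSelect(String sql) {
        // Backslash escaping differs between databases, so it is refused outright
        // instead of guessing where a string literal ends.
        if (sql == null || sql.indexOf('\\') >= 0) return false;
        // Blank out literals so keywords inside data are not mistaken for SQL.
        String s = QUOTED.matcher(sql).replaceAll(" ").trim();
        // A single trailing ';' is tolerated; any other ';' means stacked statements.
        if (s.endsWith(";")) s = s.substring(0, s.length() - 1);
        if (UNSAFE.matcher(s).find()) return false;
        s = s.toUpperCase(Locale.ROOT);
        // WITH, parenthesised and every non-SELECT statement fall through to "refuse".
        return s.matches("(?s)SELECT\\b.*") && !WRITES.matcher(s).find();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "SELECT id, name FROM users WHERE note = 'drop; it''s fine'",
            "select * from orders;",
            "SELECT 1; DROP TABLE users",
            "SELECT * INTO archive FROM users",
            "/* hint */ UPDATE users SET admin = 1",
            "DELETE FROM users",
            "SELECT * FROM t WHERE a = 'unterminated"
        };
        for (String q : samples) {
            System.out.printf("%-6s %s%n", isPlainSelect(q) ? "ALLOW" : "REJECT", q);
        }
    }
}
```

A text check like this cannot see side effects inside functions or procedures that a SELECT may call, so it complements the SELECT-only database account the answer suggests rather than replacing it.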