select * from order where order_id = 123456;

       显然我们忘记了给123456加上单引号,但是这个查询是有效的,而且查到我们想要的数据。明明order_id是个varchar类型,应该使用order_id = '123456'这种方式明确指定为字符串类型,为什么使用123456这样的数字类型也是ok的呢?这就涉及到了Mysql隐式类型转换的问题,在MySQL中,当操作符与不同类型的操作数一起使用时,会发生类型转换以使操作数相互兼容。
       哦!原来这样也可以啊!还省去了写单引号的麻烦,不错不错!如果你平时偷懒在Navicat或者Mysql Console里面用这种方式写几个查询语句也就算了,一旦这样的方式进入到生产环境的代码里面,那你可给自己挖了个大坑哦!


       当然,我们对待知识的态度是要知其然,更要知其所以然。这种问题很容易了解清楚,Mysql参考手册翻出来查一查,立马搞定。以下内容摘自MySQL 5.7 Reference Manual:

The following rules describe how conversion occurs for comparison operations:

If one or both arguments are NULL, the result of the comparison is NULL, except for the NULL-safe <=> equality comparison operator. For NULL <=> NULL, the result is true. No conversion is needed.

If both arguments in a comparison operation are strings, they are compared as strings.

If both arguments are integers, they are compared as integers.

Hexadecimal values are treated as binary strings if not compared to a number.

If one of the arguments is a TIMESTAMP or DATETIME column and the other argument is a constant, the constant is converted to a timestamp before the comparison is performed. This is done to be more ODBC-friendly. This is not done for the arguments to IN(). To be safe, always use complete datetime, date, or time strings when doing comparisons. For example, to achieve best results when using BETWEEN with date or time values, use CAST() to explicitly convert the values to the desired data type.

A single-row subquery from a table or tables is not considered a constant. For example, if a subquery returns an integer to be compared to a DATETIME value, the comparison is done as two integers. The integer is not converted to a temporal value. To compare the operands as DATETIME values, use CAST() to explicitly convert the subquery value to DATETIME.

If one of the arguments is a decimal value, comparison depends on the other argument. The arguments are compared as decimal values if the other argument is a decimal or integer value, or as floating-point values if the other argument is a floating-point value.

In all other cases, the arguments are compared as floating-point (real) numbers.


For comparisons of a string column with a number, MySQL cannot use an index on the column to look up the value quickly. If str_col is an indexed string column, the index cannot be used when performing the lookup in the following statement:

SELECT * FROM tbl_name WHERE str_col=1;

The reason for this is that there are many different strings that may convert to the value 1, such as '1', ' 1', or '1a'.

       还是订单表order里面定义了一个varchar的字段,叫做order_id,并且order_id字段上创建索引idx_order_id,order 表里面大约有14万条数据。

select count(*) from order;



select * from order where order_id = '219052918283139700160';

0.037s elapsed


select * from order where order_id = 219052918283139700160;

0.345s elapsed


select * from order where order_id = '219052918283139700160';

id  select_type table   type    possible_keys   key key_len ref rows    Extra
1   SIMPLE  order   ref idx_order_id    idx_order_id    202 const   1   Using index condition


select * from order where order_id = 219052918283139700160;

id  select_type table   type    possible_keys   key key_len ref rows    Extra
1   SIMPLE  order   ALL idx_order_id                135860  Using where

       我去!完蛋了!type为All,全表扫描,灾难啊!再看看更详细的内容,使用Explain EXTENDED和SHOW WARNINGS。

select * from order where order_id = 219052918283139700160;

id  select_type table   type    possible_keys   key key_len ref rows    filtered    Extra
1   SIMPLE  order   ALL idx_order_id                135864  100.00  Using where

Level   Code    Message
Warning 1739    Cannot use ref access on index 'idx_order_id' due to type or collation conversion on field 'order_id'
Warning 1739    Cannot use range access on index 'idx_order_id' due to type or collation conversion on field 'order_id'
Note    1003    /* select#1 */ select `xx`.`order`.`id` AS `id`,`xx`.`order`.`is_delete` AS `is_delete`,`xx`.`order`.`create_time` AS `create_time`,`xx`.`order`.`update_time` AS `update_time`,`xx`.`order`.`order_id` AS `order_id`,`xx`.`order`.`req_param` AS `req_param`,`xx`.`order`.`source` AS `source` from `xx`.`order` where (`xx`.`order`.`order_id` = 219052918283139700160)



SELECT * FROM users WHERE username = '?' AND password = '?';

       如果password输入的是a' OR 1='1,那么username随便输入,这样就生成了下面的查询:

SELECT * FROM users WHERE username = 'xxx' AND password = 'a' OR 1='1';


SELECT * FROM users WHERE (username = 'xxx' AND password = 'a') OR 1='1';



mysql> select * from test;
| id | name  | password  |
|  1 | test1 | password1 |
|  2 | test2 | password2 |
|  3 | 12    | ddd       |
|  4 | 12a   | bbb       |
6 rows in set (0.00 sec)

mysql> select * from test where name = 12;
| id | name  | password |
|  3 | 12    | ddd      |
|  4 | 12a   | bbb      |
2 rows in set, 5 warnings (0.00 sec)

mysql> select * from test where name = '12';
| id | name | password |
|  3 | 12   | ddd      |
1 row in set (0.00 sec)



       实际上在我之前的一篇文章(参考文献3)中提到过隐式自动转换可能存在的问题,但没有展开讨论。再回想到上篇文章中提到的My batis的两种传参方式${}与#{},#{}这种方式能够很大程度的防止sql注入,而${}则无法防止sql注入。想当黑客,还是得了解很多技术细节的。


                                                                             2019年7月10日 星期三 于北京至唐山途中

