Database Data Masking Techniques: SQL, Java, and MyBatis-Mate Sensitive-Jackson Comparison

Introduction

Real‑world data breaches in e‑commerce and healthcare illustrate the critical need for data security, and database masking serves as an invisible shield that protects sensitive information without disrupting normal usage.

1. SQL Implementation: “Database Metamorphosis”

(a) Principle

SQL functions such as REPLACE, SUBSTRING and CONCAT can be combined to replace or hide parts of sensitive fields (e.g., names, addresses, ID numbers, phone numbers) while preserving the data’s business value.

(b) Practical Examples

Phone number masking

SELECT
    phone AS original_phone,
    CONCAT(SUBSTRING(phone, 1, 3), '****', SUBSTRING(phone, -4)) AS masked_phone
FROM users;

The SUBSTRING function extracts the first three and last four digits, and CONCAT joins them with asterisks to mask the middle portion.

ID card masking

SELECT
    id_card AS original_id_card,
    CONCAT(SUBSTRING(id_card, 1, 6), '******', SUBSTRING(id_card, -4)) AS masked_id_card
FROM users;

Here the first six and last four characters are kept, while the middle six are replaced with asterisks.

(c) Advantages and Limitations

Simple and direct operation for DBAs familiar with SQL.

Runs at the database layer, avoiding data‑transfer risks.

Seamless integration with MySQL, Oracle, SQL Server, etc.

Limitations include poor flexibility for complex rules, potential performance impact on large datasets, and difficulty managing uniform policies across many tables.

2. Java Implementation: Code‑Level Guardian

(a) Open‑source Tools

The sensitive-plus plugin provides annotations such as @SensitiveMobile and @SensitiveIdCard to mask common data types with configurable strategies.

(b) Custom Rules

Developers can write custom masking logic using Java string methods, reflection, and conditional statements to meet specific business requirements.

(c) Application Scenarios

Used in e‑commerce, finance, and healthcare systems to protect user privacy while allowing necessary data processing.

3. MyBatis‑Mate‑Sensitive‑Jackson: ORM Secret Weapon

(a) Plugin Overview

This MyBatis‑Plus extension offers nine built‑in masking rules and supports custom strategies via annotations.

(b) Usage Steps

Add Maven dependency

<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-mate-sensitive-jackson</artifactId>
    <version>YOUR_VERSION</version>
</dependency>

Configure license information in application.yml and annotate entity fields with @FieldSensitive.

import lombok.Getter;
import lombok.Setter;
import mybatis.mate.annotation.FieldSensitive;
import mybatis.mate.strategy.SensitiveType;

@Getter
@Setter
public class User {
    private Long id;
    @FieldSensitive(SensitiveType.mobile)
    private String mobile;
    @FieldSensitive(SensitiveType.email)
    private String email;
}

(c) Advanced Usage

Custom strategies can be defined by implementing ISensitiveStrategy and registering with addStrategy.

import mybatis.mate.databind.ISensitiveStrategy;
import mybatis.mate.strategy.SensitiveStrategy;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SensitiveStrategyConfig {
    @Bean
    public ISensitiveStrategy sensitiveStrategy() {
        return new SensitiveStrategy()
            .addStrategy("customStrategy", t -> "******");
    }
}

Annotations can then reference the custom strategy.

@FieldSensitive("customStrategy")
private String customField;

4. Comparison of the Three Approaches

(a) Performance

SQL is fastest for simple, small‑scale masking but may strain the DB under heavy load; Java offloads work to the application layer and scales better with multithreading; the MyBatis plugin balances convenience with moderate overhead.

(b) Suitable Scenarios

SQL for high‑consistency, simple rules; Java for flexible, role‑based masking; MyBatis plugin for projects already using MyBatis‑Plus.

(c) Cost Considerations

SQL has low learning cost but limited flexibility; Java requires stronger programming skills; the plugin adds a dependency but reduces development effort when MyBatis‑Plus is in use.