What is the difference between #{...} and ${...} in MyBatis 3 mapper files?

From: http://blog.csdn.net/doctor_who2004/article/details/43027181

What is the difference between #{...} and ${...}?

MyBatis interprets #{...} as a parameter marker in a JDBC prepared statement. MyBatis interprets ${...} as string substitution.

In MyBatis 3, #{...} is the placeholder marker for a JDBC prepared statement parameter; its value is set by the TypeHandler that matches the parameter's type. ${...} in MyBatis 3 is merely string substitution, which is also where SQL injection used to happen in web programming.

It is important to know the difference because parameter markers cannot be used in certain places in SQL statements. For example, you cannot use a parameter marker to specify a table name.

Given the following code:

    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;

    Map<String, Object> parms = new HashMap<String, Object>();
    parms.put("table", "foo");    // consumed by ${table}: spliced into the SQL text
    parms.put("criteria", 37);    // consumed by #{criteria}: bound as a prepared-statement parameter
    List<Object> rows = mapper.generalSelect(parms);

and the mapper statement:

    <select id="generalSelect" parameterType="map">
      select * from ${table} where col1 = #{criteria}
    </select>


MyBatis will generate the following prepared statement:

    select * from foo where col1 = ?


Important: note that use of ${...} (string substitution) presents a risk for SQL injection attacks. Also, string substitution can be problematical for complex types like dates. For these reasons, we recommend using the #{...} form whenever possible.
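To make the two behaviours concrete, here is an added example (illustrative Python, not MyBatis's own code and not from the original post) that mimics the two placeholder forms over sqlite3: #{...} becomes a '?' marker whose value is handed to the driver, while ${...} is spliced into the SQL text, so the example only accepts it from an assumed allowlist of table names.

```python
import re
import sqlite3

# Constructed mini-resolver that mimics MyBatis's two placeholder forms
# (illustrative code, not MyBatis's own implementation):
#   #{name} -> JDBC-style '?' marker; the value goes to the driver separately
#   ${name} -> raw text spliced into the SQL string before it is prepared
PLACEHOLDER_RE = re.compile(r"([#$])\{(\w+)\}")

# Because ${...} is string substitution, only values from a fixed allowlist
# of identifiers may be spliced in (assumed policy for this example).
ALLOWED_TABLES = {"foo", "bar"}


def resolve(template, parms):
    """Return (sql, bound_values) as a prepared statement would receive them."""
    bound = []

    def replace(match):
        kind, name = match.group(1), match.group(2)
        value = parms[name]
        if kind == "#":
            bound.append(value)  # value never becomes part of the SQL text
            return "?"
        if value not in ALLOWED_TABLES:  # ${...}: validate before splicing
            raise ValueError("identifier not allowed for ${%s}: %r" % (name, value))
        return value

    return PLACEHOLDER_RE.sub(replace, template), bound


GENERAL_SELECT = "select * from ${table} where col1 = #{criteria}"


def general_select(conn, parms):
    """Equivalent of mapper.generalSelect(parms) from the post, run on sqlite3."""
    sql, bound = resolve(GENERAL_SELECT, parms)
    return conn.execute(sql, bound).fetchall()


def demo():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (col1 integer, name text)")
    conn.executemany("insert into foo values (?, ?)", [(37, "x"), (38, "y")])
    return general_select(conn, {"table": "foo", "criteria": 37})


if __name__ == "__main__":
    print(resolve(GENERAL_SELECT, {"table": "foo", "criteria": 37}))
    print(demo())
```

Running it prints the same prepared statement the post shows, `select * from foo where col1 = ?`, with 37 carried separately as the bound value.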


Reposted from angie.iteye.com/blog/2386719