Parameter injection in SQL under the SSM framework (the difference between # and $)
阿新 • Published: 2018-03-11
```xml
<select id="findUsersByUserName2" resultType="java.util.Map" parameterType="Params">
    SELECT
        id as uid,
        username as uname,
        password as pwd,
        account as act,
        telephone,
        idcard,
        create_time as createTime,
        is_delete as isDelete,
        male,
        birthday,
        email,
        address,
        update_time as updateTime,
        teacher_id as teacherId,
        subject_id as subjectId,
        age,
        status,
        type
    FROM
        tz_user
    WHERE
        username LIKE '%${username}%'
        AND `password` = #{password}
    ORDER BY ${order}
</select>
```
ORDER BY ${order} and the fuzzy query username LIKE '%${username}%' use the $ sign; most of the other parameters are fetched with #{}.
ORDER BY can also take its parameter through #{}.
#{} treats the incoming value as a string and automatically wraps it in a pair of double quotes. For example, with order by #{userId}: if the value passed in is 111, the SQL resolves to order by "111"; if the value passed in is id, the SQL resolves to order by "id".
${} places the incoming value directly into the SQL text, exactly as given, with no quotes added: for select * from table1 where id=${id}, if id = 4 the result is select * from table1 where id = 4;
Prefer #{} wherever it can be used, because it prevents SQL injection and the statement is precompiled; use ${} only when the value must be emitted verbatim.
Remember one rule: inside single quotes use ${}; ORDER BY can use either ${} or #{}; with #{} you must not add single quotes, because the quotes are added by default.
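The following is an added example (not code from the original post and not MyBatis itself) that emulates the two binding modes with Python and sqlite3 against a constructed tz_user table: find_dollar pastes the value into the SQL text the way ${} does, find_hash passes it as a bound parameter the way #{} does (the %-wildcards are appended in SQL, which is what CONCAT('%', #{username}, '%') achieves in a MySQL mapper), and find_ordered shows the whitelist check a ${order} column needs since ORDER BY cannot be a bound parameter. Table layout, row data and the whitelist are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the mapper's tz_user table (assumption).
ROWS = [(1, "alice", "pw1"), (2, "o'brien", "pw2"), (3, "bob", "pw3")]
# Columns a caller is allowed to sort by; anything else is rejected (assumption).
ORDER_WHITELIST = {"id", "username", "create_time"}


def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tz_user (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO tz_user VALUES (?, ?, ?)", ROWS)
    return con


def find_dollar(con, username, password):
    """${username}: the raw value is spliced into the SQL text, quotes included."""
    sql = f"SELECT id FROM tz_user WHERE username LIKE '%{username}%' AND password = ?"
    return [r[0] for r in con.execute(sql, (password,))]


def find_hash(con, username, password):
    """#{username}: the value travels as a bound parameter and is never parsed as SQL.
    The wildcards are added inside the statement (MySQL would use CONCAT)."""
    sql = ("SELECT id FROM tz_user "
           "WHERE username LIKE '%' || ? || '%' AND password = ?")
    return [r[0] for r in con.execute(sql, (username, password))]


def dollar_breaks(con, username, password):
    """True when the ${}-style query fails to parse for this input."""
    try:
        find_dollar(con, username, password)
        return False
    except sqlite3.OperationalError:
        return True


def find_ordered(con, order):
    """ORDER BY ${order}: a bound parameter would sort by a constant string
    (the post's order by "id" case), so the column name is validated instead."""
    if order not in ORDER_WHITELIST:
        raise ValueError(f"unsupported sort column: {order!r}")
    sql = f"SELECT username FROM tz_user ORDER BY {order}"
    return [r[0] for r in con.execute(sql)]
```

A username containing a quote character, such as o'brien, breaks the ${} statement but is matched correctly through #{}.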