Prepared-statement placeholders for conditional queries in MyBatis
In MyBatis, `#{}` marks a precompiled (prepared-statement) parameter and therefore prevents SQL injection; `${}` does the opposite: the value is pasted into the SQL text as-is.
```java
// Broken: #{name} sits inside a string literal, so no bind parameter is created
@Select("select * from emp where name like '%#{name}%' and gender = #{gender} and " +
        "entrydate between #{begin} and #{end} order by update_time desc")
public List<Emp> list(String name, Short gender, LocalDate begin, LocalDate end);
```
Writing `'%#{name}%'` as a precompiled parameter causes an SQL error: the `?` placeholder ends up inside the quoted string literal, so the prepared statement has no parameter to bind. The tempting fix is `'%${name}%'`, but `'%${name}%'` performs poorly and is unsafe, because it is open to SQL injection. In this case MySQL's concat() function can be used instead:
```sql
concat('%', #{name}, '%')
```
```java
// Conditional query: ${name} is string-substituted into the SQL and is injectable
@Select("select * from emp where name like '%${name}%' and gender = #{gender} and " +
        "entrydate between #{begin} and #{end} order by update_time desc")
public List<Emp> list(String name, Short gender, LocalDate begin, LocalDate end);
```
```java
// Fixed: concat() builds the pattern in the database, so #{name} stays a bound parameter
@Select("select * from emp where name like concat('%', #{name}, '%') and gender = #{gender} and " +
        "entrydate between #{begin} and #{end} order by update_time desc")
public List<Emp> list(String name, Short gender, LocalDate begin, LocalDate end);
```
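As an added example (not code from the original post), the vulnerable and the fixed mapper side by side in one interface, with comments on how MyBatis treats each placeholder. The `@Param` annotations, the `Emp` class and the extra `listByPattern` method with its `pattern` parameter are my additions; the last method generalizes the page's point by binding the whole LIKE pattern as a single parameter, which works on any database, not only MySQL.

```java
import java.time.LocalDate;
import java.util.List;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

@Mapper
public interface EmpMapper {

    // VULNERABLE: ${name} is spliced into the SQL text before it reaches the JDBC driver.
    // The value is never a bound parameter, so a quote in the input changes the query itself.
    @Select("select * from emp where name like '%${name}%' and gender = #{gender} and "
            + "entrydate between #{begin} and #{end} order by update_time desc")
    List<Emp> listUnsafe(@Param("name") String name, @Param("gender") Short gender,
                         @Param("begin") LocalDate begin, @Param("end") LocalDate end);

    // SAFE (the page's fix): every #{} becomes a JDBC '?' placeholder; concat() assembles
    // the pattern on the database side, so the user value is only ever data, never SQL.
    @Select("select * from emp where name like concat('%', #{name}, '%') and gender = #{gender} and "
            + "entrydate between #{begin} and #{end} order by update_time desc")
    List<Emp> list(@Param("name") String name, @Param("gender") Short gender,
                   @Param("begin") LocalDate begin, @Param("end") LocalDate end);

    // SAFE, database-independent alternative (my addition): build the pattern in Java and
    // bind the whole string as one parameter. Caller passes "%" + name + "%".
    @Select("select * from emp where name like #{pattern} and gender = #{gender} and "
            + "entrydate between #{begin} and #{end} order by update_time desc")
    List<Emp> listByPattern(@Param("pattern") String pattern, @Param("gender") Short gender,
                            @Param("begin") LocalDate begin, @Param("end") LocalDate end);
}
```

In the two safe variants the SQL sent to the server is identical for every input (the name travels separately as a bound value), which is also why they are the prepared-statement "precompiled" form the page refers to.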