2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains in detail how string substitution works in MyBatis XML mapping files.
String substitution in MyBatis XML mapping files
By default, using the #{} syntax causes MyBatis to create PreparedStatement parameter placeholders and set the parameters safely (just like using ?). This is safer, faster, and usually preferred, but sometimes you just want to insert an unescaped string directly into the SQL statement.
For example, for ORDER BY you can use it like this:
    ORDER BY ${columnName}
Here MyBatis does not modify or escape the string.
String substitution is useful when metadata in SQL statements, such as table or column names, is generated dynamically.
For example, if you want to select data from a table by any one of its columns, you don't need to write something like this:
    @Select("select * from user where id = #{id}")
    User findById(@Param("id") long id);

    @Select("select * from user where name = #{name}")
    User findByName(@Param("name") String name);

    @Select("select * from user where email = #{email}")
    User findByEmail(@Param("email") String email);

    // and more "findByXxx" methods
You can write only one method:
    @Select("select * from user where ${column} = #{value}")
    User findByColumn(@Param("column") String column, @Param("value") String value);
Here ${column} is substituted directly into the SQL text, while #{value} is bound as a ? prepared-statement parameter. So you can achieve the same result as above like this:
    // value is declared as String, so the id is passed as a string
    User userOfId1 = userMapper.findByColumn("id", "1");
    User userOfNameKid = userMapper.findByColumn("name", "kid");
    User userOfEmail = userMapper.findByColumn("email", "noone@nowhere.com");
The same idea applies when the table name is substituted.
Tip: it is not safe to accept user input and use it in the statement in this way. It can lead to SQL injection attacks, so either do not allow users to supply these fields, or escape and validate them yourself.
String substitution in MyBatis
By default, using the #{} syntax causes MyBatis to create a prepared-statement parameter and set the value safely against it (like ?). This is safe, fast, and the first choice!
Sometimes you just want to insert an unaltered string directly into the SQL statement. For example, for ORDER BY you can use it like this:
    ORDER BY ${column}
Here MyBatis does not modify or escape the string.
Important: it is not safe to accept input from the user and supply it to the statement as an unmodified string. This can lead to SQL injection attacks, so you should either not allow users to supply these fields, or escape and check them yourself!
Wrong way:
ORDER BY fupdated ${sort, jdbcType=VARCHAR}, fcreated ${sort, jdbcType=VARCHAR}
The correct way:
ORDER BY fupdated ${sort}, fcreated ${sort}
Prerequisite: validate sort before it reaches the statement, to prevent SQL injection attacks!
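One way to do the validation that the tip and the prerequisite above call for, as an added example that is not from the original article or from MyBatis: an allowlist that maps request values to fixed column names and sort directions before they are passed as ${column} or ${sort}. The class name, method names and sample inputs are assumptions; the column names are the ones used in the examples above.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public final class SubstitutionAllowlist {
    // Request value -> column name written into the SQL text. Column names come from
    // the examples above; list only columns callers may filter or sort on.
    private static final Map<String, String> COLUMNS = Map.of(
            "id", "id", "name", "name", "email", "email");
    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    /** Value that is safe to pass as ${column}; throws for anything not listed. */
    public static String column(String requested) {
        String column = requested == null ? null : COLUMNS.get(requested);
        if (column == null) {
            throw new IllegalArgumentException("column not allowed");
        }
        return column; // the constant from the map, never the caller's string
    }

    /** Value that is safe to pass as ${sort}; throws unless it is ASC or DESC. */
    public static String direction(String requested) {
        String dir = requested == null ? "" : requested.trim().toUpperCase(Locale.ROOT);
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("sort direction not allowed");
        }
        return dir;
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate requests and two that must be rejected.
        String[][] requests = {{"email", "desc"}, {"name", "ASC"},
                {"id OR 1=1", "asc"}, {"name", "desc, email"}};
        for (String[] r : requests) {
            try {
                // In a mapper call these results would be the ${column} / ${sort} arguments.
                System.out.println("accepted: " + column(r[0]) + " " + direction(r[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Values that are data rather than SQL structure (the #{value} side of findByColumn) still go through #{} and need no allowlist.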