2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article mainly introduces "what is the difference between # and $ in MyBatis". In daily work, many people have doubts about the difference between # and $ in MyBatis. The editor consulted all kinds of materials and sorted out a simple, easy-to-follow demonstration. I hope it helps answer the question "what is the difference between # and $ in MyBatis"! Next, please follow the editor and study it!
One: let's write a SQL statement using "#" and see whether it can be injected.

```sql
SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name like #{userName}
```

1. Passing a normal parameter

```java
DfwsSysUserAccount user = new DfwsSysUserAccount();
user.setUserName("wanglingzhi");
List<DfwsSysUserAccount> list = userAccountService.selectUser(user);
if (list != null && list.size() > 0) {
    for (DfwsSysUserAccount u : list) {
        System.out.println("user name:" + u.getUserName());
    }
} else {
    System.out.println("No data yet");
}
```
Sql printing:
Preparing: SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name =?
Parameters: wanglingzhi (String)
2. Passing a concatenated (injection-style) parameter

```java
DfwsSysUserAccount user = new DfwsSysUserAccount();
// The value contains quotes and an OR clause that would alter the query if spliced in as text
user.setUserName("'wanglingzhi' or acc.user_name = 'shuizhong'");
List<DfwsSysUserAccount> list = userAccountService.selectUser(user);
if (list != null && list.size() > 0) {
    for (DfwsSysUserAccount u : list) {
        System.out.println("user name:" + u.getUserName());
    }
} else {
    System.out.println("No data available");
}
```
Sql printing:
Preparing: SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name =?
Parameters: 'wanglingzhi' or acc.user_name = 'shuizhong'(String)
Two: let's write a SQL statement using "$" and see whether it can be injected.

```sql
SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name like ${userName}
```

1. Passing a normal parameter (note that the quotes must now be supplied by the caller, because ${} does not add them)

```java
DfwsSysUserAccount user = new DfwsSysUserAccount();
user.setUserName("'wanglingzhi'");
List<DfwsSysUserAccount> list = userAccountService.selectUser(user);
if (list != null && list.size() > 0) {
    for (DfwsSysUserAccount u : list) {
        System.out.println("user name:" + u.getUserName());
    }
} else {
    System.out.println("No data yet");
}
```
Print sql:
SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name = 'wanglingzhi'
2. Passing a concatenated (injection-style) parameter

```java
DfwsSysUserAccount user = new DfwsSysUserAccount();
// The same value as before; with ${} it is substituted into the SQL text verbatim
user.setUserName("'wanglingzhi' or acc.user_name = 'shuizhong'");
List<DfwsSysUserAccount> list = userAccountService.selectUser(user);
if (list != null && list.size() > 0) {
    for (DfwsSysUserAccount u : list) {
        System.out.println("user name:" + u.getUserName());
    }
} else {
    System.out.println("No data available");
}
```
Print sql:
SELECT acc.user_name FROM dfws_sys_user_account AS acc WHERE acc.user_name = 'wanglingzhi' or acc.user_name = 'shuizhong'
Clearly, the SQL has been injected here: the OR clause supplied in the parameter has become part of the executed statement.
To sum up, the difference between the two can generally be summarized as follows:
(1) # treats all incoming data as a string and automatically wraps the passed value in quotation marks. For example, with order by #user_id#, if the value passed in is 111, the SQL produced is order by "111"; if the value passed in is id, the SQL produced is order by "id".
(2) $ inserts the incoming data directly into the generated SQL. For example, with order by $user_id$, if the value passed in is 111, the SQL produced is order by 111; if the value passed in is id, the SQL produced is order by id.
(3) The # form prevents SQL injection to a large extent.
(4) The $ form cannot prevent SQL injection.
(5) The $ form is generally used to pass in database objects, such as table names.
(6) If you can use #, don't use $.
PS: also encountered when using MyBatis: statements written inside this symbol are not treated as strings but are placed directly into the SQL as statements, for example to execute a stored procedure.
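The summary above says to bind values with #{} and to reserve ${} for database objects such as table or column names. The following mapper is an added example, not code from the article: it keeps the article's table and column names but the mapper interface, the sort-column allow-list and the service class are assumptions, written to show how the one legitimate ${} use (an ORDER BY column, which cannot be a bound parameter) can be kept safe by validating the identifier before it is spliced into the SQL.

```java
import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added example (hypothetical class and mapper, not from the original article).
public class SafeSortingExample {

    public interface UserAccountMapper {
        // #{} is compiled to a JDBC '?' placeholder. The value travels as a bound
        // parameter, so a string such as "'x' or 1=1" is searched for literally
        // instead of changing the shape of the query.
        @Select("SELECT acc.user_name FROM dfws_sys_user_account AS acc "
              + "WHERE acc.user_name = #{userName}")
        List<String> findByUserName(@Param("userName") String userName);

        // ${} is textual substitution before the statement is prepared. A column
        // name cannot be passed as a bound parameter, so ${} is the only option
        // here, and the caller must validate it first.
        @Select("SELECT acc.user_name FROM dfws_sys_user_account AS acc "
              + "ORDER BY ${sortColumn}")
        List<String> findAllSortedBy(@Param("sortColumn") String sortColumn);
    }

    // Assumed allow-list: only columns known to exist may reach ${sortColumn}.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("user_name", "user_id");

    private final UserAccountMapper mapper;

    public SafeSortingExample(UserAccountMapper mapper) {
        this.mapper = mapper;
    }

    // Reject anything that is not an allow-listed identifier. Because the check is
    // an exact match against fixed names, quotes, spaces or keywords can never pass.
    static String checkedSortColumn(String requested) {
        if (requested == null || !SORTABLE_COLUMNS.contains(requested)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return requested;
    }

    public List<String> usersSortedBy(String requested) {
        return mapper.findAllSortedBy(checkedSortColumn(requested));
    }

    public List<String> usersNamed(String userName) {
        // No validation needed for the value: #{} binds it as a parameter.
        return mapper.findByUserName(userName);
    }
}
```

With this shape, the rule "if you can use #, don't use $" is enforced by construction: values always go through #{}, and the single ${} site accepts only names from a fixed set.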
At this point, the study of "what is the difference between # and $ in MyBatis" is over. I hope it has resolved your doubts. Combining theory with practice is the best way to learn, so go and try it! If you want to continue learning more related knowledge, please keep following the website; the editor will continue to work hard to bring you more practical articles!