mybatis学习$与#号取值区别

1,多个参数传递用map或实体封装后再传给myBatis,

 

 

mybatis学习$与#号取值区别

#{} 1.加了单引号,  2.#号写是可以防止sql注入,比较安全

select * from user where username=#{username} and password=#{password}  变成 ...where username=‘张三’ and password=‘123’

${}  2.没有加单引号  2.${}写法无法防止sql注入(模湖查询时用‘%${username}%’) 或用cancat ('%',${username},'%')

select * from user where username=${username} and password=${password}  变成 ...where username=张三 and password=123

 

posted @ 2018-08-18 23:01  A汉克先生  阅读(671)  评论(0编辑  收藏  举报