mybatis基础（2）

配置式使用mybatis，可以三步走：

• 读取配置文件，即mybatis-config.xml
• 通过配置文件来创建SqlSessionFactory
• 新建SqlSession来执行sql

mybatis 提供了注解和XML两种方式来连接接口方法和sql语句

如果单独使用mybatis ，那么mapper接口必须和.xml配置文件在同一个包中，但是如果使用spring等工具可以不必接收此限制

参数符号

若以#{}作为参数符号，MyBatis则会创建一个预处理语句（PreparedStatement）,它会被处理成 ？。如果你不希望使用预处理，那么可以使用${}参数符号，MyBatis 会以字符串的形式进行拼接

In MyBatis, #{} and ${} are two different syntaxes used in SQL statements, and they serve different purposes:

1. #{} (Parameter Substitution):

   • #{} is used for parameter substitution in prepared statements. It helps prevent SQL injection by automatically handling escaping and quoting of parameters.

   • MyBatis treats values placed inside #{} as bind parameters and automatically applies proper escaping and formatting based on the parameter type.

   • Example:

     xmlCopy code

     <!-- Using #{parameter} for parameter substitution --> SELECT * FROM users WHERE id = #{userId}

   • In Java code, you would then provide the actual value for userId when executing the SQL statement.

2. ${} (String Substitution):

   • ${} is used for string substitution in SQL statements. It directly replaces the variable or expression with its string representation.

   • Unlike #{}, ${} does not provide protection against SQL injection because it directly inserts the value into the SQL string without any formatting.

   • Example:

     xmlCopy code

     <!-- Using ${parameter} for string substitution --> SELECT * FROM users WHERE id = ${userId}

   • In this case, the value of userId will be directly inserted into the SQL string as a string.

Key Differences:

• Security:

  • #{} is more secure against SQL injection because it handles parameter formatting.
  • ${} is less secure since it directly inserts the string representation of the variable.

• Prepared Statements:

  • #{} is typically used in prepared statements, where MyBatis handles parameter formatting.
  • ${} is used for string interpolation and is suitable when you want to directly insert a string representation.

• Data Types:

  • #{} is aware of the data type of the parameter and applies appropriate formatting.
  • ${} does not consider the data type and directly inserts the string representation.

• Quoting and Escaping:

  • #{} automatically quotes and escapes values, making it suitable for most scenarios.
  • ${} does not quote or escape values, so it's important to ensure that values are properly formatted before using ${} to prevent SQL errors.

In general, it's recommended to use #{} for most cases, especially when dealing with user input or dynamic values, to prevent SQL injection. Use ${} when you need to directly substitute a string and are certain about the safety of the value being inserted.