Mybatis学习笔记16 - bind标签
1、${}拼串进行模糊查询,不安全
示例代码:
接口定义: package com.mybatis.dao; import com.mybatis.bean.Employee; import java.util.List; public interface EmployeeMapper { public List<Employee> getEmpsTestInnerParameter(Employee employee); } mapper定义: <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.mybatis.dao.EmployeeMapper"> <select id="getEmpsTestInnerParameter" resultType="com.mybatis.bean.Employee"> <if test="_databaseId=='mysql'"> select * from tbl_employee <if test="_parameter!=null"> <!--模糊查询,${}可以进行拼串,但是这种方式不安全--> where last_name like '%${lastName}%' </if> </if> <if test="_databaseId=='oracle'"> select * from employees <if test="_parameter!=null"> where last_name = #{_parameter.lastName} </if> </if> </select> </mapper> 测试代码: package com.mybatis.demo; import com.mybatis.bean.Department; import com.mybatis.bean.Employee; import com.mybatis.dao.EmployeeMapper; import org.apache.ibatis.io.Resources; import org.apache.ibatis.session.SqlSession; import org.apache.ibatis.session.SqlSessionFactory; import org.apache.ibatis.session.SqlSessionFactoryBuilder; import org.junit.Test; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.List; public class MyTest { public SqlSessionFactory getSqlSessionFactory() throws IOException { String resource = "mybatis-config.xml"; InputStream inputStream = Resources.getResourceAsStream(resource); return new SqlSessionFactoryBuilder().build(inputStream); } @Test public void test() throws IOException { SqlSessionFactory sqlSessionFactory = getSqlSessionFactory(); SqlSession openSession = sqlSessionFactory.openSession(true); try { EmployeeMapper mapper = openSession.getMapper(EmployeeMapper.class); Employee employee = new Employee("e"); List<Employee> list = mapper.getEmpsTestInnerParameter(employee); for (Employee emp : list) { System.out.println(emp); } } finally { openSession.close(); } } }
2、使用bind标签进行模糊查询
示例代码一:
接口定义: package com.mybatis.dao; import com.mybatis.bean.Employee; import java.util.List; public interface EmployeeMapper { public List<Employee> getEmpsTestInnerParameter(Employee employee); } mapper定义: <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.mybatis.dao.EmployeeMapper"> <select id="getEmpsTestInnerParameter" resultType="com.mybatis.bean.Employee"> <!-- bind:可以将OGNL表达式的值绑定到一个变量中,方便后来引用这个变量的值 --> <bind name="_lastName" value="'%'+lastName+'%'"/> <if test="_databaseId=='mysql'"> select * from tbl_employee <if test="_parameter!=null"> where last_name like #{_lastName} </if> </if> <if test="_databaseId=='oracle'"> select * from employees <if test="_parameter!=null"> where last_name = #{_parameter.lastName} </if> </if> </select> </mapper> 测试代码: package com.mybatis.demo; import com.mybatis.bean.Department; import com.mybatis.bean.Employee; import com.mybatis.dao.EmployeeMapper; import org.apache.ibatis.io.Resources; import org.apache.ibatis.session.SqlSession; import org.apache.ibatis.session.SqlSessionFactory; import org.apache.ibatis.session.SqlSessionFactoryBuilder; import org.junit.Test; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.List; public class MyTest { public SqlSessionFactory getSqlSessionFactory() throws IOException { String resource = "mybatis-config.xml"; InputStream inputStream = Resources.getResourceAsStream(resource); return new SqlSessionFactoryBuilder().build(inputStream); } @Test public void test() throws IOException { SqlSessionFactory sqlSessionFactory = getSqlSessionFactory(); SqlSession openSession = sqlSessionFactory.openSession(true); try { EmployeeMapper mapper = openSession.getMapper(EmployeeMapper.class); Employee employee = new Employee("e"); List<Employee> list = mapper.getEmpsTestInnerParameter(employee); for (Employee emp : list) { System.out.println(emp); } } finally { openSession.close(); } } }
示例代码二:
接口定义: package com.mybatis.dao; import com.mybatis.bean.Employee; import java.util.List; public interface EmployeeMapper { public List<Employee> getEmpsTestInnerParameter(Employee employee); } mapper定义: <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.mybatis.dao.EmployeeMapper"> <select id="getEmpsTestInnerParameter" resultType="com.mybatis.bean.Employee"> <!-- bind:可以将OGNL表达式的值绑定到一个变量中,方便后来引用这个变量的值 --> <!--_代表任意一个字符--> <bind name="_lastName" value="'_'+lastName+'%'"/> <if test="_databaseId=='mysql'"> select * from tbl_employee <if test="_parameter!=null"> where last_name like #{_lastName} </if> </if> <if test="_databaseId=='oracle'"> select * from employees <if test="_parameter!=null"> where last_name = #{_parameter.lastName} </if> </if> </select> </mapper> 测试代码: package com.mybatis.demo; import com.mybatis.bean.Department; import com.mybatis.bean.Employee; import com.mybatis.dao.EmployeeMapper; import org.apache.ibatis.io.Resources; import org.apache.ibatis.session.SqlSession; import org.apache.ibatis.session.SqlSessionFactory; import org.apache.ibatis.session.SqlSessionFactoryBuilder; import org.junit.Test; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.List; public class MyTest { public SqlSessionFactory getSqlSessionFactory() throws IOException { String resource = "mybatis-config.xml"; InputStream inputStream = Resources.getResourceAsStream(resource); return new SqlSessionFactoryBuilder().build(inputStream); } @Test public void test() throws IOException { SqlSessionFactory sqlSessionFactory = getSqlSessionFactory(); SqlSession openSession = sqlSessionFactory.openSession(true); try { EmployeeMapper mapper = openSession.getMapper(EmployeeMapper.class); Employee employee = new Employee("i"); List<Employee> list = mapper.getEmpsTestInnerParameter(employee); for (Employee emp : list) { System.out.println(emp); } } finally { openSession.close(); } } }