The difference between # and $ in MyBatis
Copyright notice: this article is the blogger's original work. Please respect other people's labour; when reposting, include a link to the original source together with this notice.
本文链接:https://www.91mszl.com/zhangwuji/article/details/1001
(A note on syntax: `#user_id#` / `$user_id$` is the old iBATIS form used in this post; MyBatis 3 writes the same two mechanisms as `#{user_id}` and `${user_id}`.)
1. `#` treats whatever is passed in as data. MyBatis replaces the placeholder with a `?` in a JDBC PreparedStatement and binds the value separately, which is what is loosely described as "wrapping the value in double quotes". For example, with `order by #user_id#`, a value of 111 resolves to the equivalent of `order by "111"`, and a value of `id` to `order by "id"`. In both cases the sort key is a constant, so the clause does not actually sort by the column.
2. `$` pastes the passed-in text directly into the SQL before it is parsed. With `order by $user_id$`, a value of 111 resolves to `order by 111`, and a value of `id` to `order by id`.
3. `#` prevents SQL injection to a very large degree, because a bound parameter value is never parsed as SQL.
4. `$` does nothing to prevent SQL injection; the value is simply concatenated into the statement text.
5. `$` is normally used for database objects that cannot be bound as parameters, such as a table or column name.
6. Use `#` wherever it works; fall back to `$` only when you must.
When MyBatis sorts with a dynamic ORDER BY parameter, use `$` rather than `#`, since a bound constant does not sort by the column. Because `$` is plain string concatenation, the value must first be checked against an allowlist of permitted column names (or mapped from a fixed set of options); never pass user input straight into `$`.
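The following is an added example, not code from the original post or from MyBatis itself. It emulates in Python (over sqlite3) what MyBatis does through JDBC: `#{}` becomes a `?` marker with the value bound separately, `${}` is pasted into the statement text. The `users` table, the `render` helper and the allowlist are all constructed for this illustration. It shows the three consequences the list above describes: a `#`-bound ORDER BY sorts by a constant, a `$` value in a WHERE clause or ORDER BY can be turned into an injection (including a blind ORDER BY oracle), and an allowlist makes the `$` ORDER BY safe.

```python
import re
import sqlite3

# Constructed sample data; not taken from the original post.
ROWS = [(1, "carol", 30), (2, "alice", 25), (3, "bob", 35)]

# Hypothetical allowlist of columns a caller may sort by.
ALLOWED_ORDER_COLUMNS = {"id", "name", "age"}

_PLACEHOLDER = re.compile(r"([#$])\{(\w+)\}")


def render(sql, params):
    """Emulate how MyBatis resolves its two placeholder styles.

    #{name} becomes a JDBC '?' marker and the value is bound separately
    (PreparedStatement semantics: the value is never parsed as SQL).
    ${name} has str(value) pasted into the statement text before parsing.
    Returns (statement_text, bound_values)."""
    bound = []

    def sub(match):
        kind, name = match.group(1), match.group(2)
        if kind == "#":
            bound.append(params[name])
            return "?"
        return str(params[name])

    return _PLACEHOLDER.sub(sub, sql), bound


def make_db():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def names(conn, sql, params):
    """Render the statement MyBatis-style and return the first column of each row."""
    text, bound = render(sql, params)
    return [row[0] for row in conn.execute(text, bound)]


def where_hash(conn, name):
    # '#' style: quotes inside the value are just bytes in a bound string.
    return names(conn, "SELECT name FROM users WHERE name = #{name}", {"name": name})


def where_dollar(conn, name):
    # '$' style: the value becomes part of the statement text.
    return names(conn, "SELECT name FROM users WHERE name = '${name}'", {"name": name})


def order_dollar(conn, col):
    # '$' in ORDER BY works for a column name, but also for any expression.
    return names(conn, "SELECT name FROM users ORDER BY ${col}", {"col": col})


def blind_order_probe(age_threshold):
    # Attacker-supplied ORDER BY expression: the row order answers the question
    # "is there exactly one user older than age_threshold?" (boolean-based blind).
    return ("(CASE WHEN (SELECT count(*) FROM users WHERE age > %d) = 1 "
            "THEN name ELSE age END)" % age_threshold)


def order_dollar_safe(conn, col):
    # Check the identifier against the allowlist first; only then is '$' safe.
    if col not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unknown sort column: %r" % col)
    return order_dollar(conn, col)


if __name__ == "__main__":
    db = make_db()
    # ORDER BY with '#' binds the column *name* as a string constant.
    print(render("SELECT name FROM users ORDER BY #{col}", {"col": "age"}))
    print(where_hash(db, "alice' OR 1=1 --"))    # bound value: no match
    print(where_dollar(db, "alice' OR 1=1 --"))  # concatenated: every row
    print(order_dollar(db, "age"))
    print(order_dollar(db, blind_order_probe(30)))
    print(order_dollar(db, blind_order_probe(40)))
    print(order_dollar_safe(db, "age"))
```

The blind probe is the reason "only use `$` for ORDER BY" is not enough on its own: the sort order leaks the result of an arbitrary subquery one bit at a time, so the column name has to be validated before it reaches `${}`.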
// Look up the customer's details in CRM through the contract-signing service,
// copy them into the order's input map, log the call, then update the work order.
ISignContract signSV = new UnifiedSignContractSVImpl();
Map custMap = null;
try {
    custMap = signSV.getCustInfo(account_type, account_code, upg_seq_cust);
    bank_cust_name = MapUtil.getString(custMap, "custName", 0);
    card_type = MapUtil.getString(custMap, "cardType", 0);
    card_id = MapUtil.getString(custMap, "cardNo", 0);
    region_id = MapUtil.getString(custMap, "regionId", 0);
    county_id = MapUtil.getString(custMap, "countyId", 0);
    inMap.put("BankCustName", bank_cust_name);
    inMap.put("CardType", card_type);
    inMap.put("CardId", card_id);
    inMap.put(Constant.PublicInfo.REGION_ID, region_id);
    inMap.put(Constant.PublicInfo.COUNTY_ID, county_id);
    pubInfo.put(Constant.PublicInfo.REGION_ID, region_id);
    pubInfo.put(Constant.PublicInfo.COUNTY_ID, county_id);
    // Record the CRM customer-info query in the business log.
    saveBusiLog(order_id, upg_seq_cust, Constant.BusiCode2Crm.QueryCustInfo, Constant.PlatForm.UPG.getCode(), Constant.PlatForm.CRM.getCode(), Constant.LogState.U,
        account_type, account_code, agreement_type, agreement_id, bank_card_no, null, null);
    // Update the work order's region and county information.
    changeOrder(order_id, null, null, null, null, inMap);
} catch (Exception e) {
    // Log the attempt, mark the payment order as failed, and rethrow to the caller.
    saveBusiLog(order_id, upg_seq_cust, Constant.BusiCode2Crm.QueryCustInfo, Constant.PlatForm.UPG.getCode(), Constant.PlatForm.CRM.getCode(), Constant.LogState.U,
        account_type, account_code, agreement_type, agreement_id, bank_card_no, null, null);
    // Message text: "Failed to query customer information from CRM".
    finishPayOrder(order_id, Constant.RECSTATE.E, "向CRM查询客户信息失败", e.getMessage(), null, Constant.LogState.E, upg_seq_finish, null, e);
    throw e;
}
2019-06-01 13:25:55 Views (982)