The difference between ${} and #{} in MyBatis

#{}

In short, with #{} MyBatis compiles the SQL with a placeholder (a JDBC PreparedStatement parameter) and sends the value to the database separately, so the value is only ever treated as data and cannot change the structure of the statement. This is what prevents SQL injection. The logged statement looks like:

select * from table where id = ?

${}

With ${}, on the other hand, the parameter text is substituted straight into the SQL string before it reaches the database, so nothing stops user input from altering the statement; ${} does not prevent SQL injection. The logged statement shows the actual value spliced in:

select * from table where id = 2

Here 2 is the real parameter value, already part of the SQL text.

SQL injection

For example, with this mapper statement:

    <select id="listUser001" resultType="SysUser">
        select * from sys_user where id = ${id}
    </select>

If the parameter passed in is 1 or 1=1, the generated SQL is

select * from sys_user where id = 1 or 1 = 1

and SQL injection has occurred: the where clause is now always true, so every row in sys_user is returned instead of the single row that was asked for. Because text passed through ${} becomes part of the statement itself, any value that is not fully trusted should be passed with #{}. ${} is only appropriate for things that cannot be bound as a parameter at all, such as a table or column name or a sort direction, and those should be checked against a fixed allow-list before they are spliced in.
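As an added example (not code from this page or from MyBatis itself), the following Python script reproduces both behaviours against an in-memory SQLite table named sys_user with three constructed rows: list_user_dollar mimics ${} by splicing the raw input into the SQL string, list_user_hash mimics #{} by binding a ? placeholder, and list_users_sorted shows the one legitimate ${}-style case, a sort column, guarded by an allow-list. The table contents, the function names and the allow-list are assumptions made for the demonstration; in MyBatis the placeholder handling is done by JDBC's PreparedStatement, which sqlite3's parameter binding stands in for here.

```python
import sqlite3

# Constructed sample data standing in for the page's sys_user table (assumption).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# Columns a caller is allowed to sort by; anything else is rejected (assumption).
ALLOWED_SORT_COLUMNS = {"id", "name"}


def _connect():
    """Create an in-memory SQLite database seeded with the constructed sys_user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sys_user (id integer primary key, name text)")
    conn.executemany("insert into sys_user values (?, ?)", ROWS)
    return conn


def list_user_dollar(user_input):
    """Mimic `select * from sys_user where id = ${id}`.

    The raw parameter text is concatenated into the SQL before it reaches the
    driver, so input such as "1 or 1=1" rewrites the where clause.
    Returns (sql_actually_executed, rows).
    """
    conn = _connect()
    sql = "select * from sys_user where id = " + str(user_input)
    rows = conn.execute(sql).fetchall()
    conn.close()
    return sql, rows


def list_user_hash(user_input):
    """Mimic `select * from sys_user where id = #{id}`.

    The SQL is sent with a `?` placeholder and the value is bound separately,
    so the value can only ever be compared against the id column; it cannot
    change the statement's structure. Returns (sql_actually_executed, rows).
    """
    conn = _connect()
    sql = "select * from sys_user where id = ?"
    rows = conn.execute(sql, (user_input,)).fetchall()
    conn.close()
    return sql, rows


def sort_column_allowed(column):
    """Allow-list check for identifiers, which cannot be bound as `?` parameters."""
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(column):
    """Where ${}-style splicing is genuinely needed (an ORDER BY column), validate
    the value against the fixed allow-list before it is placed into the SQL."""
    if not sort_column_allowed(column):
        raise ValueError("unexpected sort column: %r" % (column,))
    conn = _connect()
    sql = "select * from sys_user order by " + column
    rows = conn.execute(sql).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    attack = "1 or 1=1"
    sql, rows = list_user_dollar(attack)
    print("${} style:", sql, "->", len(rows), "rows")   # every row comes back
    sql, rows = list_user_hash(attack)
    print("#{} style:", sql, "->", len(rows), "rows")   # no row has that id
    print("allow-listed sort:", list_users_sorted("name"))
```

Run it and compare the two lines: the ${} version executes a statement whose where clause has become `id = 1 or 1=1` and returns all three users, while the #{} version executes the unchanged `id = ?` statement with the whole string as the bound value and matches nothing. The allow-list in list_users_sorted is the pattern to use on the rare occasions where an identifier really has to be spliced in.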
