When we use SqlMap in iBatis to run SQL queries, the SQL needs to reference parameters, and the two parameter markers # and $ differ: # is precompiled (a prepared-statement parameter) with type matching, while $ performs no data type matching at all.
Summarized as follows:
1. # treats the incoming data as a string: if #user_id_list# receives 1,2,3, the generated SQL is in ('1,2,3'), which is of course not what we want.
2. $ places the incoming data directly into the SQL: if $user_id_list$ receives 1,2,3, the generated SQL is in (1,2,3), which is right.
3. The # method can largely prevent SQL injection.
4. The $ method cannot prevent SQL injection.
5. The $ method is generally used for passing in database objects, for example a table name.
6. In general, use # wherever possible and avoid $.
Put intuitively:
#str# comes out as 'str'
$str$ comes out as str
Also, #...# can only be used in a few specific places, whereas $...$ can be used anywhere, for example order by $str$;
you can even write just $str$ and pass the whole string that follows order by in through str.
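To make the difference concrete, here is an added Python simulation (not iBatis code) that renders #name# as a driver-bound placeholder and $name$ as raw text substitution, runs both against an in-memory SQLite table, and adds the allow-list check that rule 5 implies for anything spliced in with $; the t_user table, its rows and the allow-list are assumptions constructed for this example.

```python
"""Simulates the iBatis-style #name# (bound parameter) and $name$ (raw text
substitution) markers against an in-memory SQLite table. Added example, not
iBatis code; the t_user table, its rows and the allow-list are constructed."""
import re
import sqlite3

ROWS = [(1, "ann"), (2, "bob"), (3, "cid"), (4, "dee")]  # constructed sample data
ALLOWED_RAW = {"user_id", "user_name"}  # identifiers that $...$ may splice in


def render(sql_map, params, allowed=None):
    """Return (sql, bound_args) for an iBatis-style statement.

    #name#  becomes a '?' placeholder; the driver binds the value, so
            '1,2,3' reaches the database as ONE string value.
    $name$  is pasted into the SQL text unchanged. When `allowed` is given,
            a value outside it is refused (the check behind "use $ only
            for database objects such as a table name").
    """
    args = []

    def bind(m):
        args.append(params[m.group(1)])
        return "?"

    def splice(m):
        value = str(params[m.group(1)])
        if allowed is not None and value not in allowed:
            raise ValueError(f"refusing raw substitution of {value!r}")
        return value

    sql = re.sub(r"#(\w+)#", bind, sql_map)
    sql = re.sub(r"\$(\w+)\$", splice, sql)
    return sql, args


def query(sql, args=()):
    """Run one statement on a fresh sample table; return the user_id column."""
    con = sqlite3.connect(":memory:")
    con.execute("create table t_user (user_id integer, user_name text)")
    con.executemany("insert into t_user values (?, ?)", ROWS)
    return [row[0] for row in con.execute(sql, args)]


def run(sql_map, params, allowed=None):
    """Render then execute, e.g. '... in (#ids#)' with ids='1,2,3' -> []."""
    return query(*render(sql_map, params, allowed))


def run_in_list(ids):
    """Bound alternative to $user_id_list$: one '?' per element, no raw text."""
    marks = ",".join("?" * len(ids))
    return query(f"select user_id from t_user where user_id in ({marks})", ids)
```

With # the in-list is bound as a single string and matches no row, with $ it is spliced in and matches rows 1, 2 and 3, and run_in_list gets the same rows while keeping every value bound.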