比如:
select * from emp where title like '%$title$%'
能查出结果,但是你懂得,有sql injection。
换这种:
select * from emp where title like '%' || #title# || '%'
日志打印出来的SQL是:
select * from emp where title like '%' || ? || '%'
在线等。。。 '%' ,LZ你不能查询出结果吗?
sqlid的参数类型,一般都是Map,或者String
<select id="getAddressPoolConfigCount" resultClass="Integer"
parameterClass="Map">
select count(*) from TMS_ADDRESS_POOL_CONFIG tapc, SYS_CITY
sc,SYS_PROVINCE sp where tapc.PROVINCE_ID = sp.PROVINCE_ID and
tapc.CITY_ID = sc.CITY_ID
<isNotEmpty prepend="AND" property="provinceId">
tapc.PROVINCE_ID like '%' select * from emp where title like '%$title$%'
能查出结果,但是你懂得,有sql injection。
ibatis不会有SQL注入 楼主写的就是对的 就这么用没问题的我就是用的select * from emp where title like '%' #provinceId# '%'
</isNotEmpty>
<isNotEmpty prepend="AND" property="cityId">
tapc.CITY_ID like '%' '%'
</isNotEmpty>
<isNotEmpty prepend="AND" property="configFlag">
tapc.CONFIG_FLAG like '%' #cityId# #configFlag# #title# '%'
</isNotEmpty>
</select>