1. When writing SQL statements, use #{} wherever it can be used and never ${}.
#{} is a bound parameter: MyBatis turns it into a JDBC ? placeholder and sends the value to the driver separately through a PreparedStatement, so the value is treated purely as data (for a string, as though it were a quoted literal) and can never change the structure of the statement. For example, select * from user where name = #{name} and pwd = #{pwd} is sent as select * from user where name = ? and pwd = ?, with the two values bound afterwards. ${} is plain text substitution: the parameter is spliced into the SQL string before it is sent to the database, so select * from user where name = '${name}' and pwd = '${pwd}' becomes select * from user where name = '<name>' and pwd = '<pwd>' with the raw values pasted in. When pwd is ' or '1'='1, #{} compares the whole string ' or '1'='1 against the password column and the query matches nothing, while ${} produces select * from user where name = '<name>' and pwd = '' or '1'='1', and the trailing or '1'='1' is always true, so every row is returned. If a ${} cannot be avoided (a table name or an ORDER BY column, which a placeholder cannot express), check the value against a whitelist of allowed names before it touches the SQL text.
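The difference described above, as an added example that is not code from the original post: Python's sqlite3 driver is used here as a stand-in for MyBatis, with the ? placeholder playing the role of #{} and an f-string playing the role of ${}. The user table, its rows and the login functions are constructed for the demo; the whitelisted ORDER BY helper shows the fallback for the case where substitution is unavoidable.

```python
import sqlite3

# Constructed sample data: a small in-memory table standing in for the
# page's `user` table. The names and passwords are made up for the demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_bound(conn, name, pwd):
    """Parameter binding, the counterpart of MyBatis #{}.

    The SQL text contains only `?` placeholders; the values travel to the
    driver separately, so `' or '1'='1` is compared as a literal password
    and can never alter the statement's structure."""
    sql = "SELECT name FROM user WHERE name = ? AND pwd = ?"
    return [row[0] for row in conn.execute(sql, (name, pwd))]

def spliced_sql(name, pwd):
    """Build the statement the way ${} does: raw text substitution."""
    return f"SELECT name FROM user WHERE name = '{name}' AND pwd = '{pwd}'"

def login_spliced(conn, name, pwd):
    """Deliberately vulnerable: executes the spliced statement as-is."""
    return [row[0] for row in conn.execute(spliced_sql(name, pwd))]

# When substitution is unavoidable (an ORDER BY column cannot be a bound
# parameter), whitelist the value before it reaches the SQL text.
ALLOWED_ORDER_COLUMNS = {"name", "pwd"}  # assumed policy for this demo

def list_users_ordered(conn, column):
    """Sort by a caller-chosen column, accepting only known column names."""
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"illegal sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM user ORDER BY {column}")]

if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("bound:  ", login_bound(db, "alice", payload))    # no rows
    print("spliced:", spliced_sql("alice", payload))
    print("spliced:", login_spliced(db, "alice", payload))  # every row
```

With the payload ' or '1'='1 as the password, login_bound returns nothing while login_spliced returns both users, because the spliced statement ends in pwd = '' or '1'='1' and the OR branch is always true. list_users_ordered rejects anything outside the whitelist instead of pasting it into the ORDER BY clause.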
2. Validate data in the front end and again in the controller
The front end checks parameter types, or validates the data sent to the backend with regular expressions, so that malformed input is caught early and the user gets immediate feedback.
The controller layer validates the incoming parameters independently. This server-side check is the real security boundary: a client can bypass the browser entirely and send any request body it likes (wrong types, missing fields, injection payloads), so the controller must not rely on the front-end checks having run. Validation narrows what reaches the SQL layer but does not replace #{}; a password, for instance, may legitimately contain quotes, and only parameter binding makes that safe.
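The controller-side check, as an added example in Python rather than the original post's Java controller: a validator for the login request body that runs regardless of what the browser did, rejecting wrong types (a raw request can send an array or null where the form would only ever send a string), missing fields, and usernames outside an allowed pattern. The username pattern and password length limit are assumed policies for the demo, and the request bodies in the usage block are constructed.

```python
import re

# Assumed policies for this demo, not taken from the original post.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
PWD_MAX_LEN = 64

def validate_login(params):
    """Server-side validation of a parsed request body (a dict).

    Returns a list of error messages; an empty list means the request is
    acceptable. Every check here is made even if the front end ran the same
    ones, because nothing forces a client to go through the browser form."""
    errors = []

    name = params.get("name")
    if not isinstance(name, str):
        # Type check: JSON clients can send lists, numbers or null here.
        errors.append("name: must be a string")
    elif not USERNAME_RE.fullmatch(name):
        # Pattern check: the same regex the front end would apply.
        errors.append("name: 3-32 letters, digits or underscores")

    pwd = params.get("pwd")
    if not isinstance(pwd, str):
        errors.append("pwd: must be a string")
    elif not 1 <= len(pwd) <= PWD_MAX_LEN:
        # Only a length bound: passwords may legitimately contain quotes,
        # so the SQL layer still has to bind this value, never splice it.
        errors.append(f"pwd: length must be 1..{PWD_MAX_LEN}")

    return errors

if __name__ == "__main__":
    # Constructed request bodies: one honest, one injection attempt,
    # one that a browser form could never produce.
    for body in ({"name": "alice", "pwd": "s3cret"},
                 {"name": "' or '1'='1", "pwd": "x"},
                 {"name": ["alice"], "pwd": None}):
        print(body, "->", validate_login(body) or "ok")
```

The injection payload fails the username pattern before any SQL is built, and the list-and-null body is rejected on type alone, which is exactly the case a front-end form check cannot see. The password is only length-limited; restricting its characters would lock out legitimate users without making splicing safe, which is why this validation sits in front of #{} rather than in place of it.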