原文链接:https://blog.csdn.net/pange1991/article/details/47810187
#{xxx},使用的是PreparedStatement,会有类型转换,所以比较安全;
${xxx},使用字符串拼接,可以SQL注入;
like查询不小心会有漏洞,正确写法如下:
Mysql:
[sql]
view plain
copy
- select * from t_user where name like concat('%', #{name}, '%')
Oracle:
[sql]
view plain
copy
- select * from t_user where name like '%' || #{name} || '%'
SQLServer:
[sql]
view plain
copy
- select * from t_user where name like '%' + #{name} + '%'