---------------------------------------------
In the SQL Map, the parameter is wrapped as follows:
SELECT
PER_ID as id,
PER_FIRST_NAME as firstName,
PER_LAST_NAME as lastName,
PER_BIRTH_DATE as birthDate,
PER_WEIGHT_KG as weightInKilograms,
PER_HEIGHT_M as heightInMeters
FROM
PERSON
WHERE
PER_FIRST_NAME LIKE '%$value$%'
---------------------------------------------
If the % wildcards are left out of the SQL above, adding them in the Java code instead gives the same result, i.e.:
SELECT
PER_ID as id,
PER_FIRST_NAME as firstName,
PER_LAST_NAME as lastName,
PER_BIRTH_DATE as birthDate,
PER_WEIGHT_KG as weightInKilograms,
PER_HEIGHT_M as heightInMeters
FROM
PERSON
WHERE
PER_FIRST_NAME LIKE '$value$'
In that case the parameter passed from the Java code takes the following form:
dao.findPersonByPartyName("%o%")
---------------------------------------------
Note: I personally think that a parameter written with "#" corresponds to a JDBC placeholder, whereas "$" looks more like merging the parameter and the wildcards directly into the generated SQL; it remains to be verified whether this "$" style could have a SQL injection problem?
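The difference between the two parameter styles, as an added illustration that is not part of the original note and does not use iBATIS itself: a Python/sqlite3 model of the same PERSON query, with an assumed constructed table, where find_dollar_style pastes the value into the SQL text the way "$value$" does and find_hash_style binds it through a "?" placeholder the way "#value#" does. It also shows the remaining caveat with LIKE: binding keeps input out of the SQL grammar, but % and _ inside the value still act as wildcards unless escaped.

```python
import sqlite3


def make_db():
    """Constructed in-memory PERSON table with the columns the SQL Map queries (assumed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PERSON (PER_ID INTEGER, PER_FIRST_NAME TEXT, PER_LAST_NAME TEXT)")
    con.executemany("INSERT INTO PERSON VALUES (?, ?, ?)",
                    [(1, "John", "Doe"), (2, "Bob", "Smith"), (3, "D'Arcy", "Wentworth")])
    return con


def find_dollar_style(con, value):
    """Analogue of  LIKE '%$value$%' : the text is spliced into the SQL before the SQL is parsed,
    so a quote or other SQL syntax inside the value becomes part of the statement."""
    sql = "SELECT PER_ID FROM PERSON WHERE PER_FIRST_NAME LIKE '%" + value + "%'"
    return [row[0] for row in con.execute(sql)]


def find_hash_style(con, value):
    """Analogue of  LIKE #value# : the SQL keeps a ? placeholder and the wildcards are added to the
    bound value, so the value is always treated as data ("%o%" from the Java side)."""
    sql = "SELECT PER_ID FROM PERSON WHERE PER_FIRST_NAME LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + value + "%",))]


def find_hash_style_escaped(con, value):
    """Same as find_hash_style, but %, _ and \\ inside the user value are escaped so they match literally
    instead of acting as LIKE wildcards."""
    escaped = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT PER_ID FROM PERSON WHERE PER_FIRST_NAME LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    con = make_db()
    print(find_hash_style(con, "o"))          # [1, 2]
    print(find_hash_style(con, "'"))          # [3]: the quote is searched for as data
    print(find_hash_style(con, "%"))          # [1, 2, 3]: a bare % still matches every row
    print(find_hash_style_escaped(con, "%"))  # []: escaped, the % is a literal character
    try:
        find_dollar_style(con, "'")
    except sqlite3.OperationalError as e:
        print("dollar style: the value was parsed as SQL ->", e)
```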