First, let's look at the incorrect case.
Set name to yuan and run a fuzzy (LIKE) query in the following two ways:
select * from smbms_role where roleName like '%${name}%'
select * from smbms_role where roleName like '%#{name}%'
Underneath, MyBatis substitutes '%${name}%' as plain text, so it resolves to
select * from smbms_role where roleName like '%yuan%'
whereas '%#{name}%' is turned into a prepared-statement placeholder, so it resolves to
select * from smbms_role where roleName like '%?%'
Here the ? sits inside a quoted string literal, so the JDBC driver treats it as an ordinary character rather than a parameter. When MyBatis then tries to bind the value for parameter 1, the driver reports that the statement has no parameters at all, and '%#{name}%' fails at runtime:
Error querying database.
Cause: org.apache.ibatis.type.TypeException: Could not set parameters for mapping: ParameterMapping{property='name', mode=IN, javaType=class java.lang.Object, jdbcType=null, numericScale=null, resultMapId='null', jdbcTypeName='null', expression='null'}.
Cause: org.apache.ibatis.type.TypeException: Error setting non null for parameter #1 with JdbcType null . Try setting a different JdbcType for this parameter or a different configuration property.
Cause: org.apache.ibatis.type.TypeException: Error setting non null for parameter #1 with JdbcType null . Try setting a different JdbcType for this parameter or a different configuration property.
Cause: java.sql.SQLException: Parameter index out of range (1 > number of parameters, which is 0).
As the trace shows, '%#{name}%' cannot run correctly.
${} does run, but it is plain string substitution, so it cannot prevent SQL injection: whatever the caller passes as name is pasted into the SQL text before the statement is parsed.
So in practice, build the wildcards inside SQL with the concat function and keep #{name} as a real bound parameter.
The correct usage is:
select * from smbms_role where roleName like concat('%',#{name},'%')
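To make the difference between the three forms visible, here is an added example that is not code from the original post. It uses Python's sqlite3 module (a prepared-statement API) as a stand-in for MyBatis over JDBC: string pasting plays the role of ${}, a bound ? plays the role of #{}. The smbms_role rows are constructed for the example, and SQLite spells concat as || (on MySQL the page's concat('%', ?, '%') is the same idea). The last function goes one step beyond the page: concat keeps the statement structure safe, but % and _ typed by the user are still LIKE wildcards, so it escapes them as well.

```python
import sqlite3

# Constructed sample data standing in for the smbms_role table on the page
# (assumption: these rows are made up for the example).
ROWS = [
    (1, "yuan_admin"),
    (2, "manager"),
    (3, "yuan_ops"),
]


def setup():
    """In-memory SQLite database with a smbms_role table (id, roleName)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table smbms_role (id integer primary key, roleName text)")
    conn.executemany("insert into smbms_role values (?, ?)", ROWS)
    return conn


def like_dollar(conn, name):
    """Analogue of like '%${name}%': the value is pasted into the SQL text before
    the statement is prepared, so the caller controls part of the query."""
    sql = "select id from smbms_role where roleName like '%" + name + "%' order by id"
    return [r[0] for r in conn.execute(sql)]


def like_hash_in_quotes(conn, name):
    """Analogue of like '%#{name}%': the ? ends up inside a string literal, so the
    driver sees a statement with zero parameters and binding parameter 1 fails.
    SQLite reports "Incorrect number of bindings supplied ... uses 0"; MySQL via
    JDBC reports "Parameter index out of range (1 > number of parameters, which is 0)".
    """
    sql = "select id from smbms_role where roleName like '%?%' order by id"
    try:
        return [r[0] for r in conn.execute(sql, (name,))]
    except sqlite3.ProgrammingError as e:
        return "bind error: " + str(e)


def like_concat(conn, name):
    """Analogue of like concat('%', #{name}, '%'): the wildcards are built in SQL
    around a genuine bound parameter, so the input can never change the statement."""
    sql = "select id from smbms_role where roleName like '%' || ? || '%' order by id"
    return [r[0] for r in conn.execute(sql, (name,))]


def like_concat_escaped(conn, name):
    """Same as like_concat, but % and _ supplied by the user are escaped so they
    match literally instead of acting as wildcards (extra hardening, not on the page)."""
    escaped = (name.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("select id from smbms_role "
           "where roleName like '%' || ? || '%' escape '\\' order by id")
    return [r[0] for r in conn.execute(sql, (escaped,))]


if __name__ == "__main__":
    conn = setup()
    print(like_dollar(conn, "yuan"))            # [1, 3]
    print(like_dollar(conn, "x' or 1=1 --"))    # [1, 2, 3]: injected OR clause
    print(like_hash_in_quotes(conn, "yuan"))    # bind error: ...
    print(like_concat(conn, "yuan"))            # [1, 3]
    print(like_concat(conn, "x' or 1=1 --"))    # []: payload treated as data
    print(like_concat(conn, "%"))               # [1, 2, 3]: user wildcard leaks through
    print(like_concat_escaped(conn, "%"))       # []: wildcard matched literally
```

The injection payload in like_dollar turns the statement into `... like '%x' or 1=1 --%'`, which returns every row; passed through a bound parameter the same string is just a pattern nothing matches. Whether you also escape % and _ depends on whether a caller is allowed to widen the search on purpose.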
This article is reposted from: https://blog.csdn.net/qq_34768753/article/details/82861994