#{}
占位符,进行sql预编译,会自动加上’ ’ ,因此可以防止sql注入
${}
拼接符,进行字符串拼接,不会自动加上’ ',因此会参数sql注入
实例
1.使用${}
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.g.dao.UserMapper">
...
<select id="getUserLikeName" resultType="User">
select * from mybatis.user where name like "%"${name}"%"
</select>
</mapper>
测试
public class UserMapperTest {
...
@Test
public void getUserLikeNameTest() {
SqlSession sqlSession = MybatisUtils.getSqlSessionFactory();
try {
UserMapper mapper = sqlSession.getMapper(UserMapper.class);
List<User> users = mapper.getUserLikeName("1 or 1=1");
for (User u : users) {
System.out.println(u);
}
} catch (Exception e) {
e.printStackTrace();
} finally {
sqlSession.close();
}
}
}
输出结果
User{id=1, name=‘张三’, pwd=‘123456’}
User{id=2, name=‘李四’, pwd=‘123456’}
User{id=3, name=‘王五’, pwd=‘123456’}
User{id=4, name=‘赵六’, pwd=‘111111’}进程完成,退出码 0
1.使用#{}
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.g.dao.UserMapper">
...
<select id="getUserLikeName" resultType="User">
select * from mybatis.user where name like "%"#{name}"%"
</select>
</mapper>
测试结果
进程完成,退出码 0
结论
- ${}无法防止Sql注入。
- #{}很大程度防止sql注入。
- 能用#{}尽量用。