Two methods of SQL splicing for MyBatis fuzzy query
Method 1:
In the SQL statement, use ${} instead of #{}.
#{} represents a placeholder. For example, in #{id}, id is the parameter to be input, and the parameter name is id. If the input parameter is a simple type, the parameter name in #{} can be arbitrary: it can be value or any other name.
${} means splicing the SQL string: the content of the received parameter is spliced into the SQL without any modification. For example, ${value} receives the content of the input parameter. If the incoming type is a simple type, only value can be used in ${}.
Note: Using ${} to splice SQL strings is a security risk and can easily lead to SQL injection, so excessive use is not recommended.
Method 2:
Use the CONCAT function in the SQL statement to splice the wildcards around the #{} placeholder. For example: SELECT * FROM User WHERE name LIKE CONCAT('%', #{name}, '%').
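The two methods side by side, as an added example in Python (not code from the original article, and not MyBatis itself): render() is a hypothetical, simplified model in which ${} is spliced into the SQL text and #{} becomes a driver-bound ? marker. The Method 1 statement, the sample rows and the quoted input are constructed, and SQLite stands in for MySQL.

```python
import re
import sqlite3

# Constructed statements: Method 1 (assumed form) and Method 2 (from the text).
SPLICED = "SELECT name FROM User WHERE name LIKE '%${value}%'"
BOUND = "SELECT name FROM User WHERE name LIKE CONCAT('%', #{name}, '%')"
# Constructed input containing a quote character.
QUOTED = "zzz%' OR '1' LIKE '1"


def render(statement, params):
    """Simplified model of the two substitution modes (hypothetical helper)."""
    bound = []

    def substitute(match):
        kind, key = match.group(1), match.group(2)
        if kind == "$":
            return str(params[key])  # pasted into the SQL text unmodified
        bound.append(params[key])    # handed to the driver as data
        return "?"

    # Single pass, so spliced text is never re-scanned for tokens.
    return re.sub(r"([$#])\{(\w+)\}", substitute, statement), bound


def run(statement, params):
    """Execute the rendered statement against a small constructed table."""
    conn = sqlite3.connect(":memory:")
    # SQLite before 3.44 has no CONCAT, so register one for the sample.
    conn.create_function("CONCAT", -1, lambda *parts: "".join(map(str, parts)))
    conn.execute("CREATE TABLE User (name TEXT)")
    conn.executemany("INSERT INTO User VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    sql, bound = render(statement, params)
    rows = sorted(row[0] for row in conn.execute(sql, bound))
    conn.close()
    return sql, rows


if __name__ == "__main__":
    for stmt, key in ((SPLICED, "value"), (BOUND, "name")):
        for text in ("ali", QUOTED):
            sql, rows = run(stmt, {key: text})
            print(sql, "->", rows)
```

With the spliced statement the quoted input becomes part of the WHERE clause and every row comes back; with the bound statement the same input is only a LIKE pattern and matches nothing.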