原 mybatis中的#和$的区别

版权声明：本文为博主原创文章，请尊重他人的劳动成果，转载请附上原文出处链接和本声明。
本文链接：https://www.91mszl.com/zhangwuji/article/details/1001

1. #将传入的数据都当成一个字符串，会对自动传入的数据加一个双引号。如：order by #user_id#，如果传入的值是111,那么解析成sql时的值为order by "111", 如果传入的值是id，则解析成的sql为order by "id".
　　
2. $将传入的数据直接显示生成在sql中。如：order by $user_id$，如果传入的值是111,那么解析成sql时的值为order by user_id, 如果传入的值是id，则解析成的sql为order by id.
　　
3. #方式能够很大程度防止sql注入。
　　
4.$方式无法防止Sql注入。

5.$方式一般用于传入数据库对象，例如传入表名.
　　
6.一般能用#的就别用$.


MyBatis排序时使用order by 动态参数时需要注意，用$而不是#



ISignContract signSV = new UnifiedSignContractSVImpl();
Map custMap = null;
try{
custMap = signSV.getCustInfo(account_type, account_code, upg_seq_cust);

bank_cust_name = MapUtil.getString(custMap, "custName", 0);
card_type = MapUtil.getString(custMap, "cardType", 0);
card_id = MapUtil.getString(custMap, "cardNo", 0);
region_id = MapUtil.getString(custMap, "regionId", 0);
county_id = MapUtil.getString(custMap, "countyId", 0);

inMap.put("BankCustName", bank_cust_name);
inMap.put("CardType", card_type);
inMap.put("CardId", card_id);
inMap.put(Constant.PublicInfo.REGION_ID, region_id);
inMap.put(Constant.PublicInfo.COUNTY_ID, county_id);
pubInfo.put(Constant.PublicInfo.REGION_ID, region_id);
pubInfo.put(Constant.PublicInfo.COUNTY_ID, county_id);

saveBusiLog(order_id, upg_seq_cust, Constant.BusiCode2Crm.QueryCustInfo, Constant.PlatForm.UPG.getCode(), Constant.PlatForm.CRM.getCode(), Constant.LogState.U,
account_type, account_code, agreement_type, agreement_id, bank_card_no, null, null);

//更新工单的地区、县市信息
changeOrder(order_id, null, null, null, null, inMap);

}catch(Exception e){
saveBusiLog(order_id, upg_seq_cust, Constant.BusiCode2Crm.QueryCustInfo, Constant.PlatForm.UPG.getCode(), Constant.PlatForm.CRM.getCode(), Constant.LogState.U,
account_type, account_code, agreement_type, agreement_id, bank_card_no, null, null);

finishPayOrder(order_id, Constant.RECSTATE.E, "向CRM查询客户信息失败", e.getMessage(), null, Constant.LogState.E, upg_seq_finish, null, e);

throw e;
}