iBATIS: Resolving SQL Injection (the difference between # and $)
In iBATIS, when we write SQL statements in a SqlMap we need to reference parameters, and two placeholder styles, # and $, are available for that. What is the difference between the two?
(1) #***#: pre-compiled. The statement is processed as a parameterized command, which effectively prevents SQL injection, and the value is type-matched. In fuzzy (LIKE) queries, use #...#.
(2) $***$: no data type matching; the value is simply spliced into the SQL text as a string. Generally used for parts of the statement that are not variable data, for example SELECT * FROM $tableName$ to run the same query against different tables.
Note for (1) and (2): *** stands for a property value, that is, a key in a map or a property of a model object.
For example:
The first scenario:
A: select * from Student where sName like '%' + $Name$ + '%'
B: select * from Student where sName like '%' + #Name# + '%'
In both statements A and B, Name is the data the user passes in. If the user enters "Wei", the SQL statements that actually execute after compilation are:
A: select * from Student where sName like '%' + Wei + '%' -- Wei is spliced in as bare text rather than a string literal, so this is not the query we want and does not return the expected result.
B: select * from Student where sName like '%Wei%' -- executes normally and returns the correct result.
The second scenario:
C: select Top $limit$ * from Student
D: select Top #limit# * from Student
If statements C and D need to query the first 10 records, the statements that execute are:
C: select Top 10 * from Student -- because $$ is simple string splicing, this executes normally and returns the correct result.
D: select Top '10' * from Student -- this obviously does not execute: TOP expects a literal count in the statement text, but #limit# passes the value as a bound parameter instead.
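To make the two substitution rules concrete, here is an added Python example (not code from the original post or from iBATIS itself) that mimics how #name# and $name$ are expanded and runs the LIKE scenario against an in-memory SQLite table. It assumes SQLite's || concatenation operator in place of the post's SQL Server +, and the Student rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample rows for the demo (not from the original post).
STUDENTS = ["Wei Zhang", "Li Wei", "Anna Smith"]

# #name# or $name$, as in the post's SqlMap examples.
PLACEHOLDER = re.compile(r"#(\w+)#|\$(\w+)\$")


def expand(template, params):
    """Expand an iBATIS-style template the way the post describes:
    #name# becomes a '?' bind marker and its value goes into the bind list
    (sent separately by the driver, so it can never alter the SQL text);
    $name$ is spliced into the SQL text verbatim, quoting and all.
    Returns (sql_text, bind_values)."""
    binds = []

    def substitute(match):
        hash_name, dollar_name = match.groups()
        if hash_name is not None:
            binds.append(params[hash_name])
            return "?"
        return str(params[dollar_name])

    return PLACEHOLDER.sub(substitute, template), binds


def run(template, params):
    """Execute the expanded statement against an in-memory SQLite table
    and return the matching names, or 'error: ...' when the spliced
    text is no longer valid SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Student (sName text)")
    conn.executemany("insert into Student values (?)", [(s,) for s in STUDENTS])
    sql, binds = expand(template, params)
    try:
        return [row[0] for row in conn.execute(sql, binds)]
    except sqlite3.Error as exc:
        return f"error: {exc}"
    finally:
        conn.close()


# The post's scenario 1, with SQLite's || in place of SQL Server's + concatenation.
STATEMENT_A = "select sName from Student where sName like '%' || $Name$ || '%'"
STATEMENT_B = "select sName from Student where sName like '%' || #Name# || '%'"
# run(STATEMENT_A, {"Name": "Wei"}) -> "error: no such column: Wei" (Wei spliced in bare)
# run(STATEMENT_B, {"Name": "Wei"}) -> ['Wei Zhang', 'Li Wei']   (Wei bound as data)
```

Calling expand() on the post's scenario 2 templates shows the same split: $limit$ yields "select Top 10 * from Student" with an empty bind list, while #limit# yields "select Top ? * from Student" with the value 10 in the bind list.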
iBATIS.NET Usage Summary (1): iBATIS and SQL Injection (the difference between # and $)