Mybatis3.4.6对#{}不再存在sql注入漏洞
@Select("<script>" +"SELECT * FROM GZ_USER " +
"where deleted = '0' and " +
"<if test='loginName != null' >"+
"user_name = #{loginName} " +
"</if>"+
"</script>")
User findByLoginName(@Param("loginName") String loginName);
测试:
结果:
老版本的myabtis对sql漏洞需要把#{}替换成${}, 新版本测试,发现不需要。记录下
页:
[1]
