Batis和MyBatis SQL映射文件编码规范.docxVIP

iBatis和MyBatis SQL映射文件编码规范XML注释注意事项使用!-- --注释，前后至少留出一个半角空格SQL XML映射文件中使用!-- --注释，其中注释内容不要紧挨着注释的起始标签和结束标签。注释内容距离起始标签和结束标签至少留出一个半角空格。!-- 获取学员信息 --selectid=getMemberInforesultClass=java.util.HashMapselect Uid, Memberid, FullName from Member with (nolock) where Memberid = #memberid:CHAR#/select避免注释出现在SQL语句中!-- 获取学员信息 --selectid=getMemberInforesultClass=java.util.HashMapselect Uid, Memberid, FullName!-- 这里不要出现注释 --from Member with (nolock) !-- 这里不要出现注释 --where Memberid = #memberid:CHAR# !-- 这里不要出现注释 --/select防止SQL注入变量引用的两种写法对于ibatis/MyBatis变量引用方式可以使用#和$两种写法，其中#写法会采用预编译方式，将转义交给了数据库，不会出现注入问题；如果采用$写法，则相当于拼接字符串，会出现注入问题。禁止使用 $ 写法，请使用 # 写法或者枚举形式代替。如下以iBatis为例说明$ 写法和 # 写法。$写法，存在SQL注入风险引起SQL注入问题的 $ 写法示例：!-- 0. SQL注入写法：存在安全隐患 --selectid=getByIdCwareresultClass=com.cdeledu.courseware.cwareList.domain.CwareSELECT cw.CwareID, cw.CwID, cw.CwareName, cw.InnerCwareIDFROM dbo.Cware AS cw WITH (NOLOCK)WHERE cw.CwareID = $cwareID$/select#写法，数据库预编译，防止SQL注入不会引起SQL注入问题的 # 写法示例：!-- 1. 预编译写法：防止SQL注入 --selectid=getByIdCwareresultClass=com.cdeledu.courseware.cwareList.domain.CwareSELECT cw.CwareID, cw.CwID, cw.CwareName, cw.InnerCwareIDFROM dbo.Cware AS cw WITH (NOLOCK)WHERE cw.CwareID = #cwareID#/selectLIKE 操作符$写法!-- 0. SQL注入写法：存在安全隐患 --selectid=like0resultClass=com.cdeledu.courseware.cwareList.domain.CwareparameterClass=java.util.MapSELECT cw.CwareID, cw.CwID, cw.CwareName, cw.InnerCwareIDFROM dbo.Cware AS cw WITH (NOLOCK)WHERE cw.CwareName like $cwareName$/select#写法!-- 1. 预编译写法：使用字符串连接符+号 --selectid=like1resultClass=com.cdeledu.courseware.cwareList.domain.CwareparameterClass=java.util.MapSELECT cw.CwareID, cw.CwID, cw.CwareName, cw.InnerCwareIDFROM dbo.Cware AS cw WITH (NOLOCK)WHERE cw.CwareName like % + #cwareName:VARCHAR# + %/select!-- 2. 预编译写法：在JAVA程序中预先拼接前后的%符号 --selectid=like2resultClass=com.cdeledu.courseware.cwareList.domain.CwareparameterClass=java.util.MapSELECT cw.CwareID, cw.CwID, cw.CwareName, cw.InnerCwareIDFROM dbo.Cware AS cw WITH (NOLOCK)WHERE cw.CwareName like #cwareName:VARC