一、单个参数:
public List<XXBean> findXXBeanList(String xxCode);
<select id="findXXXBeanList" parameterType="java.lang.String" resultType="XXBean">
select t.* from tableName t where t.id= #{id}
</select>
其中方法名和ID一致,#{}中的参数名与方法中的参数名一直, 我这里采用的是XXXBean是采用的短名字,
select 后的字段列表要和bean中的属性名一致, 如果不一致的可以用 as 来补充。
二、多参数:
public List<XXXBean> getXXXBeanList(String xxId, String xxCode); <select id="getXXXBeanList" resultType="XXBean">
select t.* from tableName where id = #{0} and name = #{1}
</select> 由于是多参数那么就不能使用parameterType, 改用#{index}是第几个就用第几个的索引,索引从0开始
三、Map封装多参数:
public List<XXXBean> getXXXBeanList(HashMap map); <select id="getXXXBeanList" parameterType="hashmap" resultType="XXBean">
select 字段... from XXX where id=#{xxId} code = #{xxCode}
</select> 其中hashmap是mybatis自己配置好的直接使用就行。map中key的名字是那个就在#{}使用那个,map如何封装就不用了我说了吧。 四、List封装in:
public List<XXXBean> getXXXBeanList(List<String> list); <select id="getXXXBeanList" resultType="XXBean">
select 字段... from XXX where id in
<foreach item="item" index="index" collection="list" open="(" separator="," close=")">
#{item}
</foreach>
</select>foreach 最后的效果是select 字段... from XXX where id in ('1','2','3','4') 五、多参数传递之注解方式示:
public AddrInfo getAddrInfo(@Param("corpId")int corpId, @Param("addrId")int addrId);<select id="getAddrInfo" resultMap="com.xxx.xxx.AddrInfo">
SELECT * FROM addr__info
where addr_id=#{addrId} and corp_id=#{corpId}
</select>以前在<select>语句中要带parameterType的,现在可以不要这样写。六、selectList()只能传递一个参数,但实际所需参数既要包含String类型,又要包含List类型时的处理方法:
List<String> list = new ArrayList<String>();
list.add("1");
list.add("2");
Map<String, Object> map = new HashMap<String, Object>();
map.put("list", list); //网址id
map.put("siteTag", "0");//网址类型public List<SysWeb> getSysInfo(Map<String, Object> map) {
return getSqlSession().selectList("sysweb.getSysInfo", map);
}<select id="getSysInfo" parameterType="java.util.Map" resultType="SysWeb">
select t.sysSiteId, t.siteName, t1.mzNum as siteTagNum, t1.mzName as siteTag, t.url, t.iconPath
from TD_WEB_SYSSITE t
left join TD_MZ_MZDY t1 on t1.mzNum = t.siteTag and t1.mzType = 10
WHERE t.siteTag = #{siteTag }
and t.sysSiteId not in
<foreach collection="list" item="item" index="index" open="(" close=")" separator=",">
#{item}
</foreach>
</select>知识点 - #{} 和 ${} 的区别:
1、#{}能防止sql注入,${}不能防止sql注入;
2、${}一般用来传入数据库对象,如:数据表名;
3、在使用order by 时使用${},因为传入参数为动态参数。
4、#{}表示一个占位符号,#{}接收输入参数,类型可以是简单类型,pojo、hashmap。 如果接收简单类型,#{}中可以写成value或其它名称。 #{}接收pojo对象值,通过OGNL读取对象中的属性值,通过属性.属性.属性...的方式获取对象属性值。
5、${}表示一个拼接符号,会引用sql注入,所以不建议使用${}。 ${}接收输入参数,类型可以是简单类型,pojo、hashmap。如果接收简单类型,${}中只能写成value。${}接收pojo对象值,通过OGNL读取对象中的属性值,通过属性.属性.属性...的方式获取对象属性值。
Mybatis官方说明:
String Substitution
By default, using the #{} syntax will cause MyBatis to generate PreparedStatement properties and set the values safely against the PreparedStatement parameters (e.g. ?). While this is safer, faster and almost always preferred, sometimes you just want to directly inject a string unmodified into the SQL Statement. For example, for ORDER BY, you might use something like this:
ORDER BY ${columnName}
Here MyBatis won't modify or escape the string.
NOTE It's not safe to accept input from a user and supply it to a statement unmodified in this way. This leads to potential SQL Injection attacks and therefore you should either disallow user input in these fields, or always perform your own escapes and checks.