Because iBATIS uses PreparedStatement for mapped statements, you have to use the $value$ syntax, or make your parameter value itself contain the % or _ characters. For example, let's say the SQL you want your database to end up executing is this:
select * from foo where value like 'x%'
You can do this:
select * from foo where value like #parm#
But if you do, it becomes this:
select * from foo where value like ?
To make that do what you want, you need to set parm to "x%", so that the bound parameter value itself carries the wildcard.
If you do not like that approach, you can do this instead:
select * from foo where value like '$parm$%'
That still uses a PreparedStatement, but $parm$ is inserted into the SQL text as a literal instead of being bound as a parameter. So, to get the same results as before, you would set parm to "x". Note that this can be vulnerable to SQL injection attacks, so make sure that all single quotes in parm are escaped.
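The two approaches above, side by side, as an added example that is not part of the original page or of iBATIS itself. It uses Python's sqlite3 module as a stand-in for iBATIS: a bound `?` placeholder plays the role of `#parm#`, and string splicing with single quotes doubled plays the role of `'$parm$%'`. The table `foo`, its sample rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the page's "foo" table.
SAMPLE_ROWS = ["xray", "xylophone", "yak", "o'x"]


def make_db():
    """Build an in-memory SQLite database with a foo(value) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (value text)")
    conn.executemany("insert into foo (value) values (?)",
                     [(v,) for v in SAMPLE_ROWS])
    return conn


def like_with_bound_param(conn, parm):
    """Mirror of iBATIS '#parm#': the value is bound to a '?' placeholder.

    The database receives the statement text and the value separately, so a
    wildcard must be part of the value ("x%") to match prefixes. A single
    quote inside parm is plain data here and cannot alter the statement.
    """
    rows = conn.execute("select value from foo where value like ?",
                        (parm,)).fetchall()
    return sorted(r[0] for r in rows)


def escape_single_quotes(s):
    """SQL string-literal escaping: double every single quote."""
    return s.replace("'", "''")


def build_literal_like_sql(parm):
    """Mirror of iBATIS '$parm$%': parm is spliced into the SQL text as a literal.

    The trailing % lives in the statement, so parm is "x" rather than "x%".
    Because parm becomes part of the SQL text, its single quotes are escaped
    first, as the page advises. Any % or _ inside parm would still act as
    LIKE wildcards, since they end up in the statement text too.
    """
    return ("select value from foo where value like '%s%%'"
            % escape_single_quotes(parm))


def like_with_literal(conn, parm):
    """Run the literal-spliced form of the query and return matching values."""
    rows = conn.execute(build_literal_like_sql(parm)).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    conn = make_db()
    print("bound 'x'   ->", like_with_bound_param(conn, "x"))
    print("bound 'x%'  ->", like_with_bound_param(conn, "x%"))
    print("literal 'x' ->", like_with_literal(conn, "x"))
    print("literal SQL for o' ->", build_literal_like_sql("o'"))
```

With the bound form, "x" alone matches nothing (there is no row whose whole value is "x"), while "x%" matches the rows starting with x; with the literal form, "x" is enough because the wildcard is already in the statement, and a parameter containing a single quote still produces a well-formed statement only because the quote was doubled before splicing.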