Some of the steps involved in preventing SQL injection: 1. MyBatis parses the `#` tokens in the mapper's SQL --> 2. the JDBC driver pre-compiles the statement and talks to the database --> 3. the JDBC driver binds the parameter values and talks to the database.

1. How MyBatis parses `#`, and the placeholder '?'

First the `$` token. Its handler (TextSqlNode.BindingTokenParser in MyBatis 3) evaluates the token content as an OGNL expression against the bound parameters and returns the result as plain text, which is then spliced straight into the SQL:

    public String handleToken(String content) {
        Object parameter = context.getBindings().get("_parameter");
        if (parameter == null) {
            context.getBindings().put("value", null);
        } else if (SimpleTypeRegistry.isSimpleType(parameter.getClass())) {
            context.getBindings().put("value", parameter);
        }
        Object value = OgnlCache.getValue(content, context.getBindings());
        return (value == null ? "" : String.valueOf(value)); // issue #274 return "" instead of "null"
    }

Now the `#` token. Its handler (SqlSourceBuilder.ParameterMappingTokenHandler) never touches the value at all: it records a ParameterMapping for later binding and substitutes a JDBC placeholder:

    public String handleToken(String content) {
        parameterMappings.add(buildParameterMapping(content));
        return "?"; // the # token is replaced by a ? placeholder
    }

This is the whole difference. With `${}` the parameter value becomes part of the SQL text before the statement is compiled, so a value containing a quote or a comment sequence changes the structure of the statement. With `#{}` the SQL that reaches the driver contains only `?`, and the value is supplied separately through PreparedStatement.setXxx, where it can only ever be data.

2. How PreparedStatement handles the parameters it is given

What happens to the value when it is bound is not MyBatis's job; it depends on the JDBC driver underneath it. Here is the logic of com.mysql.jdbc.PreparedStatement.setString in MySQL Connector/J. This is the client-side prepared statement (the default, since useServerPrepStmts is false unless configured otherwise), so the driver itself quotes and escapes the value before the statement text is sent to the server:

    public synchronized void setString(int parameterIndex, String x) throws SQLException {
        if (x == null) {
            this.setNull(parameterIndex, 1); // 1 == java.sql.Types.CHAR
        } else {
            this.checkClosed();
            int stringLength = x.length();
            StringBuffer buf;
            // decide whether the value needs escaping
            if (this.connection.isNoBackslashEscapesSet()) {
                boolean needsHexEscape = this.isEscapeNeededForString(x, stringLength);
                byte[] parameterAsBytes;
                if (!needsHexEscape) {
                    parameterAsBytes = null;
                    buf = new StringBuffer(x.length() + 2);
                    // wrap the parameter in single quotes
                    buf.append('\'');
                    buf.append(x);
                    buf.append('\'');
                    ............
            String parameterAsString = x;
            boolean needsQuoted = true;
            if (this.isLoadDataQuery || this.isEscapeNeededForString(x, stringLength)) {
                // escaping is required
                needsQuoted = false;
                buf = new StringBuffer((int) ((double) x.length() * 1.1D));
                buf.append('\''); // opening single quote
                for (int i = 0; i
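The listing above stops at the start of the escaping loop. The following is an added example, not MyBatis or Connector/J source: a self-contained model of the two token handlers (a simplified GenericTokenParser with a `${}` handler that interpolates and a `#{}` handler that emits `?`), plus a simplified version of the client-side quoting Connector/J applies to a bound String. The class name MyBatisTokenDemo, the helper names, and the attacker input are all constructed for this illustration; the quoting routine escapes `"` unconditionally, whereas the real driver does so only in ANSI mode.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/**
 * Added example (not MyBatis or Connector/J code): models how MyBatis turns
 * "${...}" into inline text and "#{...}" into a "?" placeholder, and how a
 * client-side prepared statement quotes a String when it is finally bound.
 */
public class MyBatisTokenDemo {

    /** Mirrors MyBatis's TokenHandler: called once per token between open/close. */
    interface TokenHandler {
        String handleToken(String content);
    }

    /** Simplified GenericTokenParser: replaces every openToken...closeToken with the handler's output. */
    static String parse(String text, String openToken, String closeToken, TokenHandler handler) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (true) {
            int start = text.indexOf(openToken, pos);
            if (start < 0) {                       // no more tokens: copy the tail
                out.append(text, pos, text.length());
                return out.toString();
            }
            int end = text.indexOf(closeToken, start + openToken.length());
            if (end < 0) {                         // unterminated token: copy as-is
                out.append(text, pos, text.length());
                return out.toString();
            }
            out.append(text, pos, start);
            String content = text.substring(start + openToken.length(), end).trim();
            out.append(handler.handleToken(content));
            pos = end + closeToken.length();
        }
    }

    /** "${}" handler: the raw parameter value is substituted into the SQL text, unquoted. */
    static String interpolate(String sql, Map<String, Object> params) {
        return parse(sql, "${", "}", content -> {
            Object value = params.get(content);
            return value == null ? "" : String.valueOf(value); // same null -> "" rule as MyBatis
        });
    }

    /** "#{}" handler: records the parameter name and emits a "?"; the value never enters the SQL. */
    static String prepare(String sql, List<String> mappings) {
        return parse(sql, "#{", "}", content -> {
            mappings.add(content);
            return "?";
        });
    }

    /** Connector/J-style quoting of a bound String (backslash escapes enabled, simplified). */
    static String quoteForMysql(String x) {
        StringBuilder buf = new StringBuilder((int) (x.length() * 1.1) + 2);
        buf.append('\'');
        for (int i = 0; i < x.length(); i++) {
            char c = x.charAt(i);
            switch (c) {
                case 0:      buf.append("\\0");  break;
                case '\n':   buf.append("\\n");  break;
                case '\r':   buf.append("\\r");  break;
                case '\\':   buf.append("\\\\"); break;
                case '\'':   buf.append("\\'");  break;
                case '"':    buf.append("\\\""); break; // assumption: always escaped here
                case '\032': buf.append("\\Z");  break;
                default:     buf.append(c);
            }
        }
        buf.append('\'');
        return buf.toString();
    }

    public static void main(String[] args) {
        String payload = "x' OR '1'='1";           // constructed attacker input
        Map<String, Object> params = Map.of("name", payload);

        // ${}: the quote in the payload closes the literal and the tautology becomes SQL
        System.out.println(interpolate("SELECT * FROM users WHERE name = '${name}'", params));

        // #{}: the SQL handed to the driver for preparation contains only a placeholder
        List<String> mappings = new ArrayList<>();
        System.out.println(prepare("SELECT * FROM users WHERE name = #{name}", mappings)
                + "   mappings=" + mappings);

        // Binding the value afterwards: the embedded quotes are escaped, so the value stays data
        System.out.println(quoteForMysql(payload));
    }
}
```

Run it and compare the first and third lines of output: the interpolated statement has been rewritten by the input, while the quoted value is a single string literal. Where `${}` is unavoidable (table or column names, an ORDER BY direction), which a `?` placeholder cannot express, the value must be checked against an allow-list before it reaches the mapper, because nothing downstream will quote it.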
