Anurag Ambuj
Reputation: 121
Dynamic column name compared with value in where clause using MyBatis
Is it possible to use something like
SEARCH_QUERY = "select * from info where #{columnName}=\"#{columnValue}\"";
using MyBatis 3 ?
The columnName needs to be dynamic.
Thanks!
Upvotes: 0
Views: 1063
Answers (1)
Roman-Stop RU aggression in UA
Reputation: 15861
When you use syntax like #columnValue mybatis will create prepared statement and will bind the variable for you. This has several consequences:
- you don't need to put quotes around
#columnValue - you don't need to escape values passed
#can only be used where the parameter in JDBC query is allowed. So you can't use it to generate dynamic column name
If you want to generate dynamic query use $columnName instead. The complete query would look like:
select * from info where ${columnName}=#{columnValue}
Important thing to remember is that ${columnName} is put to query verbatim very much like string concatenation if you would use JDBC directly so it is vulnerable to the SQL injection if columnName is something provided by user.
Upvotes: 4
Related Questions
- MyBatis - how to create w dynamic WHERE Clause
- can Mybatis support mapping the dynamic columns to an map field of a bean?
- Dynamic column name in WHERE clause using MyBatis
- How to dynamically select a resultMap based on the value of a column in MyBatis
- MyBatis: compare String value using dynamic query
- How to map two variables from SQL Query - MyBatis
- mybatis mapper search across multiple columns using same param
- How to map query for iBATIS with parameterized column in select clause?
- How to pass dynamic fields and values using mybatis 3
- Dynamic Select SQL statements with MyBatis