```xml
<!-- Example mapper method (types assumed):
     List<GoodsOperationRecordPO> getByIds(@Param("opIds") List<Long> opIds,
                                           @Param("pageSize") int pageSize,
                                           @Param("offset") int offset);
     With several @Param arguments MyBatis passes a map, not a list, so
     parameterType is omitted here rather than set to "list". -->
<select id="getByIds" resultType="GoodsOperationRecordPO">
SELECT * FROM tb_goods_operation WHERE id in
<!-- one bound ? per element; an empty opIds yields "in ()", a SQL syntax
     error, so callers must guard against an empty list -->
<foreach item="item" index="index" collection="opIds" open="(" separator="," close=")">
#{item}
</foreach>
ORDER BY id DESC LIMIT #{pageSize} OFFSET #{offset}
</select>
```
These three tags (choose, when, otherwise) work like a Java switch statement: they are equivalent to switch / case / default and are used when exactly one of several branches should be taken.
The where tag is for several optional conditions, of which all, some, or none may apply. This combination has one advantage over the switch-style combination above: it automatically removes a leading `and` keyword. For example:
```
```
Even though the first `<if>` begins with `and`, the `<where>` tag strips the `and` in front of the first condition whenever the generated content starts with one (the same applies to `or`), because it knows how to. The choose combination does not, so it usually needs a query condition without `and` placed in front of it, like this:
```
```
### The difference between #{} and ${}
Quoting an answer from Stack Overflow:
> By default, using the #{} syntax will cause MyBatis to generate PreparedStatement properties and set the values safely against the PreparedStatement parameters (e.g. ?). While this is safer, faster and almost always preferred, sometimes you just want to directly inject a string unmodified into the SQL Statement. For example, for ORDER BY, you might use something like this:
> ORDER BY ${columnName}
> Here MyBatis won't modify or escape the string.
> NOTE It's not safe to accept input from a user and supply it to a statement unmodified in this way. This leads to potential SQL Injection attacks and therefore you should either disallow user input in these fields, or always perform your own escapes and checks.
Put plainly, #{} gives the same effect as a Java PreparedStatement: the value is sent as a bound parameter, which is faster and safer. Sometimes, however, you need to insert a string directly, with no placeholder or preprocessing, for example a column name in ORDER BY, where a bound parameter would only be a string constant and would not sort anything. That is what ${} is for, and it carries a risk of SQL injection: a value placed in ${} must be checked against an allowlist (such as the set of sortable column names) or come from code, never from unchecked user input.
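The following is an added example, not code from the original post or from MyBatis. It uses Python's sqlite3 as a stand-in for a JDBC PreparedStatement to reproduce the three points above: the `<foreach>` fragment as one bound `?` per id (with the empty-list case guarded), a `#{}`-style bound parameter versus a `${}`-style pasted string under an injection payload, and an allowlisted column name for ORDER BY, where a bound parameter cannot be used. The table, rows and column names are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for tb_goods_operation.
ROWS = [(1, "alice", "create"), (2, "bob", "update"), (3, "alice", "delete")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_goods_operation (id INTEGER, operator TEXT, action TEXT)")
    conn.executemany("INSERT INTO tb_goods_operation VALUES (?, ?, ?)", ROWS)
    return conn


def get_by_ids(conn, op_ids, page_size: int, offset: int):
    # Equivalent of the <foreach> fragment: one ? per id, every value bound,
    # LIMIT/OFFSET bound as well. An empty list would produce "IN ()", which is
    # a syntax error, so it is short-circuited here (MyBatis does not do this).
    if not op_ids:
        return []
    placeholders = ",".join("?" * len(op_ids))
    sql = (f"SELECT id FROM tb_goods_operation WHERE id IN ({placeholders}) "
           "ORDER BY id DESC LIMIT ? OFFSET ?")
    return [r[0] for r in conn.execute(sql, (*op_ids, page_size, offset))]


def find_by_operator_dollar(conn, operator: str):
    # Mimics  WHERE operator = '${operator}' : the text is pasted into the SQL,
    # so a value like  ' OR '1'='1  rewrites the query.
    sql = f"SELECT id FROM tb_goods_operation WHERE operator = '{operator}'"
    return [r[0] for r in conn.execute(sql)]


def find_by_operator_hash(conn, operator: str):
    # Mimics  WHERE operator = #{operator} : the value travels as a bound
    # parameter and is compared literally, quotes and all.
    sql = "SELECT id FROM tb_goods_operation WHERE operator = ?"
    return [r[0] for r in conn.execute(sql, (operator,))]


# Allowlist for the one place ${} is legitimately needed: identifiers.
ALLOWED_SORT_COLUMNS = frozenset({"id", "operator", "action"})


def is_allowed_sort_column(column_name: str) -> bool:
    return column_name in ALLOWED_SORT_COLUMNS


def find_all_sorted(conn, column_name: str, descending: bool = False):
    # ORDER BY ? would sort by a constant string, so the column name has to be
    # spliced in as text (the ${columnName} case). Only allowlisted names pass.
    if not is_allowed_sort_column(column_name):
        raise ValueError(f"unsupported sort column: {column_name!r}")
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id FROM tb_goods_operation ORDER BY {column_name} {direction}"
    return [r[0] for r in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("${} style:", find_by_operator_dollar(db, payload))  # every row
    print("#{} style:", find_by_operator_hash(db, payload))    # no rows
    print("sorted:", find_all_sorted(db, "action"))
    print("page:", get_by_ids(db, [1, 2, 3], 2, 1))
```

The same payload returns every row through the pasted-string query and nothing through the bound-parameter query; that is the whole difference between `${}` and `#{}`. For ORDER BY the fix is not escaping but a closed set of acceptable identifiers, rejected before the string ever reaches the SQL.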
### References
- [Dynamic SQL](http://www.mybatis.org/mybatis-3/dynamic-sql.html)
- [mybatis multiple parameters: list and String](https://blog.csdn.net/u010913106/article/details/50538379)
- [When to use $ vs #?](https://stackoverflow.com/questions/39954300/when-to-use-vs)