MyBatis 3 - get SQL string from mapper

java sql mybatis
Lof picture Lof · Oct 18, 2015 · Viewed 17.3k times · Source

I'd like to use MyBatis3 only to produce SQL string (using the xml mapping) but the SQL i obtain is not valid.

Example, I obtain the sql string:

SELECT * FROM USER WHERE NAME = john

In this sql isn't present the ' char sorrounding the string value john

in mybatis.xml:

...
    <mappers>
        <mapper resource="sql1.xml"/>
    </mappers>
...

sql1.xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">

   <mapper namespace="sql1">
       <select id="select1" parameterType="map" resultType="String" >
           SELECT * FROM USERS
           WHERE 
           name LIKE ${name} AND num = ${number}
       </select>
   </mapper>

in MyBatisSql.java:

SqlSessionFactory sessionFactory = ConnectionFactory.getSqlSessionFactory();
Configuration configuration = sessionFactory.getConfiguration();

Map pars = new HashMap<String, Object>();
pars.put("name", "john");    
pars.put("number", 1345);

MappedStatement ms = configuration.getMappedStatement("sql1.select1);   
BoundSql boundSql = ms.getBoundSql(params);
String sql = boundSql.getSql();
System.out.println(sql);

the result is

SELECT * FROM USERS
WHERE 
name LIKE john AND num = 12345

in this SQL, the string john, isn't enclosed by the ' char so it's not a valid SQL (my purpose is only to produce valid SQL string using myBatis). I'd like to have:

SELECT * FROM USERS
WHERE 
name LIKE 'john' AND num = 12345

thanks

Answer

vahapt picture vahapt · Oct 18, 2015

You should use #{name} instead of ${name}.

The sample below will generate a valid SQL

<mapper namespace="sql1">
    <select id="select1" parameterType="map" resultType="String" >
        SELECT * FROM USERS
        WHERE 
        name LIKE #{name} AND num = #{number}
    </select>
</mapper>

MyBatis directly copies and pastes the string parameter if you use $ character. On the other hand it uses parameter binding if you use # character.

You should then execute your sql using selectMap, selectList or selectOne,

List<String> resultSet = sessionFactory.openSession().selectList("sql1.select1", pars);

This call will automatically bind the parameters to the statement and execute it.

WARNING:

<select id="select1" parameterType="map" resultType="String" >
    SELECT * FROM USERS
        WHERE 
        name LIKE #{name} AND num = #{number}
</select>

might fail to execute since MyBatis cannot map multiple columns (SELECT *) to a single string (resultType="String") two possible corrections to the query is shown below:

<!--Solution One-->
<select id="select1" parameterType="map" resultType="String" >
    SELECT name FROM USERS
        WHERE 
        name LIKE #{name} AND num = #{number}
</select>

<!--Solution Two-->
<select id="select1" parameterType="map" resultType="java.util.LinkedHashMap" >
    SELECT * FROM USERS
        WHERE 
        name LIKE #{name} AND num = #{number}
</select>

For solution two you should execute mybatis query using the java code below:

List<Map<?, ?>> resultSet = sessionFactory.openSession().selectList("sql1.select1", pars);

Details of Why getBoundSql Returns a Query with ?:

Parameter binding is done at driver level so you will not get an sql string like this

SELECT * FROM USERS
WHERE 
name LIKE 'john' AND num = 12345

Instead you'll get sql query template which is ready for parameter binding,

SELECT * FROM USERS
    WHERE 
    name LIKE ? AND num = ?

Adding parameters into sql string allows sql injection. Safe way is to use parameter binding method provided with SQL Driver and MyBatis always uses parameter binding.

Suppose that you manually created your sql command as string, and suppose that I'm a malicius user trying to access your data. I can write 

john' or ''='

So this will generate the sql command below:

SELECT * FROM USERS
WHERE 
name LIKE 'john' or ''='' AND num = 12345

Additional Benefits of Parameter Binding

The second benefit of parameter binding is that it allows prepared statements. Suppose that you need to execute same sql 1000 times with different parameters.

If you generate sql strings with parameters bound,

SELECT * FROM USERS WHERE name LIKE 'john' AND num = 12345;
SELECT * FROM USERS WHERE name LIKE 'foo' AND num = 67890;

database server will need to parse each sql command one by one and then execute them.

With parameterized sql queries, 

SELECT * FROM USERS WHERE name LIKE ? AND num = ?

SQL driver caches the query so parsing is done only once and then it binds different parameters to the same SQL command.

Update: Using BoundSql Outside of MyBatis

You can still use the parameterized sql (boundSql) with an another library or Java's java.sql.Connection. Below is an example:

Connection myConnection;
PreparedStatement preparedStatement = myConnection.prepareStatement(boundSql);
preparedStatement.setString(1, "john"); //First parameter starts with 1 not 0!
preparedStatement.setInt(2, 12345);
ResultSet results = preparedStatement.executeQuery();

Related questions

MyBatis Batch Insert/Update For Oracle

I've recently started learning to use myBatis.I am now facing such a scenario, I need to constantly fetch a new list of Objects through WebService, then for this list, I need to insert/update each object into the oracle …

Read More
How to Iterate through HashMap in MyBatis foreach?

I'm trying to produce a sql which is as below in mybatis. SELECT COL_C FROM TBLE_1 WHERE (COL_A, COL_B) in ( ('kp','kar'),('srt','sach')); And my input parameter type is HashMap. Now How do I generate SQL …

Read More
MyBatis executing multiple sql statements in one go, is that possible?

i was wondering if it is possible to execute multiple sql statements in 1 go. For example the scenario that i want to delete rows from multiple tables, is there a way i can do things like.. <delete id="delete" …

Read More