add ${} logic.

Author: ralgond

README.md

@@ -30,3 +30,34 @@ INSERT INTO fruits (name, category, price) VALUES ('Bob', 'B', 200)
 refer to [test_mybatis.py](https://github.com/ralgond/mybatis-py/blob/main/test/test_mybatis.py)、[test2.xml](https://github.com/ralgond/mybatis-py/blob/main/mapper/test.xml)
 
 ## Dynamic SQL
+### ${}和#{}的区别
+#{}是一个占位符，为prepared statement而存在，在MapperManager处理后会变成字符'?'；
+${}表示简单的字符串替换。下面一个例子能说明它的区别：
+```python
+from mybatis import *
+
+mm = MapperManager()
+
+'''
+test.xml的内容如下：
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+<mapper>
+    <select id="testStringReplace">
+        SELECT * from fruits_${date} where id=#{id}
+    </select>
+</mapper>
+'''
+mm.read_mapper_xml_file("mapper/test.xml")
+
+sql, param_list = mm.select("testStringReplace", {'id':1, 'date':"20241204"})
+print(sql, param_list)
+```
+结果是
+```bash
+SELECT * from fruits_20241204 where id=? [1]
+```
+可以看见${date}被替换成"20241204"，而#{id}替换成了'?'，同时param_list中只有一个参数值为1。
+
+基于安全性的考虑，为了防止SQL注入，建议只要能使用#{}就不要使用${}，除非你有足够的把握。

example.py

@@ -39,7 +39,10 @@ def main():
     # sql, param_list = mm.select("testTrim", {'names': [1, 2, 3, 4]})
     # print(sql, param_list)
 
-    sql, param_list = mm.update("testSet", {'category': "banana", "price": 500, "name":"a"})
+    # sql, param_list = mm.update("testSet", {'category': "banana", "price": 500, "name":"a"})
+    # print(sql, param_list)
+
+    sql, param_list = mm.select("testStringReplace", {'id':1, 'date':"20241204"})
     print(sql, param_list)
 
     # cur.execute(sql, param_list, multi=True)
@@ -49,7 +52,7 @@ def main():
     # res = cur.fetchall()
     # print(res)
 
-    print(globals()['A'])
+    # print(globals()['A'])
 
 if __name__ == "__main__":
     main()

mapper/test.xml

@@ -147,4 +147,8 @@
         WHERE
         name = #{name}
     </update>
+
+    <select id="testStringReplace">
+        SELECT * from fruits_${date} where id=#{id}
+    </select>
 </mapper>

mybatis/mapper_manager.py

@@ -6,6 +6,7 @@ class MapperManager:
     def __init__(self):
         self.id_2_element_map = {}
         self.param_pattern = re.compile(r"#{([a-zA-Z0-9_\-]+)}")
+        self.replace_pattern = re.compile(r"\${([a-zA-Z0-9_\-]+)}")
 
     def read_mapper_xml_file(self, mapper_xml_file_path):
         root = et.parse(mapper_xml_file_path).getroot()
@@ -211,6 +212,16 @@ def _to_prepared_statement(self, ret, param) -> Tuple[str, list]:
 
         return (ret, ret_param)
 
+    def _to_replace(self, ret, param) -> str:
+        matches = self.replace_pattern.findall(ret)
+        for match in matches:
+            value = ""
+            if match in param:
+                value = param[match]
+            ret = ret.replace("${"+match+"}", value)
+        return ret
+
+
     def select(self, id: str, params: dict) -> Tuple[str, list]:
         if id not in self.id_2_element_map:
             raise Exception("Missing id")
@@ -226,7 +237,9 @@ def select(self, id: str, params: dict) -> Tuple[str, list]:
             ret += self.parse_element(child, param0)
             ret += child.tail
 
-        return self._to_prepared_statement(ret, params)
+        sql, sql_param = self._to_prepared_statement(ret, params)
+        sql = self._to_replace(sql, params)
+        return (sql, sql_param)
 
     def update(self, id: str, params: dict) -> Tuple[str, list]:
         if id not in self.id_2_element_map:
@@ -243,7 +256,9 @@ def update(self, id: str, params: dict) -> Tuple[str, list]:
             ret += self.parse_element(child, param0)
             ret += child.tail
 
-        return self._to_prepared_statement(ret, params)
+        sql, sql_param = self._to_prepared_statement(ret, params)
+        sql = self._to_replace(sql, params)
+        return (sql, sql_param)
 
     def delete(self, id: str, params: dict) -> Tuple[str, list]:
         if id not in self.id_2_element_map:
@@ -260,7 +275,9 @@ def delete(self, id: str, params: dict) -> Tuple[str, list]:
             ret += self.parse_element(child, param0)
             ret += child.tail
 
-        return self._to_prepared_statement(ret, params)
+        sql, sql_param = self._to_prepared_statement(ret, params)
+        sql = self._to_replace(sql, params)
+        return (sql, sql_param)
 
     def insert(self, id: str, params: dict) -> Tuple[str, list]:
         if id not in self.id_2_element_map:
@@ -277,4 +294,6 @@ def insert(self, id: str, params: dict) -> Tuple[str, list]:
             ret += self.parse_element(child, param0)
             ret += child.tail
 
-        return self._to_prepared_statement(ret, params)
+        sql, sql_param = self._to_prepared_statement(ret, params)
+        sql = self._to_replace(sql, params)
+        return (sql, sql_param)

setup.py

@@ -2,7 +2,7 @@
 
 setup(
     name='mybatis',
-    version='0.0.1',
+    version='0.0.2',
     description='A python ORM like mybatis.',
     long_description=open('README.md').read(),
     long_description_content_type='text/markdown',  # 如果你使用的是Markdown格式的README
@@ -31,4 +31,4 @@
     license='Apache-2.0',
     test_require=['pytest'],
     tests_require=['pytest'],
-)
+)