1. The difference between $ and #
MyBatis uses parameterType to pass parameters into an SQL statement. When referring to those parameters inside the statement, there are two ways to write them: #{parameterName} and ${parameterName}.
The difference: when a parameter is referenced with #{parameterName}, MyBatis passes the value as a parameter (a string value is handled as a string, with the quotes added automatically). When it is referenced with ${parameterName}, the value is not processed at all and is spliced directly into the SQL statement.
# is a placeholder; $ is string concatenation.
2. How to prevent SQL injection
Use #{} to prevent SQL injection; ${} cannot guard against injection attacks.
When a parameter is referenced with #{}, MyBatis first precompiles the SQL statement and only then supplies the referenced value, which effectively prevents SQL injection and improves security. When a parameter is referenced with ${}, the SQL statement is not precompiled.
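The following is an added example, not code from the page or from the MyBatis project. It emulates the two substitution rules described above with a small renderer: #{name} becomes a ? placeholder whose value is bound at execution time (the precompiled path), while ${name} is spliced into the SQL text. The statements are then executed against an in-memory SQLite table (a constructed sample, not from the page) so the difference in outcome is visible. The users table, the row data, and the order_by_column allow-list are assumptions made for the demonstration; the allow-list shows the one defence that remains when ${} is genuinely needed, such as for a column name, which a bound parameter cannot express.

```python
import re
import sqlite3

# Constructed sample schema and rows (not from the page).
_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'admin');
INSERT INTO users VALUES (2, 'bob', 'user');
"""

# Matches MyBatis-style references: #{name} or ${name}.
_TOKEN = re.compile(r"([#$])\{(\w+)\}")


def render(template, params):
    """Emulate MyBatis parameter handling for one mapper statement.

    #{name}: replaced by a ? placeholder, value appended to the bound list,
             so the driver precompiles the statement and binds the value.
    ${name}: the raw value is spliced into the SQL text, with no quoting
             and no escaping, so it becomes part of the statement itself.
    Returns (sql_text, bound_values).
    """
    bound = []

    def substitute(match):
        kind, name = match.group(1), match.group(2)
        value = params[name]
        if kind == "#":
            bound.append(value)
            return "?"
        return str(value)  # '$' path: direct splice

    return _TOKEN.sub(substitute, template), bound


def run(template, params):
    """Render the template and execute it; returns (sql_text, rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    sql, bound = render(template, params)
    rows = conn.execute(sql, bound).fetchall()
    conn.close()
    return sql, rows


# Column names cannot be bound with ?, so an identifier must go through ${}.
# The only defence there is an allow-list of values the application owns.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def order_by_column(col):
    """Accept a sort column only if it is one the application defined."""
    if col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {col!r}")
    return col


# The same lookup written both ways (assumed mapper statements).
SAFE_LOOKUP = "SELECT id, name FROM users WHERE name = #{name}"
UNSAFE_LOOKUP = "SELECT id, name FROM users WHERE name = '${name}'"
SORTED_LIST = "SELECT id, name FROM users ORDER BY ${col} DESC"

if __name__ == "__main__":
    probe = "x' OR '1'='1"
    print(run(SAFE_LOOKUP, {"name": "alice"}))   # one row, SQL contains '?'
    print(run(SAFE_LOOKUP, {"name": probe}))     # no rows: probe is just a string
    print(run(UNSAFE_LOOKUP, {"name": probe}))   # every row: probe altered the WHERE
    print(run(SORTED_LIST, {"col": order_by_column("name")}))
```

Running the block prints the rendered SQL next to the rows it returned: the #{} version keeps the ? placeholder and matches nothing for the probe value, whereas the ${} version shows the probe text merged into the WHERE clause and returns the whole table. The ORDER BY case only works at all through ${}, which is why the allow-list check sits in front of it.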