The difference between #{} and ${}
#{} is a placeholder and is handled by precompilation;
${} is string splicing: plain text replacement with no precompilation.
When MyBatis processes #{}, the incoming parameter is passed in as a string: each #{} in the SQL is replaced with a ? placeholder, and the set method of PreparedStatement is called to assign the value.
When MyBatis processes ${}, the original value is passed in, that is, ${} is replaced with the value of the variable, which is equivalent to variable replacement when a JDBC Statement is compiled. The variable corresponding to #{} automatically has single quotes '' added; after replacement, the variable corresponding to ${} is not enclosed in single quotes.
#{} can effectively prevent SQL injection and improve system security;
${} cannot prevent SQL injection.
The variable substitution of #{} takes place inside the DBMS; the variable substitution of ${} takes place outside the DBMS.
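The following added example (not MyBatis code and not from the original page) models the two substitution modes in Python, with sqlite3 standing in for the DBMS, to show why a value spliced by ${} can change the query while a value bound by #{} cannot. The `users` table, the `render`, `make_db` and `query` helpers, and the sample input are all constructed for illustration.

```python
import re
import sqlite3

TOKEN = re.compile(r"([#$])\{(\w+)\}")

# Hypothetical mapper statements: the same query in the two substitution styles.
SPLICED = "SELECT name FROM users WHERE name = '${name}'"
BOUND = "SELECT name FROM users WHERE name = #{name}"

# Constructed input that carries SQL syntax instead of a plain name.
HOSTILE = "x' OR '1'='1"


def render(template, params):
    """Model of the two modes (an assumption-level sketch, not MyBatis's code).

    ${name} is spliced into the SQL text before the database sees it;
    #{name} becomes a ? placeholder and the value is bound separately.
    """
    bound = []

    def substitute(match):
        kind, name = match.groups()
        if kind == "$":
            return str(params[name])  # text replacement, outside the DBMS
        bound.append(params[name])    # value travels beside the statement
        return "?"

    return TOKEN.sub(substitute, template), bound


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def query(db, template, params):
    sql, bound = render(template, params)
    return sql, db.execute(sql, bound).fetchall()


if __name__ == "__main__":
    db = make_db()
    for template in (SPLICED, BOUND):
        sql, rows = query(db, template, {"name": HOSTILE})
        print(sql, "->", rows)
```

With the spliced template the WHERE clause itself is rewritten and every row comes back; with the bound template the statement text never changes and the same input simply matches no row.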