1. Placeholders and parameterType in MyBatis SQL statements
#{} and parameterType
#{} represents a placeholder: the input parameter is bound to the placeholder, and MyBatis automatically converts between the Java type and the JDBC type, so the programmer does not need to consider the parameter's type. For example, when you pass in a string, MyBatis automatically adds single quotes around the parameter in the SQL statement.
If a simple type parameter is passed to #{}, for example parameterType="int", the variable name inside #{} is arbitrary.
If #{} receives a parameter of POJO type, for example parameterType="cn03.mybatis.pojo.User", then #{} reads the attribute value from the POJO, and the variable name inside #{} must match the name of the POJO attribute; this can be understood as a pass-through operation.
${} and parameterType
${} performs SQL splicing (string concatenation): the parameter received through ${} is spliced into the SQL as-is, without any modification, so it cannot prevent SQL injection.
If a simple type parameter is passed to ${}, for example parameterType="int", the variable name inside ${} is arbitrary.
If ${} receives a parameter of POJO type, for example parameterType="cn03.mybatis.pojo.User", then ${} reads the attribute value from the POJO, and the variable name inside ${} must match the name of the POJO attribute; this can be understood as a pass-through operation.
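The mapper XML below is an added example (not from the original notes) that puts the four cases above side by side and shows the hardened form of the ${} statements; the mapper namespace, table and column names are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
        "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<!-- Added example; namespace, table and column names are assumed -->
<mapper namespace="cn03.mybatis.mapper.UserMapper">

  <!-- #{} with a simple type: the name inside #{} is arbitrary. MyBatis
       emits "WHERE id = ?" and binds the value on the PreparedStatement. -->
  <select id="findById" parameterType="int" resultType="cn03.mybatis.pojo.User">
    SELECT id, username FROM user WHERE id = #{anyName}
  </select>

  <!-- #{} with a POJO: the name must match a property of User (username).
       The String is bound as a parameter, so a quote inside it stays data. -->
  <select id="findByUsername" parameterType="cn03.mybatis.pojo.User"
          resultType="cn03.mybatis.pojo.User">
    SELECT id, username FROM user WHERE username = #{username}
  </select>

  <!-- ${} with a simple type: the text is spliced into the SQL before the
       statement is prepared. A value such as O'Brien breaks the literal and
       produces a syntax error; a crafted value rewrites the WHERE clause.
       This is the SQL injection the notes warn about. -->
  <select id="findByUsernameUnsafe" parameterType="java.lang.String"
          resultType="cn03.mybatis.pojo.User">
    SELECT id, username FROM user WHERE username = '${value}'
  </select>

  <!-- ${} with a POJO: the property is resolved by name, still spliced raw -->
  <select id="findByUserUnsafe" parameterType="cn03.mybatis.pojo.User"
          resultType="cn03.mybatis.pojo.User">
    SELECT id, username FROM user WHERE username = '${username}'
  </select>

  <!-- Hardened form of the two ${} statements: same query, #{} binding.
       No quotes are written around #{}; MyBatis supplies them. -->
  <select id="findByUsernameSafe" parameterType="java.lang.String"
          resultType="cn03.mybatis.pojo.User">
    SELECT id, username FROM user WHERE username = #{value}
  </select>

</mapper>
```

With #{} the statement reaches the JDBC driver as "WHERE username = ?" and the value is bound separately; with ${} the value is already part of the SQL text, so a sudden run of syntax errors from one endpoint is a useful detection signal that ${} is being fed user input.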