The difference between #{} and ${} in MyBatis

1. #{} treats the incoming value as data: MyBatis puts a ? placeholder into the SQL and binds the value as a prepared-statement parameter, so the database receives it as a literal, much as if it had been quoted. For example, with order by #{user_id}: if the incoming value is 111, the SQL behaves like order by '111'; if the incoming value is id, it behaves like order by 'id', a constant string rather than the column. (The older iBATIS 2 syntax for the same thing was #user_id#.)

2. ${} splices the incoming value into the SQL text exactly as it was given. For example, with order by ${user_id}: if the incoming value is 111, the parsed SQL is order by 111; if the incoming value is id, the parsed SQL is order by id, that is, the column. (The older iBATIS 2 syntax was $user_id$.)

3. The # form prevents SQL injection to a large extent, because the bound value can never change the structure of the statement.

4. The $ form cannot prevent SQL injection on its own.

5. The $ form is generally used to pass in database object names, such as table or column names, which cannot be bound as parameters.

6. In general, if you can use #, do not use $.

When sorting in MyBatis with a dynamic ORDER BY parameter, note that it has to be ${} rather than #{}: a bound parameter makes the database sort by a constant string instead of by the named column.

String substitution
By default, using the #{} syntax causes MyBatis to generate a PreparedStatement parameter and set the value safely through the ? placeholder. This is safe, fast and preferred, but sometimes you just want to insert an unaltered string directly into the SQL statement. For ORDER BY, for example, you can use it like this:
ORDER BY ${columnName}
Here MyBatis will not modify or escape the string.

IMPORTANT: it is not safe to accept input from the user and supply it to a statement unmodified in this way. It leads to potential SQL injection, so either do not allow user input in these fields, or always escape and check the value yourself.
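The six points above and the ORDER BY case, as an added Java example (not code from the original article or from the MyBatis project). It assumes MyBatis 3 annotation mappers, a users table with columns id, name and status, and the class and method names (OrderByExample, UserMapper, UserQueryService, findAllOrderedBy and so on) are made up for illustration. It shows the four combinations a practitioner runs into: #{} in a WHERE clause (safe), #{} in ORDER BY (safe but sorts by a constant), ${} in ORDER BY behind an allowlist, and a dynamic-SQL form that needs no ${} at all.

```java
import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added example; not code from the original article or from the MyBatis
// project. Assumes a "users" table with columns id, name and status and the
// MyBatis 3 annotation API (org.apache.ibatis.annotations).
public class OrderByExample {

    // Result type; MyBatis sets the fields by name from the result columns.
    public static class User {
        public long id;
        public String name;
        public String status;
    }

    public interface UserMapper {

        // #{}: MyBatis emits a placeholder and binds the value, so the
        // database compiles exactly this text:
        //   SELECT id, name, status FROM users WHERE status = ?
        // Whatever the caller passes (quotes, comment markers, further SQL)
        // arrives as data and cannot change the statement.
        @Select("SELECT id, name, status FROM users WHERE status = #{status}")
        List<User> findByStatus(@Param("status") String status);

        // #{} in ORDER BY is safe but useless: the database sees
        //   ... ORDER BY ?
        // with the string 'name' bound to it, i.e. ORDER BY 'name', a constant
        // expression. Depending on the database it sorts by nothing or is
        // rejected outright; it never sorts by the name column.
        @Select("SELECT id, name, status FROM users ORDER BY #{column}")
        List<User> findAllOrderedByConstant(@Param("column") String column);

        // ${}: plain text substitution before the SQL reaches the driver, which
        // is why it works for a column name. It is only safe when the caller
        // guarantees the value is one of the identifiers the application itself
        // defines (see UserQueryService.list). Passing a request parameter
        // straight in here is the SQL injection the article warns about.
        @Select("SELECT id, name, status FROM users ORDER BY ${column} ${direction}")
        List<User> findAllOrderedBy(@Param("column") String column,
                                    @Param("direction") String direction);

        // Alternative that needs no ${} at all: the caller supplies a sort
        // key, and MyBatis dynamic SQL maps it to a column name written in the
        // mapper. An unknown key falls through to the default ordering, so no
        // caller-controlled text is ever spliced into the statement.
        @Select("<script>"
              + "SELECT id, name, status FROM users "
              + "<choose>"
              + "  <when test=\"sortKey == 'name'\">ORDER BY name</when>"
              + "  <when test=\"sortKey == 'status'\">ORDER BY status</when>"
              + "  <otherwise>ORDER BY id</otherwise>"
              + "</choose>"
              + "</script>")
        List<User> findAllOrderedByKey(@Param("sortKey") String sortKey);
    }

    // Allowlist check in front of the ${} mapper method.
    public static class UserQueryService {
        private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "name", "status");
        private final UserMapper mapper;

        public UserQueryService(UserMapper mapper) {
            this.mapper = mapper;
        }

        public List<User> list(String requestedColumn, boolean descending) {
            // Only a value equal to one of the identifiers we wrote ourselves
            // reaches ${column}, so the statement text is always one of a small,
            // known set of strings. Rejecting rather than silently defaulting
            // makes tampering visible in the logs.
            if (!SORTABLE_COLUMNS.contains(requestedColumn)) {
                throw new IllegalArgumentException("unsortable column: " + requestedColumn);
            }
            return mapper.findAllOrderedBy(requestedColumn, descending ? "DESC" : "ASC");
        }
    }
}
```

The sort-direction string is built from a boolean for the same reason the column is allowlisted: both are substituted into the SQL text, so both must come from the application, never from the request. Of the two hardened forms, the sort-key mapping (findAllOrderedByKey) is the one to prefer when the set of sortable columns is small and stable, because there is then no ${} left in the mapper for a later change to misuse.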

 

The MyBatis documentation itself says:

String Substitution

By default, using the #{} syntax will cause MyBatis to generate PreparedStatement properties and set the values safely against the PreparedStatement parameters (e.g. ?). While this is safer, faster and almost always preferred, sometimes you just want to directly inject a string unmodified into the SQL Statement. For example, for ORDER BY, you might use something like this:

ORDER BY ${columnName}
Here MyBatis won't modify or escape the string.

NOTE It's not safe to accept input from a user and supply it to a statement unmodified in this way. This leads to potential SQL Injection attacks and therefore you should either disallow user input in these fields, or always perform your own escapes and checks.

From the above it can be seen that:

1. The #{} syntax makes MyBatis use a PreparedStatement and set the value safely; the executed code is similar to the following:

String sql = "SELECT * FROM users WHERE id = ?";   // illustrative query; the text sent to the database never changes
PreparedStatement ps = conn.prepareStatement(sql); // compiled once, with a placeholder where the value will go
ps.setInt(1, id);                                  // the value is bound separately, as data
ResultSet rs = ps.executeQuery();

The benefits are: safer, faster, and generally preferred.

Moreover, SQL in the #{} form has fixed statement text, so it can be precompiled: the driver or database can cache the parsed statement and reuse it for each call instead of re-parsing a freshly assembled string every time.

2. But sometimes you just want to insert an unchanged string directly into the SQL statement. For ORDER BY, for example, you can use it like this:

ORDER BY ${columnName}

In this case MyBatis will not modify or escape the string.

This is equivalent to building the SQL text yourself and running it through a plain Statement:

String sql = "SELECT * FROM users ORDER BY " + columnName; // illustrative; the statement text itself is built from the value
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery(sql);                       // the database parses whatever ended up in the string

The downside is that accepting input from the user and supplying it to the statement unmodified in this way is unsafe and leads to a potential SQL injection attack. So either do not let users supply these fields at all, or escape and check the value yourself; for ORDER BY the usual check is an allowlist of column names the application defines.
