(Reposted) The difference between # and $ in MyBatis

The difference between # and $ in MyBatis/iBatis

1. # treats the incoming value as a string and automatically wraps it in quotes. For example, with order by #user_id#: if the incoming value is 111, the parsed SQL is order by "111"; if the incoming value is id, the parsed SQL is order by "id".

2. $ places the incoming value directly into the SQL text. For example, with order by $user_id$: if the incoming value is 111, the parsed SQL is order by 111; if the incoming value is id, the parsed SQL is order by id.

3. The # method prevents SQL injection to a great extent.

4. The $ method cannot prevent SQL injection.

5. The $ method is generally used to pass in database objects, such as table names.

6. If you can use #, don't use $.

PS: When using MyBatis you will also run into <![CDATA[ ]]>. The statement inside this marker is not treated as a string but passed through directly as a SQL statement, for example to execute a stored procedure.
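The following example, added here and not part of the original post, shows both placeholder styles in MyBatis 3 syntax (`#{}` and `${}`, the successors of the iBatis `#…#` and `$…$` forms above) together with the guard that point 5 calls for: a `${}` identifier is accepted only from a fixed allow-list before it reaches the mapper. The `users` table, its columns, `UserMapper` and `UserQueries` are all assumed for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Hypothetical mapper: the "users" table, its columns and every method name here are
// assumed for illustration and are not part of the original post.
@Mapper
public interface UserMapper {
    // #{} is rendered as a JDBC "?" placeholder and the value is bound as a parameter,
    // so whatever the caller passes stays a value and cannot alter the statement.
    @Select("SELECT id, name FROM users WHERE status = #{status}")
    List<Map<String, Object>> findByStatus(@Param("status") String status);

    // ${} is spliced into the SQL text verbatim before the driver sees it. That is the
    // only way to supply an identifier (a column name or sort direction cannot be bound
    // as a parameter), which is why a ${} input must be restricted by the caller.
    @Select("SELECT id, name FROM users ORDER BY ${column} ${direction}")
    List<Map<String, Object>> findAllOrdered(@Param("column") String column,
                                             @Param("direction") String direction);
}

// Guard placed in front of the mapper: ${} values are accepted only from fixed
// allow-lists, so the dynamic SQL can only ever be one of a known set of statements.
final class UserQueries {
    private static final Set<String> SORT_COLUMNS = Set.of("id", "name", "created_at");
    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");
    private final UserMapper mapper;

    UserQueries(UserMapper mapper) {
        this.mapper = mapper;
    }

    List<Map<String, Object>> listSorted(String column, String direction) {
        if (column == null || !SORT_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String dir = direction == null ? "ASC" : direction.toUpperCase(Locale.ROOT);
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        // Only allow-listed identifiers ever reach the ${} placeholders.
        return mapper.findAllOrdered(column, dir);
    }
}
```

Anything that is data (the `status` value) goes through `#{}`; only identifiers go through `${}`, and only after the allow-list check.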
