The difference between # and $ in MyBatis

1. #{} is roughly equivalent to putting the data in quotes; ${} is equivalent to pasting the data straight into the SQL.
2. #{} treats the incoming data as a value to be bound: MyBatis replaces it with a ? placeholder in a prepared statement and passes the value separately, which behaves as if the value had been quoted. For example, with order by #{user_id} (the old iBATIS spelling is #user_id#), passing 111 produces the equivalent of order by "111", and passing id produces order by "id". Note that both of these sort by a constant string, not by a column, so the ordering is not what the caller expects.
3. ${} writes the incoming data directly into the generated SQL. With order by ${user_id} (iBATIS: $user_id$), passing 111 produces order by 111, and passing id produces order by id.
4. The #{} form prevents SQL injection to a large extent, because the value never becomes part of the SQL text that the database parses.
5. The ${} form cannot prevent SQL injection.
6. The ${} form is generally used for passing database objects, such as a table or column name, which cannot be bound as parameters.
7. In general, do not use ${} where #{} will do.

Note: when sorting with a dynamic ORDER BY parameter in MyBatis, you must use ${} rather than #{}, and the value must then be validated (for example against a fixed list of permitted column names) before it reaches the statement.

String substitution
By default, using the #{} syntax causes MyBatis to generate a PreparedStatement property and set the value safely against the PreparedStatement parameter (shown as ?). While this is safer, faster and almost always preferred, sometimes you just want to insert an unmodified string directly into the SQL statement. For example, for ORDER BY you can use:
ORDER BY ${columnName}
Here MyBatis will not modify or escape the string.

IMPORTANT: it is not safe to accept input from a user and supply it to a statement unmodified in this way. This leads to potential SQL injection attacks, so you should either not allow the user to enter these fields at all, or always perform your own escaping and checks. For identifiers such as column names, checking the value against an allowlist is the reliable option; escaping alone does not help, because an identifier is not a string literal.

***
#{} is used for ordinary CRUD statements.
${} is often used for fuzzy (LIKE) search, with the % wildcards added around it, but that is exactly the unsafe case described above: a keyword such as %' OR '1'='1 rewrites the WHERE clause. Prefer keeping the value bound with #{} and adding the wildcards in Java or in SQL, for example LIKE CONCAT('%', #{keyword}, '%') on MySQL or LIKE '%' || #{keyword} || '%' on databases that use || for concatenation (remember the %% either way).
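The following is an added example, not code from the original post and not MyBatis code. It uses Python's sqlite3 module to show the same two mechanisms MyBatis uses through JDBC: a bound ? parameter (what #{} becomes) versus a value spliced into the SQL text (what ${} becomes). It covers all three situations the post discusses: the injected WHERE clause, the ORDER BY case where a bound parameter sorts by a constant and a spliced one must be allowlisted, and the LIKE search built around a bound parameter. The users table, its three rows, the function names and the allowlist are all constructed for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
ROWS = [(1, "alice", 30), (2, "bob", 25), (3, "carol", 35)]


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


# #{} style: the value travels as a bound parameter behind a '?' placeholder.
# The SQL text the database parses never contains the value, so quotes or
# keywords inside it cannot change the statement's structure.
def find_ids_bound(conn, name):
    return [r[0] for r in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]


# ${} style: the value is spliced into the SQL text before parsing.
def find_ids_spliced(conn, name):
    return [r[0] for r in conn.execute(
        f"SELECT id FROM users WHERE name = '{name}'")]


# Why #{} does not work for ORDER BY: a bound parameter is a constant
# expression, so ORDER BY ? sorts every row by the same value and the
# rows come back in storage order, not sorted by the named column.
def names_order_by_bound(conn, column):
    return [r[0] for r in conn.execute(
        "SELECT name FROM users ORDER BY ?", (column,))]


# ${} splices the identifier, so sorting works, but the caller controls SQL.
def names_order_by_spliced(conn, column):
    return [r[0] for r in conn.execute(
        f"SELECT name FROM users ORDER BY {column}")]


# Safe form of the ${} case: only accept identifiers from a fixed allowlist
# (constructed for this example; a real mapper would list its own columns).
SORTABLE_COLUMNS = {"id", "name", "age"}


def names_order_by_allowlisted(conn, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"refusing to sort by {column!r}")
    return names_order_by_spliced(conn, column)


# Fuzzy search without ${}: build the wildcard pattern inside SQL around a
# bound parameter, so the user's text can only ever be part of a LIKE pattern.
def names_like_bound(conn, fragment):
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name LIKE '%' || ? || '%'", (fragment,))]


# The LIKE '%${keyword}%' form that the post describes, for comparison.
def names_like_spliced(conn, fragment):
    return [r[0] for r in conn.execute(
        f"SELECT name FROM users WHERE name LIKE '%{fragment}%'")]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(find_ids_bound(conn, payload))        # []: payload is just a string
    print(find_ids_spliced(conn, payload))      # [1, 2, 3]: WHERE clause rewritten
    print(names_order_by_bound(conn, "age"))    # storage order, not sorted by age
    print(names_order_by_allowlisted(conn, "age"))  # sorted by age
    # Blind injection through the spliced ORDER BY: the sort order alone leaks
    # whether bob's age is below 30, with no error and no extra output.
    probe = ("CASE WHEN (SELECT age FROM users WHERE name='bob') < 30 "
             "THEN age ELSE id END")
    print(names_order_by_spliced(conn, probe))
    print(names_like_bound(conn, "%' OR '1'='1"))    # []: treated as a pattern
    print(names_like_spliced(conn, "%' OR '1'='1"))  # every row
```

The ORDER BY probe is the point most worth noticing: nothing in the response looks like an error, yet an attacker who controls the ${} column name learns one bit about another row per request, which is exactly why a spliced identifier must be checked against an allowlist rather than escaped.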

Source: www.cnblogs.com/gzhbk/p/10971968.html