MyBatis Java interview question: what is the difference between #{} and ${}?

A MyBatis Mapper configuration file passes parameters (parameterType, the parameter type of the SQL statement) in two ways:

#{} and ${}

The difference between the two:

(1) #{}

select * from message where name=#{name}

After precompilation, the SQL is:

select * from message where name=?

(2) ${}

select * from message where name=${name}

The value is spliced directly into the SQL text, giving:

select * from message where name='wangwu'

Summary of the two:

(1) Use ${} only when the value must be inserted directly into the SQL text, for example a table name.

(2) Use #{} wherever possible and avoid ${}.

Addendum: what is SQL injection?

SQL injection means inserting SQL commands into a submitted web form, a query string, a domain name, or a page request so that the server is tricked into executing malicious SQL. More specifically, it exploits the existing application's ability to pass SQL commands to the back-end database engine: by entering (malicious) SQL statements into a web form, an attacker gets the site's database to execute SQL other than what the designer intended, which is a security vulnerability.
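As an added example that is not part of the original post, the following Python script emulates the two MyBatis placeholder behaviours over an in-memory SQLite table with constructed sample rows: #{} is rendered to a bound ? placeholder, while ${} is spliced into the SQL text before parsing, so a crafted value changes the query instead of staying data. The `SAFE_TABLES` allowlist is an assumption illustrating the one legitimate ${} use, a table name.

```python
import re
import sqlite3

# Constructed sample data, not from the original post.
_ROWS = [("zhangsan", "hello"), ("wangwu", "hi"), ("lisi", "secret")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table message(name text, content text)")
    conn.executemany("insert into message values (?, ?)", _ROWS)
    return conn


def render_hash(sql, params):
    """Emulate #{}: every #{x} becomes a ? placeholder and the value is bound separately."""
    names = re.findall(r"#\{(\w+)\}", sql)
    return re.sub(r"#\{\w+\}", "?", sql), [params[n] for n in names]


def render_dollar(sql, params):
    """Emulate ${}: the value is pasted into the SQL string before the database parses it."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), sql), []


def query(sql, params, renderer):
    """Run a mapper-style statement with the chosen renderer; returns matched names."""
    stmt, args = renderer(sql, params)
    return [row[0] for row in _connect().execute(stmt, args)]


# Assumed allowlist: the only safe way to let ${} choose a table name.
SAFE_TABLES = {"message"}


def query_table(table, name):
    """${} for the table name only after an allowlist check; the value still goes through #{}."""
    if table not in SAFE_TABLES:
        raise ValueError("unknown table: " + table)
    sql = "select * from ${table} where name = #{name}"
    stmt, args = render_hash(render_dollar(sql, {"table": table})[0], {"name": name})
    return [row[0] for row in _connect().execute(stmt, args)]
```

With a normal value both renderers return the same row; with a value containing a quote and an OR clause, the #{} version still matches nothing while the ${} version returns every row, which is the behaviour the summary above warns about.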


Thank you! Please correct me! We grow together.


Source: blog.csdn.net/qq_41026809/article/details/90523216