[Framework] ---- MyBatis: the difference between #{} and ${}

1. Conclusion

  #{}: a placeholder; its benefit is that it prevents SQL injection.

  ${}: a string-splicing (concatenation) marker.

2. Detailed analysis

Dynamic SQL is one of the most powerful features of MyBatis and one of the main reasons it is preferred over other ORM frameworks. Before MyBatis precompiles a SQL statement it parses the SQL dynamically into a BoundSql object, and dynamic SQL is handled in that same step. In this dynamic SQL parsing stage, #{} and ${} behave differently.

#{}: parsed into a JDBC prepared statement parameter marker.
For example, with the following SQL in Mapper.xml:

select * from user where name = #{name};

the dynamic parsing step produces:

select * from user where name = ?; 

#{name} is interpreted as a parameter placeholder, ?.
${}, on the other hand, is plain string substitution: the variable is replaced by its text during the dynamic SQL parsing stage.

For example, with the following SQL in Mapper.xml:

select * from user where name = ${name};

if we pass the parameter value Jack, the SQL above parses to:

select * from user where name = Jack;

The value is pasted into the SQL text verbatim and no quoting is added; a mapper that wants a string literal has to write '${name}' itself. So by the time the statement reaches precompilation it no longer contains the variable: the text is already final. To sum up, ${} replaces the variable during the dynamic SQL parsing stage, whereas a #{} variable is only bound as a parameter when the driver and DBMS execute the precompiled statement.

3. Usage

1. Use #{} wherever #{} can be used

First, for performance: the same precompiled SQL can be reused. Second, ${} substitutes the variable before precompilation, which opens the door to SQL injection. Take the following SQL:

select * from ${tableName} where name = #{name}

If our tableName parameter is user; delete from user; --, then after the dynamic SQL parsing stage the SQL handed to precompilation becomes:

select * from user; delete from user; -- where name = ?;

The -- turns the rest of the line into a comment, so what was meant to be a simple query now also deletes every row of the user table. Whether the stacked statement actually runs depends on the driver (MySQL Connector/J, for example, rejects multiple statements per call unless allowMultiQueries=true), but the attacker controls the query text either way, so the mapper is injectable regardless.

2. When the table name is a variable, you must use ${}
This is because a value bound through a SQL placeholder is sent as a string, and the driver wraps it in single quotes ' '. That is fine for a value but a syntax error for a table name. For example:

select * from #{tableName} where name = #{name};

After precompilation the SQL becomes:

select * from ? where name = ?;

Suppose we pass tableName = "user" and name = "Jack". Once the values are bound to the placeholders, the statement is equivalent to:

select * from 'user' where name='Jack';

This statement is a syntax error: a table name cannot be wrapped in single quotes '' (backticks `` would be accepted, but the driver does not use them for a string parameter).
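To make the behaviour described in sections 2 and 3 concrete, here is an added example; it is not MyBatis code and not from the original post. Two regular expressions stand in for MyBatis's ${} text substitution and its #{} placeholder parsing (a simplification of what TextSqlNode and SqlSourceBuilder do), and the resulting statements are run against an in-memory SQLite database. The user table, its two rows, the hostile inputs and the function names are constructed for the demo; the single-statement execute() and the error text are SQLite's behaviour, assumed to stand in for a JDBC driver.

```python
"""Emulation of how MyBatis treats #{} and ${}, run against SQLite.

Added illustration, not MyBatis's own parser: the two regexes below stand
in for MyBatis's ${} substitution (done while parsing dynamic SQL) and its
#{} handling (replaced by a ? marker plus an ordered list of bound values).
The `user` table and its rows are constructed for the demo.
"""
import re
import sqlite3

DOLLAR = re.compile(r"\$\{(\w+)\}")   # ${name}: pasted into the SQL text
HASH = re.compile(r"#\{(\w+)\}")      # #{name}: becomes a JDBC-style ? marker


def parse(sql, params):
    """Return (statement_sent_to_the_driver, values_bound_in_order).

    Step 1 runs before precompilation, so whatever ${} inserts becomes part
    of the statement the DBMS compiles. Step 2 only records where a value
    goes; the value itself never enters the SQL text.
    """
    sql = DOLLAR.sub(lambda m: str(params[m.group(1)]), sql)
    bound = [params[n] for n in HASH.findall(sql)]
    return HASH.sub("?", sql), bound


def run(conn, sql, params):
    stmt, bound = parse(sql, params)
    return conn.execute(stmt, bound).fetchall()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table user(id integer, name text);"
        "insert into user values (1, 'Jack'), (2, 'Alice');"
    )
    return conn


def lookup_with_hash(conn, name):
    # #{}: the name is bound as a parameter, so it is always a plain string.
    return run(conn, "select * from user where name = #{name}", {"name": name})


def lookup_with_dollar(conn, name):
    # ${}: the mapper has to add the quotes itself, and those quotes are
    # exactly what a hostile value breaks out of.
    return run(conn, "select * from user where name = '${name}'", {"name": name})


def lookup_in_table(conn, table, name):
    # The page's own pattern: table name via ${}, value via #{}.
    return run(conn, "select * from ${tableName} where name = #{name}",
               {"tableName": table, "name": name})


def lookup_in_table_bad(conn, table, name):
    # Table name via #{}: the DBMS is asked to compile "select * from ?",
    # which no SQL dialect accepts. Returns the error text instead of rows.
    try:
        return run(conn, "select * from #{tableName} where name = #{name}",
                   {"tableName": table, "name": name})
    except sqlite3.OperationalError as e:
        return str(e)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' or '1'='1"
    print("#{} with hostile name :", lookup_with_hash(db, hostile))
    print("${} with hostile name :", lookup_with_dollar(db, hostile))
    print("${} table, #{} name   :", lookup_in_table(db, "user", "Alice"))
    print("#{} table             :", lookup_in_table_bad(db, "user", "Jack"))
    # The page's stacked payload: only the text is shown, because SQLite's
    # execute(), like MySQL Connector/J by default, refuses a second statement.
    print(parse("select * from ${tableName} where name = #{name}",
                {"tableName": "user; delete from user; --", "name": "Jack"}))
```

lookup_with_hash() never returns more than the row whose name equals the bound value, whatever the caller supplies, while lookup_with_dollar() returns the whole table for the input x' or '1'='1. lookup_in_table_bad() shows the DBMS refusing select * from ?, which is why a table name has to go through ${}. parse() also reproduces the stacked payload from section 3; the demo prints it rather than executing it, because SQLite's execute() refuses more than one statement per call, but the point stands that the attacker, not the mapper, now writes the query text.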

4. SQL precompilation

 1. Definition:

  Precompilation means that the database driver has the DBMS compile the SQL statement before the parameter values are sent, so that when the DBMS later executes the statement with a given set of parameters it does not need to compile it again.

 2. Why precompile
  In JDBC the PreparedStatement object abstracts a precompiled statement. Precompilation lets the DBMS optimise the execution of the SQL: in most cases a precompiled statement can be executed directly without being recompiled, and the more complex the SQL, the more compilation work is saved, since several operations can be merged into one at compile time. Precompiled statement objects can also be reused: the PreparedStatement produced by precompilation is cached, and the next time the same SQL is executed the cached PreparedStatement is used directly. By default MyBatis precompiles all SQL (the default statementType of a mapped statement is PREPARED).


Origin blog.csdn.net/ningjiebing/article/details/89411047