Meaning
#{}: a placeholder
${}: a string-splicing (concatenation) marker
The differences:
Usage
#{}: a parameter placeholder, i.e. the SQL is precompiled and the value is bound as a parameter
${}: string replacement, i.e. the value is concatenated into the SQL text
Implementation process
#{}: dynamic parsing -> precompilation -> execution
${}: dynamic parsing -> compilation -> execution
Variable substitution
#{}: the variable is substituted inside the DBMS (database management system); the corresponding variable automatically gets single quotes ''
${}: the variable is substituted outside the DBMS; the corresponding variable does not get single quotes ''
SQL injection
#{}: can prevent SQL injection
${}: cannot prevent SQL injection
Tips
Whether there is a single parameter or multiple parameters, it is recommended to always use @Param("")
Use #{} wherever possible and use ${} as little as possible
When a table name is passed as a parameter, ${} must be used
For ORDER BY, ${} must be used
When using ${}, pay attention to whether single quotation marks are needed
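The two mechanisms above, modelled with Python's sqlite3 module (added example, not MyBatis code or part of the original notes): the driver's `?` placeholder stands in for #{} and an f-string splice stands in for ${}. The table and rows are constructed sample data, and the allowlist is an assumed mitigation for the ${} cases (table name, ORDER BY) that the notes say cannot use #{}.

```python
import sqlite3

# Constructed sample rows standing in for the application's users table.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]
# Allowlist used for the ${}-style (textual) substitution of a sort column.
ALLOWED_ORDER_COLUMNS = {"id", "name"}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn

def find_by_name(conn, name):
    # #{} analogue: '?' is a precompiled placeholder. The DBMS binds the value
    # itself (quoting included), so the input stays data and never becomes SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def table_bound(conn, table):
    # #{} on a table name: a placeholder can only stand for a value, not an
    # identifier, so the statement fails to compile (sqlite3.OperationalError).
    return conn.execute("SELECT id, name FROM ?", (table,)).fetchall()

def order_by_bound(conn, column):
    # #{} on ORDER BY: the column name is bound as the string literal 'name',
    # so every row gets the same sort key and the requested order is ignored.
    return conn.execute("SELECT id, name FROM users ORDER BY ? DESC", (column,)).fetchall()

def order_by_spliced(conn, column):
    # ${} analogue: the text is spliced into the SQL before compilation, which
    # is what an identifier needs. Nothing is quoted or escaped for us, so the
    # caller's value is checked against an allowlist before it touches the SQL.
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT id, name FROM users ORDER BY {column} DESC").fetchall()

if __name__ == "__main__":
    db = make_db()
    print(find_by_name(db, "bob"))        # [(2, 'bob')]
    print(find_by_name(db, "bob'"))       # [] : the quote is just part of the value
    print(order_by_bound(db, "name"))     # unsorted: a constant key orders nothing
    print(order_by_spliced(db, "name"))   # [(3, 'carol'), (2, 'bob'), (1, 'alice')]
```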