Put simply:
#{} is pre-compiled, so it is safe.
${} is not pre-compiled; it only substitutes the value of the variable into the statement, so it is not safe and allows SQL injection.
If you write this in the mapper file:
ORDER BY #{columnName}
the final SQL statement ends up with extra quotes around the argument, for example:
select * from test order by 'update_time';
Use this instead:
ORDER BY ${columnName}
But note that this creates a potential SQL injection risk, so you need to validate and escape the value yourself.
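
One way to do that check before the value reaches ORDER BY ${columnName}, shown as an added example (not code from the original note). The class name OrderByGuard, the extra column names and the sample inputs are assumptions; only update_time appears above. It needs Java 9 or later for Map.of.

```java
import java.util.Locale;
import java.util.Map;

public final class OrderByGuard {
    // Allowlist: request value -> SQL identifier written by the developer.
    // "id" and "create_time" are hypothetical columns added for illustration.
    private static final Map<String, String> SORTABLE = Map.of(
            "update_time", "update_time",
            "create_time", "create_time",
            "id", "id");

    private OrderByGuard() {}

    // Returns the identifier to pass to the mapper as columnName.
    // The result always comes from the allowlist, never from the caller's
    // string, so nothing user-controlled is substituted by ${columnName}.
    public static String column(String requested) {
        if (requested == null) {
            throw new IllegalArgumentException("sort column is required");
        }
        String key = requested.trim().toLowerCase(Locale.ROOT);
        String column = SORTABLE.get(key);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return column;
    }

    // Sort direction cannot be bound with #{} either; reduce it to two constants.
    public static String direction(String requested) {
        return "desc".equalsIgnoreCase(requested) ? "DESC" : "ASC";
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {"update_time", " ID ", "update_time desc, id", "no_such_column"};
        for (String s : samples) {
            try {
                System.out.println("[" + s + "] -> ORDER BY " + column(s) + " " + direction("desc"));
            } catch (IllegalArgumentException e) {
                System.out.println("[" + s + "] rejected: " + e.getMessage());
            }
        }
    }
}
```

Call OrderByGuard.column(...) in the service layer and pass only its return value to the mapper; every other parameter in the statement should stay on #{}.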