The difference between #{} and ${} in MyBatis

When MyBatis passes a query parameter, the placeholder can be written either as #{} or as ${}.
The differences are:
1. #{} passes a string parameter as-is, wrapping the value in quotes as a string literal, while ${} adds no quotes. Example:

select * from user where name = #{name}  -- if the name passed in is "小明"
the SQL statement that is executed is
select * from user where name = "小明"

select * from user where name = ${name}
which executes as
select * from user where name = 小明 -- for a query condition like this one normally uses #; without the quotes the SQL cannot execute
${} is generally used to pass table names, column names and other database objects, for example: order by ${}

2. #{} prevents SQL injection to a large extent, while ${} cannot prevent SQL injection, so use #{} wherever #{} can be used.
Why #{} prevents SQL injection:
Under the hood MyBatis implements #{} with a PreparedStatement, which is precompiled: the incoming parameter appears in the SQL as a ? placeholder. Because the SQL only takes effect at precompile time, a value supplied after precompilation can only ever be bound as a parameter; it does not take part in generating the SQL statement. ${} does not use precompilation: the parameter is spliced directly into the SQL text, which creates a SQL injection vulnerability.
Example of SQL injection caused by ${} not being precompiled:

select * from user where name =  ${name} 

For this SQL statement, if the parameter passed in is name = 'sam or 1 = 1',
then the SQL generated with ${} is:

select * from user where name = sam or 1=1

This query returns every row, so the condition no longer serves any purpose, and it leads to further problems.
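The two placeholders side by side in a MyBatis mapper, as an added example that is not from the original post: #{} for the value, and ${} for the order by column only after the column name has been checked against a fixed allowlist. The mapper interface, the User class, the user table and the SORTABLE set are assumed.

```java
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import java.util.List;
import java.util.Set;

// Hypothetical mapper; the User entity and the "user" table are assumed.
@Mapper
public interface UserMapper {

    // #{name} becomes a JDBC '?' placeholder in a PreparedStatement: a value such
    // as "sam' or 1=1" is bound as one string and compared literally, never
    // spliced into the SQL text.
    @Select("select * from user where name = #{name}")
    List<User> findByName(@Param("name") String name);

    // ${column} is spliced in as raw text. That is the only way to supply an
    // identifier (order by cannot take a bind parameter), so callers must not be
    // allowed to pass arbitrary text here; see findAllSortedSafely below.
    @Select("select * from user order by ${column}")
    List<User> findAllOrderedBy(@Param("column") String column);

    // Allowlist of sortable columns (assumed names), kept next to the mapper.
    Set<String> SORTABLE = Set.of("id", "name", "created_at");

    // Wrapper around the ${} query: only a known column name ever reaches it.
    default List<User> findAllSortedSafely(String requestedColumn) {
        if (!SORTABLE.contains(requestedColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + requestedColumn);
        }
        return findAllOrderedBy(requestedColumn);
    }
}
```

Application code should call findAllSortedSafely rather than findAllOrderedBy, so that user-controlled input never reaches the ${} placeholder unchecked.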

Origin blog.csdn.net/liutaiyi8/article/details/104781246