# and $ in MyBatis
1. # treats the incoming value as a bound parameter: MyBatis replaces it with a ? placeholder in a PreparedStatement and binds the value, so a string is passed as a quoted string literal, never as SQL text. For example, order by #{user_id} (written #user_id# in the older iBATIS notation): if the input value is 111, the SQL effectively executed is order by '111'; if the input value is id, it is order by 'id', that is, a constant string rather than the column id, so the rows are not sorted by that column.
2. $ splices the incoming value directly into the SQL text. For example, order by ${user_id}: if the input value is 111, the SQL generated is order by 111; if the input value is id, the SQL generated is order by id.
3. # prevents SQL injection to a great extent, because the bound value is never parsed as part of the statement.
4. $ cannot prevent SQL injection: whatever is passed in becomes part of the statement.
5. $ is generally used for database object names that cannot be bound as parameters, such as a table name or a column name.
6. Use # wherever possible and fall back to $ only where a bound parameter cannot do the job.
Note the dynamic parameter in an ORDER BY clause in MyBatis sorting: use $ instead of #, since a bound parameter sorts by a constant and has no effect, and validate the column name against an allowlist of real column names before it reaches the statement.
String replacement
By default, the #{} syntax causes MyBatis to generate PreparedStatement properties and set the values safely against the PreparedStatement parameters (the ? placeholders). This is safer, faster and almost always the preferred practice. Sometimes, however, you just want to insert an unmodified string directly into the SQL statement. For example, for ORDER BY you might use:
ORDER BY ${columnName}
Here MyBatis does not modify or escape the string.
Important: it is not safe to accept input from a user and supply it to the statement unmodified in this way. This leads to potential SQL injection attacks. Therefore you should either disallow user input in these fields, or always perform your own escaping and checks, for example by comparing the value against a fixed list of column names.
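The difference between the two substitutions, and the allowlist check recommended above, as an added example that is not part of the original page or of MyBatis itself. It uses Python's sqlite3 module as a stand-in for the JDBC PreparedStatement that MyBatis builds: render_hash emulates #{} (a ? placeholder plus a bound value), render_dollar emulates ${} (raw splicing), and the users table, its three rows and the ORDERABLE allowlist are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the page). Insertion order, id order and
# name order are all different, so the result reveals which one was used.
ROWS = [(3, "alice"), (1, "carol"), (2, "bob")]

# Allowlist of real column names that a caller may sort by.
ORDERABLE = {"user_id", "name"}


def render_hash(sql, params):
    """Emulate #{}: each #{name} becomes a '?' placeholder and its value is
    collected for binding, the way MyBatis builds a PreparedStatement."""
    bound = []

    def repl(match):
        bound.append(params[match.group(1)])
        return "?"

    return re.sub(r"#\{(\w+)\}", repl, sql), bound


def render_dollar(sql, params):
    """Emulate ${}: the raw value is spliced into the SQL text, unescaped."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), sql)


def run(sql, bound=()):
    """Execute one statement against a fresh in-memory table and return rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    rows = conn.execute(sql, bound).fetchall()
    conn.close()
    return rows


def order_by_hash(column):
    """ORDER BY #{col}: the column name is bound as a string constant, so the
    database sorts by that constant and the row order is left unchanged."""
    sql, bound = render_hash(
        "SELECT user_id, name FROM users ORDER BY #{col}", {"col": column})
    return run(sql, bound)


def order_by_dollar(column):
    """ORDER BY ${col}: the value is part of the statement, so a real column
    name sorts correctly, and any other SQL expression is executed as well."""
    sql = render_dollar(
        "SELECT user_id, name FROM users ORDER BY ${col}", {"col": column})
    return run(sql)


def order_by_checked(column):
    """The safe pattern: ${} for the column name, but only after the value has
    been matched against the allowlist of known column names."""
    if column not in ORDERABLE:
        raise ValueError(f"unexpected sort column: {column!r}")
    return order_by_dollar(column)


if __name__ == "__main__":
    print("#{} :", order_by_hash("user_id"))       # insertion order, unsorted
    print("${} :", order_by_dollar("user_id"))     # sorted by user_id
    # An injected expression: the sort order now leaks whether the subquery
    # is true (sorted by user_id) or false (sorted by name).
    probe = "CASE WHEN (SELECT count(*) FROM users) = 3 THEN user_id ELSE name END"
    print("${} probe:", order_by_dollar(probe))
    try:
        order_by_checked(probe)
    except ValueError as err:
        print("allowlist:", err)
```

The probe value is a boolean-based inference payload: with ${} the database evaluates the subquery and the attacker reads the answer from the order of the rows, which is exactly what the allowlist in order_by_checked rules out while still letting the legitimate column names through.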