[DB] [MyBatis] MyBatis Mapper File reference variable #{} vs. ${} difference

MyBatis Mapper File reference variable #{} vs. ${} difference

By default, using the #{} syntax, MyBatis is generated in PreparedStatement. And the security of the set PreparedStatement parameters, the process of MyBatis will carry out the necessary security checks and escapes.

Demo Sample 1:
Run Sql:select * from emp WHERE name = #{employeename}
Number of references: Employeename=>smith
Parsed after running Sql:select * from emp where name =?
Run Sql:select * from emp WHERE name = ${employeename}
Number of references: EmployeeName the incoming value is: Smith
Sql:select after parsing * from EMP where name =smith

In summary, the ${} approach raises the issue of SQL injection and also affects the precompilation of SQL statements at the same time. So from a security and performance point of view. Do not use ${} if you can use #{}

But ${} under what circumstances to use it?

There may be times when you need to insert a string into an SQL statement that does not make any changes. The ${} syntax should be used at this time.

For example, a field name in dynamic SQL, such as: ORDER by ${columnname}

Note: When using ${} as the field name or table name, specify statementtype as "STATEMENT", such as:

Copyright notice: This article blog original articles, blogs, without consent, may not be reproduced.

[DB] [MyBatis] MyBatis Mapper File reference variable #{} vs. ${} difference