MyBatis Mapper File: the difference between the #{} and ${} variable references
By default, with the #{} syntax MyBatis generates a PreparedStatement and sets the value as a PreparedStatement parameter; while setting those parameters MyBatis performs the necessary security checks and escaping.
Demo Sample 1:
SQL to run: select * from emp WHERE name = #{employeename}
Parameter passed in: employeename => smith
SQL after parsing: select * from emp where name = ?

SQL to run: select * from emp WHERE name = ${employeename}
Parameter passed in: employeename => smith
SQL after parsing: select * from emp where name = smith
In summary, the ${} approach opens the door to SQL injection and also defeats precompilation of the SQL statement. So, from both a security and a performance point of view, use #{} wherever you can and avoid ${}.
So under what circumstances should ${} be used?
Sometimes you need to insert a string into the SQL statement exactly as it is, without any changes. That is when the ${} syntax should be used.
For example, a column name in dynamic SQL, such as: ORDER BY ${columnname}
Note: when using ${} for a column name or table name, set statementType to "STATEMENT", such as:
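As an added example (not code from the original post), the same two references written in a MyBatis annotation mapper, with an application-side allow-list guarding the ${} column name; the emp table, the Emp result class and the set of sortable column names are assumptions:

```java
import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Options;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.mapping.StatementType;

// Mapper interface (annotation form of a mapper XML file).
public interface EmpMapper {

    // #{}: MyBatis renders "where name = ?" and binds the value as a
    // PreparedStatement parameter, so the input can never alter the SQL text.
    @Select("select * from emp where name = #{employeeName}")
    List<Emp> findByName(@Param("employeeName") String employeeName);

    // ${}: the value is spliced into the SQL text before it reaches the driver.
    // A column name cannot be a bound parameter, so ${} is the only option here;
    // statementType STATEMENT follows the note above for identifiers.
    @Options(statementType = StatementType.STATEMENT)
    @Select("select * from emp order by ${columnName}")
    List<Emp> findAllOrderedBy(@Param("columnName") String columnName);
}

// Result type assumed for this example; the real emp table may differ.
class Emp {
    public String name;
    public Integer salary;
}

// Service layer: because ${} performs no escaping, the only safe source for
// columnName is an allow-list owned by the application, never the raw request.
class EmpService {
    private static final Set<String> SORTABLE_COLUMNS = Set.of("name", "salary", "hire_date");
    private final EmpMapper mapper;

    EmpService(EmpMapper mapper) {
        this.mapper = mapper;
    }

    List<Emp> listSortedBy(String requestedColumn) {
        if (!SORTABLE_COLUMNS.contains(requestedColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + requestedColumn);
        }
        return mapper.findAllOrderedBy(requestedColumn); // now a known-good identifier
    }
}
```

Anything that ends up inside ${} should be chosen by the application from a fixed set like SORTABLE_COLUMNS; user-supplied values belong in #{} only.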
Copyright notice: this article is an original blog post and may not be reproduced without permission.