MyBatis variable references in mapper files: #{} vs. ${}
By default, with the #{} syntax, MyBatis generates a PreparedStatement and binds the value as a PreparedStatement parameter, so the driver performs the necessary escaping and the value can never change the structure of the statement.
Example 1:
Executed SQL: Select * from emp WHERE name = #{employeename}
Parameter: employeename => Smith
SQL after parsing: Select * from emp where name = ?

Example 2:
Executed SQL: select * from emp WHERE name = ${EmployeeName}
Parameter: EmployeeName, incoming value: Smith
SQL after parsing: select * from emp where name = Smith
In summary, the ${} approach opens the door to SQL injection, and because the text is spliced in before the statement is prepared it also defeats precompilation of the SQL, so from both a security and a performance standpoint do not use ${} where #{} will do.
But under what circumstances should ${} be used?
Sometimes you need to insert a string into the SQL statement verbatim, without any modification; the ${} syntax is required in that case.
A typical example is an identifier in dynamic SQL, such as a column name: ORDER BY ${columnname}
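The two forms side by side, as an added example that is not from the original page: a hypothetical annotation-based mapper (the emp table and its columns are assumed) in which #{} binds the employee name as a parameter, while the ORDER BY column, which has to go through ${}, is checked against an allow-list before it can reach the mapper.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Hypothetical mapper interface; table "emp" and its columns are assumed.
public interface EmpMapper {

    // #{}: MyBatis emits "WHERE name = ?" and binds the value as a
    // PreparedStatement parameter, so the input cannot alter the SQL.
    @Select("SELECT * FROM emp WHERE name = #{employeeName}")
    List<Map<String, Object>> findByName(@Param("employeeName") String employeeName);

    // ${}: the text is spliced into the statement verbatim before it is
    // prepared. A column name cannot be bound as a parameter, so ${} is the
    // only option here; the caller must restrict what can reach this method.
    @Select("SELECT * FROM emp ORDER BY ${column}")
    List<Map<String, Object>> findAllOrderedBy(@Param("column") String column);
}

// Service-side guard for the ${} case (hypothetical helper, not a MyBatis API).
final class EmpQueries {
    // Allow-list of sortable columns; any other value is rejected before it
    // could be interpolated into the statement.
    private static final Set<String> SORTABLE = Set.of("name", "hire_date", "salary");

    private final EmpMapper mapper;

    EmpQueries(EmpMapper mapper) {
        this.mapper = mapper;
    }

    List<Map<String, Object>> listSortedBy(String column) {
        if (!SORTABLE.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column: " + column);
        }
        // Only a known column name ever reaches ${column}.
        return mapper.findAllOrderedBy(column);
    }

    List<Map<String, Object>> findByName(String name) {
        // No validation needed for the value itself: #{} binds it as a parameter.
        return mapper.findByName(name);
    }
}
```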