Differences between the variable reference methods #{} and ${} in MyBatis mapper files
By default, MyBatis uses the #{} syntax to generate a PreparedStatement and set its parameters safely. In this process, MyBatis performs the necessary security checks and escaping.
Example 1 (#{}):
Executed SQL: Select * from emp where name = #{employeeName}
Parameter: employeeName => Smith
SQL statement executed after parsing: Select * from emp where name = ?

Example 2 (${}):
Executed SQL: Select * from emp where name = ${employeeName}
Parameter: the input value of employeeName is Smith.
SQL statement executed after parsing: Select * from emp where name = Smith
In summary, the ${} method splices the raw value into the SQL text, so it opens the door to SQL injection and also defeats statement pre-compilation. Therefore, from the perspective of both security and performance, avoid ${} wherever possible.
But under what circumstances is ${} needed?
Sometimes you need to insert a string into the SQL statement without any modification. In this case, the ${} syntax must be used.
For example, field names in dynamic SQL, such as ORDER BY ${columnName}
Note: When the ${} parameter is used as a field name or table name, you must specify statementType as "STATEMENT", for example:
<select id="queryMetaList" resultType="Map" statementType="STATEMENT">
    Select * from emp where name = ${employeeName} order by ${columnName}
</select>
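The two behaviours described above, parameter binding (#{}) versus text substitution (${}), can be shown outside MyBatis with a plain database driver, because the distinction lives in the SQL engine, not in MyBatis itself. The following is an added example written for this page in Python against an in-memory SQLite database; it is not MyBatis code, and the emp table contents, the function names and the allowlist of sortable columns are all constructed here. It also shows the check a practitioner wants around the ORDER BY ${columnName} case: since a column name cannot be a bound parameter, the only defence is to accept it from a fixed allowlist before it is spliced in.

```python
import sqlite3

# Constructed sample rows for the emp table used in the article (not real data).
EMPLOYEES = [("Smith", "Sales"), ("Jones", "Finance"), ("Brown", "IT")]

# Hypothetical allowlist: the only column names ${columnName} may resolve to.
ALLOWED_ORDER_COLUMNS = frozenset({"name", "dept"})


def make_db():
    """Create an in-memory emp table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (name TEXT NOT NULL, dept TEXT NOT NULL)")
    conn.executemany("INSERT INTO emp (name, dept) VALUES (?, ?)", EMPLOYEES)
    return conn


def find_by_name_prepared(conn, employee_name):
    """The #{} behaviour: the SQL text is fixed ('name = ?') and the value is
    bound separately, so whatever the caller passes is compared as data."""
    sql = "SELECT name FROM emp WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (employee_name,))]


def find_by_name_substituted(conn, employee_name):
    """The ${} behaviour: the value is spliced into the SQL before parsing.
    Kept here only to show the failure mode; do not use for user input."""
    sql = f"SELECT name FROM emp WHERE name = '{employee_name}'"
    return [row[0] for row in conn.execute(sql)]


def is_safe_order_column(column_name):
    """True only if the identifier is one of the known sortable columns."""
    return column_name in ALLOWED_ORDER_COLUMNS


def list_ordered(conn, column_name):
    """ORDER BY needs an identifier, which cannot be a bound parameter, so the
    only safe way to splice it in is to validate it against an allowlist first."""
    if not is_safe_order_column(column_name):
        raise ValueError(f"column not allowed in ORDER BY: {column_name!r}")
    sql = f"SELECT name FROM emp ORDER BY {column_name}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that is data to #{} but SQL to ${}
    print("prepared:   ", find_by_name_prepared(db, probe))    # []
    print("substituted:", find_by_name_substituted(db, probe)) # every row
    print("ordered:    ", list_ordered(db, "dept"))
```

Running the module prints an empty result for the bound query and all three rows for the substituted one, which is exactly the difference between the two parsed statements shown in Examples 1 and 2: the bound version compares against a string, the substituted version has had its WHERE clause rewritten.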