I have recently been working with MyBatis. I used iBatis before, and the two are broadly similar, but I still ran into quite a few problems, so I am writing them down again here.
First, an introduction to the difference between MyBatis `#{}` and `${}`, described in detail as follows:
1. `#` treats every incoming value as data: it is bound as a parameter, which in effect wraps the value in quotes. For example, with `ORDER BY #user_id#`, if the value passed in is 111, the SQL is parsed as `ORDER BY "111"`; if the value passed in is `id`, the SQL is parsed as `ORDER BY "id"`. Either way the database sorts by a constant, not by a column.
2. `$` pastes the incoming value directly into the SQL text. For example, with `ORDER BY $user_id$`, if the value passed in is 111, the SQL is parsed as `ORDER BY 111`; if the value passed in is `id`, the SQL is parsed as `ORDER BY id`.
3. The `#` style prevents SQL injection to a large extent, because the value is bound as a parameter and can never become part of the statement.
4. The `$` style does not prevent SQL injection.
5. The `$` style is normally used only to pass in database object names, such as a table name or a column name, which cannot be bound as parameters.
6. In general, use `#` wherever you can and avoid `$`.
When MyBatis has to sort by a dynamically chosen column, the column name in `ORDER BY` must therefore be passed with `$` rather than `#`, and the value must be validated against a fixed list of column names before it is used.
String substitution
By default, the `#{}` syntax causes MyBatis to generate PreparedStatement parameters and set the values safely against the PreparedStatement placeholders (for example, `?`). This is safe, fast and almost always the preferred approach, but sometimes you just want to insert an unmodified string directly into the SQL statement. For example, for ORDER BY you can use this:
ORDER BY ${columnName}
Here MyBatis does not modify or escape the string.
Important: accepting user-supplied content and placing it unmodified into the statement in this way is not safe. It opens the door to SQL injection, so either do not allow users to supply these fields, or escape and validate the values yourself.
The description from the MyBatis documentation itself:
String Substitution
By default, using the #{} syntax will cause MyBatis to generate PreparedStatement properties and set the values safely against the PreparedStatement parameters (e.g. ?). While this is safer, faster and almost always preferred, sometimes you just want to directly inject a string unmodified into the SQL Statement. For example, for ORDER BY, you might use something like this:
ORDER BY ${columnName}
Here MyBatis won't modify or escape the string.
As you can see from the above:
1. With the `#{}` syntax, MyBatis sets values safely through a PreparedStatement; the executed SQL is comparable to the following JDBC call, where the statement text contains `?` placeholders and the values are bound separately:
PreparedStatement ps = conn.prepareStatement(sql); // sql holds only ? placeholders; user values are bound afterwards with ps.setXxx()
The advantage of this is that it is safer and faster, and it is normally the preferred approach.
2. But sometimes you just want to insert an unmodified string directly into the SQL statement, for example the sort column in `ORDER BY ${columnName}`.
MyBatis does not modify or escape the string in this case.
This approach is comparable to building the SQL text yourself and running it as a plain Statement:
Statement st = conn.createStatement(); // the SQL text, including the substituted string, is executed exactly as assembled
The disadvantage of this approach is:
Accepting user-supplied content this way and pasting it unmodified into the statement is unsafe and can lead to SQL injection. So either users must not be allowed to supply these fields at all, or you must escape and validate the values yourself before they reach the statement, for example by accepting only column names from a fixed list.
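The following is an added example, not code from the original post or from MyBatis, showing the three behaviours discussed above on a real database: a bound parameter in ORDER BY (the `#{}` case) sorts by a constant and cannot be abused, unmodified substitution (the `${}` case) lets an attacker sort by an expression of their choosing and read data through the row order, and the recommended fix validates the column name against a fixed list before substituting it. Python's built-in sqlite3 module stands in for the JDBC PreparedStatement/Statement pair, the `users` table and its three rows are constructed sample data, and the function names are mine.

```python
import sqlite3

# Constructed sample data (not from the original post). Insertion order is
# deliberately different from both name order and id order so that the
# three behaviours below can be told apart from the returned rows.
ROWS = [(2, "carol", "admin"), (3, "alice", "user"), (1, "bob", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    # id is a plain column, not the rowid, so a full table scan returns
    # the rows in insertion order.
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def order_by_bound(conn, sort_col):
    """The #{} case: the sort column arrives as a bound parameter.

    The driver sends it as data, so the database sorts by a constant and the
    caller's value can never change the statement. Safe, but it cannot select
    a column, which is why ORDER BY needs substitution in the first place."""
    cur = conn.execute("SELECT name FROM users ORDER BY ?", (sort_col,))
    return [row[0] for row in cur]


def order_by_substituted(conn, sort_col):
    """The ${} case: the value is pasted into the SQL text unmodified.

    Works for 'name' or 'id', and equally well for anything else the caller
    sends, which is the SQL injection the post warns about."""
    cur = conn.execute(f"SELECT name FROM users ORDER BY {sort_col}")
    return [row[0] for row in cur]


# Fixed set of sort columns the application actually supports.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def order_by_whitelisted(conn, sort_col):
    """Hardened ${}: an identifier still has to be substituted, so the value
    is checked against a fixed list of column names before it is used."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    return order_by_substituted(conn, sort_col)


def role_oracle(conn, user, guess):
    """Blind ORDER BY injection against the ${} version.

    The attacker never sees the role column, but learns whether `user` has
    role `guess` from which column the rows come back sorted by: name order
    means the condition was true, id order means it was false."""
    payload = (
        f"(CASE WHEN (SELECT role FROM users WHERE name='{user}')='{guess}' "
        f"THEN name ELSE id END)"
    )
    return order_by_substituted(conn, payload)


if __name__ == "__main__":
    conn = make_db()
    print("bound      :", order_by_bound(conn, "name"))        # constant sort, row order unchanged
    print("substituted:", order_by_substituted(conn, "name"))  # alice, bob, carol
    print("oracle     :", role_oracle(conn, "carol", "admin"))  # name order: guess was right
    print("oracle     :", role_oracle(conn, "carol", "user"))   # id order: guess was wrong
    try:
        order_by_whitelisted(conn, "name; --")
    except ValueError as err:
        print("rejected   :", err)
```

The whitelist check is the practical answer to the post's closing advice: the `${}` substitution stays, but the only strings that can reach it are the column names the application already knows about, so the attacker's CASE expression is rejected before any SQL is built.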