MyBatis variable references in mapper files: #{} vs. ${}
By default, with the #{} syntax, MyBatis generates a PreparedStatement and binds the value as a PreparedStatement parameter, so the necessary security checks and escaping are performed and the value is treated as data rather than as part of the SQL.
Example 1:
Executed SQL: select * from emp WHERE name = #{employeename}
Parameter: employeename => smith
SQL after parsing and execution: select * from emp where name = ?
Example 2:
Executed SQL: select * from emp WHERE name = ${employeename}
Parameter: employeename => smith
SQL after parsing and execution: select * from emp where name = smith
In summary, the ${} approach opens the door to SQL injection and also defeats precompilation of the SQL statement, so from both a security and a performance standpoint do not use ${} where #{} will do.
So under what circumstances should ${} be used?
Sometimes you need to insert a string directly into the SQL statement without any modification. That is when the ${} syntax is required.
For example, a column name in dynamic SQL, such as: ORDER BY ${columnname}
Note: when a ${} parameter is used as a column name or table name, specify StatementType as "STATEMENT".
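As an added illustration that is not part of the original post, the following Python sketch emulates what MyBatis does with the two placeholder styles: #{x} becomes a ? with the value bound separately, while ${x} is pasted into the SQL text verbatim. Because a ${} value becomes SQL, the sketch only accepts it from a fixed allowlist of column names, which is the usual way to make ORDER BY ${columnname} safe. The emp table, its rows, the allowlist and the helper names are all constructed here for the example.

```python
import re
import sqlite3

# Matches #{name} and ${name} placeholders as written in a MyBatis mapper.
PLACEHOLDER = re.compile(r"([#$])\{(\w+)\}")

# Constructed allowlist: the only identifiers ${} is ever allowed to expand to.
ALLOWED_COLUMNS = {"name", "salary"}


def render(sql, params):
    """Emulate MyBatis placeholder handling.

    #{key}  -> '?' and the value is appended to the bound-parameter list
    ${key}  -> the value is substituted into the SQL text (allowlisted only)
    Returns (sql_text, bound_values).
    """
    bound = []

    def substitute(match):
        kind, key = match.group(1), match.group(2)
        value = params[key]
        if kind == "#":
            bound.append(value)  # travels to the driver separately from the SQL
            return "?"
        # ${}: text goes straight into the statement, so refuse unknown identifiers
        if value not in ALLOWED_COLUMNS:
            raise ValueError(f"refusing to interpolate {value!r} into SQL")
        return value

    return PLACEHOLDER.sub(substitute, sql), bound


def query(sql, params):
    """Run a rendered statement against a constructed in-memory emp table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE emp(name TEXT, salary INT);"
        "INSERT INTO emp VALUES ('smith', 800), ('o''brien', 1250),"
        " ('allen', 1600), ('jones', 2975);"
    )
    text, bound = render(sql, params)
    return conn.execute(text, bound).fetchall()
```

A bound #{} value such as o'brien reaches the database intact because the driver, not string concatenation, handles the quote; a ${} value that is not a known column is rejected before any SQL is built.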