1. #{} treats the incoming data as a string: MyBatis emits a JDBC placeholder and binds the value as a parameter, which in effect wraps it in quotes. For example, with ORDER BY #{user_id}, passing 111 yields ORDER BY "111", and passing id yields ORDER BY "id" (both are string constants, so neither sorts by a column).
2. ${} splices the incoming data into the SQL verbatim. For example, with ORDER BY ${user_id}, passing 111 yields ORDER BY 111, and passing id yields ORDER BY id.
3. #{} prevents SQL injection to a large extent, because the value is bound as a parameter rather than parsed as SQL.
4. ${} does not prevent SQL injection.
5. ${} is typically used to pass database objects, such as a table or column name, which cannot be bound as parameters.
6. Do not use ${} unless you have to.
When MyBatis sorts with a dynamic ORDER BY parameter, note that ${} must be used instead of #{}, i.e. plain string substitution:
order by ${COLUMNNAME}
Here MyBatis does not modify or escape the string at all.
Important: it is not safe to accept input from the user and substitute it unchanged into the statement. This opens the door to SQL injection, so either do not let users supply these fields at all, or validate them yourself, for example against an allow-list of permitted column names.
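Worked example (added here; it is not code from the original post and not MyBatis's own code): a mapper that uses ${} for the ORDER BY column, shown next to the service-layer allow-list check the warning above asks for. The users table, the UserMapper and UserQueryService names and the set of sortable columns are assumptions made for the example.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Assumed table users(id, name, created_at); mapper and column names are hypothetical.
interface UserMapper {

    // UNSAFE: ${orderBy} is spliced into the statement verbatim, so whatever reaches
    // this method is SQL. "name; DROP TABLE users" or a subquery would run as written.
    @Select("SELECT id, name FROM users WHERE name = #{name} ORDER BY ${orderBy}")
    List<Map<String, Object>> findByNameUnsafe(@Param("name") String name,
                                               @Param("orderBy") String orderBy);

    // Same substitution; the difference is that callers go through UserQueryService,
    // which only ever passes an allow-listed identifier and a fixed ASC/DESC keyword.
    @Select("SELECT id, name FROM users WHERE name = #{name} ORDER BY ${orderBy} ${direction}")
    List<Map<String, Object>> findByNameSorted(@Param("name") String name,
                                               @Param("orderBy") String orderBy,
                                               @Param("direction") String direction);
}

public final class UserQueryService {

    // The only column names that may ever appear after ORDER BY (assumed for the example).
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "name", "created_at");

    private final UserMapper mapper;

    public UserQueryService(UserMapper mapper) {
        this.mapper = mapper;
    }

    /** Returns the requested column only if it is on the allow-list; rejects everything else. */
    static String sortColumn(String requested) {
        if (requested == null || !SORTABLE_COLUMNS.contains(requested)) {
            throw new IllegalArgumentException("unsupported sort column: " + requested);
        }
        // At this point requested equals one of the known literals, so it is safe to splice.
        return requested;
    }

    /** Collapses any input to one of two keywords; the request text is never echoed. */
    static String sortDirection(String requested) {
        return "desc".equalsIgnoreCase(requested) ? "DESC" : "ASC";
    }

    /** Entry point for request handlers: untrusted sort parameters are normalised here. */
    public List<Map<String, Object>> search(String name, String sort, String direction) {
        // name goes through #{} and is bound as a parameter; sort and direction are
        // reduced to allow-listed literals before they reach ${}.
        return mapper.findByNameSorted(name, sortColumn(sort), sortDirection(direction));
    }

    // Exercises only the validators, so it runs without a database or SqlSession.
    public static void main(String[] args) {
        System.out.println(sortColumn("name") + " " + sortDirection("DESC"));
        try {
            sortColumn("name; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

findByNameUnsafe is kept only to show what the spliced statement looks like; in real code it should not exist. Note that the hardened path still uses ${} in the mapper, because an ORDER BY column cannot be a bound parameter; what makes it safe is that the only values that ever reach ${} are literals chosen from SORTABLE_COLUMNS and the two fixed keywords, while the name filter stays on #{} and is bound as a parameter.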
The difference between $ and # in MyBatis