The difference between #{} and ${} in MyBatis, and the difference between # and $

Source: Internet
Author: User
Tags: sql injection

I have recently been using MyBatis. I used iBatis before, and the two are broadly similar, but I still ran into a number of problems, which I am recording again here.

For example, the difference between passing parameters with #{} and with ${}.

When a parameter is passed with #, the SQL parser wraps it in quotes. For example, with SELECT * FROM table where name = #{name}, if the name passed in is Xiao Li, the statement finally printed is

SELECT * FROM table where name = 'Xiao Li', that is, the value is parsed as a string. So the benefit of #{} is quite obvious: #{} can prevent SQL injection. If the parameter passed in contains a single quote ', then using ${} will produce an error.

Another case is dynamic sorting, such as order by column. Here you must use ${}, because if you use #{} the printed statement is

SELECT * FROM table order BY 'name', which is useless.

In general, use # wherever you can and avoid $.

The difference between # and $ in MyBatis

1. # treats all incoming data as a string and automatically adds double quotation marks around it. For example, with ORDER by #user_id#, if the value passed in is 111, the value parsed into the SQL is "111", and if the value passed in is id, the parsed SQL is order by "id".

2. $ places the incoming data directly in the SQL. For example, with order by $user_id$, if the value passed in is 111, the parsed SQL is order by 111, and if the value passed in is id, the parsed SQL is order by id.

3. # largely prevents SQL injection.

4. $ does not prevent SQL injection.

5. $ is typically used to pass in database objects, such as table names.

6. In general, use # where possible rather than $.

When MyBatis sorts by a dynamic parameter, the sort must use $ instead of #.

String substitution

By default, the #{} syntax causes MyBatis to create a PreparedStatement parameter and set a safe value for it (a ? placeholder). This is safe, fast and the preferred approach. Sometimes, however, you just want to insert an unchanged string directly into the SQL statement, for example in an ORDER BY clause. For that you can write:

ORDER BY ${columnname}

Here MyBatis does not modify or escape the string.

Important: It is not safe to accept input from the user and place it unchanged in the statement. This opens the door to SQL injection, so you should either not allow users to supply these fields, or escape and check the values yourself.

A simple summary of the difference between $ and # in MyBatis

Not long ago, someone came to our company for an interview, and our manager asked this question. I was also a little unsure, so I searched Baidu.

In fact, the difference is very simple, and an example will make it clear. Take an SQL statement such as: SELECT * from user_role where user_code = "100";

In the mapper, this is written as select * from ${tablename} where user_code = #{usercode}

So $ is spliced directly into the SQL as-is, while # is spliced into the SQL as a string.
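To make the two mechanisms from the string-substitution section and this summary concrete, here is an added example (not from the page or the MyBatis project) that models them with Python's sqlite3 module: a bound ? placeholder stands in for #{}, and text substitution guarded by an allow-list stands in for ${}. The user_role table, its rows and the allow-list are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows (not from the page): user_code is stored as text.
ROWS = [("b-user", "100"), ("a-user", "200"), ("c-user", "300")]

# Allow-list of columns a caller may sort by. This check is what makes
# text substitution (the ${} case) acceptable for an identifier.
SORTABLE_COLUMNS = frozenset({"user_name", "user_code"})


def open_db():
    """Create an in-memory user_role table filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_role (user_name TEXT, user_code TEXT)")
    conn.executemany("INSERT INTO user_role VALUES (?, ?)", ROWS)
    return conn


def find_by_code(conn, user_code):
    """The #{usercode} case: the value is bound to a ? placeholder, so a
    quote in the input stays data instead of becoming SQL syntax."""
    sql = "SELECT user_name FROM user_role WHERE user_code = ?"
    return conn.execute(sql, (user_code,)).fetchall()


def order_with_placeholder(conn, column):
    """What ORDER BY #{column} does: the column name is bound as a string
    constant, so every row has the same sort key and nothing is sorted."""
    sql = "SELECT user_name FROM user_role ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (column,))]


def is_sortable(column):
    """True only for identifiers on the allow-list."""
    return column in SORTABLE_COLUMNS


def order_with_substitution(conn, column):
    """The ORDER BY ${column} case: the identifier is spliced into the SQL
    text, so it must be validated against the allow-list first."""
    if not is_sortable(column):
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"SELECT user_name FROM user_role ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]
```

Passing a value with a stray quote to find_by_code simply finds no row, and order_with_placeholder returns the rows without sorting them, which is the "useless" ORDER BY 'name' statement described above.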
