Coding With Fun

The difference between #{} and ${} in MyBatis

May 16, 2021 MyBatis

#{} is precompiled (prepared-statement) processing. MyBatis replaces #{} with a ? placeholder and hands the value to the JDBC driver as a bound parameter, so the incoming data is treated as a single value: a string is sent as a string (as if it had been quoted automatically) and is never parsed as part of the SQL text.

${} is plain string replacement: the value is pasted directly into the SQL text in place of the placeholder. The $ form is typically used for database objects that cannot be bound as parameters, such as table names.

Using ${} opens the door to SQL injection. What is SQL injection? Take, for example:

select * from user where id = ${value}

value is supposed to be a single id. But if the caller passes 001 and name = 'tom', the statement becomes select * from user where id = 001 and name = 'tom': an extra condition has been written straight into the SQL. And what if the input is an attack payload? Passing 001; drop table user deletes the table outright, provided the database connection allows more than one statement per query.

So to prevent SQL injection, use #{} wherever the incoming data is a value.

If you do have to use ${} (for a table name, say), take care to prevent SQL injection yourself: check the incoming variable before it reaches the SQL and filter it, ideally against a fixed allow-list of permitted values, rejecting anything else. A length check catches the crude cases, since an injection payload generally turns a short parameter into a very long SQL statement, but it should not be the only defence.
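The following is an added example, not code from the original article or from MyBatis itself. It re-implements the two placeholder behaviours described above in a few lines of Python (string substitution for ${}, a ? placeholder plus a bound parameter for #{}) and runs both against an in-memory SQLite table, so the injection from the example and the #{} fix can be seen side by side. It also shows the allow-list check recommended above for a table name that has to go through ${}. The schema, rows, the render/query_ids/checked_table helpers and the ALLOWED_TABLES set are all constructed for this demo.

```python
import re
import sqlite3

# Constructed sample schema and rows for the demo (not from any real system).
SCHEMA = """
CREATE TABLE user (id INTEGER, name TEXT);
INSERT INTO user VALUES (1, 'tom');
INSERT INTO user VALUES (2, 'jerry');
"""

# Matches MyBatis-style placeholders: ${name} or #{name}.
PLACEHOLDER = re.compile(r"([#$])\{(\w+)\}")

# Hypothetical allow-list of table names permitted to pass through ${}.
ALLOWED_TABLES = {"user"}


def render(template, params):
    """Emulate how MyBatis treats the two placeholders (an illustrative
    re-implementation, not MyBatis code):
      ${name} -> str(value) is pasted into the SQL text (string substitution)
      #{name} -> replaced by '?' and the value is appended to the bound list
    Returns (sql_text, bound_values)."""
    bound = []

    def substitute(match):
        kind, name = match.groups()
        value = params[name]
        if kind == "$":
            return str(value)
        bound.append(value)
        return "?"

    return PLACEHOLDER.sub(substitute, template), bound


def query_ids(template, params):
    """Render the template, run it on a fresh in-memory SQLite database and
    return the matched ids. Note: sqlite3's execute() refuses stacked
    statements, so a payload like "1; DROP TABLE user" is rejected here;
    the condition-injection payload below shows the same text splicing that
    lets stacked payloads run on connections that allow multiple statements."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql, bound = render(template, params)
    rows = conn.execute(sql, bound).fetchall()
    conn.close()
    return [row[0] for row in rows]


def checked_table(name):
    """Validate a table name before it reaches ${}. Identifiers cannot be
    bound with #{} (drivers do not accept ? in that position), so the only
    defence is to accept nothing outside a fixed allow-list."""
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {name!r}")
    return name


if __name__ == "__main__":
    payload = "1 OR 1=1"  # same trick as the article's "001 and name = tom"
    # ${}: the payload becomes SQL, so the WHERE clause is rewritten and
    # every row comes back.
    print(query_ids("SELECT id FROM user WHERE id = ${id}", {"id": payload}))
    # #{}: the payload is a bound value compared against id, so nothing matches.
    print(query_ids("SELECT id FROM user WHERE id = #{id}", {"id": payload}))
    # ${} used for a table name, gated by the allow-list; the id is still bound.
    print(query_ids("SELECT id FROM ${t} WHERE id = #{id}",
                    {"t": checked_table("user"), "id": 1}))
```

Running the script prints [1, 2] for the ${} query, [] for the #{} query and [1] for the allow-listed table query; passing a name such as "user; DROP TABLE user" to checked_table raises ValueError before any SQL is built.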