
The difference between #{} and ${} in MyBatis


May 16, 2021 MyBatis



#{} is precompiled processing: the value passed in is bound as a statement parameter, so it is treated as a string and MyBatis automatically wraps it in double quotes for you.


${} is string replacement: the placeholder is replaced directly with the text of the value. ${} is typically used for passing database object names, such as a table name.

Using ${} can result in SQL injection. What is SQL injection? Take, for example, select * from user where id = ${value}


value should be a single value. But if the other side passes in 001 and name = tom, doesn't that add an extra condition? The text is written straight into the SQL statement. And what if it is an offensive statement? 001; drop table user would delete the table outright.


So to prevent SQL injection, use #{}.


If you do have to use ${}, take care to prevent SQL injection: check the incoming variable manually and filter it. In general, an SQL injection payload will be a very long SQL statement.
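The two rules above (#{} for values, ${} only for identifiers that have been checked first) in one MyBatis mapper, as an added example that is not part of the original article. The `UserMapper` interface, the `User` record, the `SafeQueries` wrapper and the table names `user` and `user_archive` are all assumptions made for the example; the annotations are the standard `org.apache.ibatis.annotations` ones.

```java
// Added example, not from the original article: a MyBatis mapper that uses
// #{} for values and ${} only for a table name that has already been checked
// against a fixed whitelist. All names below are assumptions for illustration.
package example;

import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

public interface UserMapper {

    // #{} becomes a JDBC "?" placeholder and the value is bound as a
    // parameter. Input such as "001; drop table user" is just a string that
    // matches no id; the SQL text itself never changes.
    @Select("SELECT id, name FROM user WHERE id = #{id}")
    User selectById(@Param("id") String id);

    // ${} is plain text substitution into the statement before it is sent.
    // That is the only way to make a table name variable, but it must never
    // receive raw user input, so callers go through SafeQueries instead.
    @Select("SELECT id, name FROM ${table} WHERE name = #{name}")
    List<User> selectByNameFromTable(@Param("table") String table,
                                     @Param("name") String name);

    // Wrapper that does the "check and filter the incoming variable" step
    // the article asks for: the identifier is accepted only if it is one of
    // a fixed set of known table names, never pattern-matched or escaped.
    final class SafeQueries {
        private static final Set<String> ALLOWED_TABLES =
                Set.of("user", "user_archive");

        private final UserMapper mapper;

        public SafeQueries(UserMapper mapper) {
            this.mapper = mapper;
        }

        // Rejects anything that is not an exact whitelisted identifier
        // before it can ever reach the ${table} placeholder.
        public List<User> findByName(String table, String name) {
            if (!ALLOWED_TABLES.contains(table)) {
                throw new IllegalArgumentException("table not allowed: " + table);
            }
            // "name" goes through #{} and needs no manual filtering.
            return mapper.selectByNameFromTable(table, name);
        }
    }
}

// Minimal result type for the mapper above (assumed shape).
record User(String id, String name) {}
```

A whitelist of exact identifiers is the check to prefer for ${}: a length limit on its own is a weak filter, since the article's own `001; drop table user` is short, and escaping quotes does not help for an identifier position where no quotes are expected.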