May 16, 2021 MyBatis
#{} is precompiled processing: the incoming value is bound as a parameter of a prepared statement. An incoming value is treated as a string, and MyBatis automatically quotes it for you.
${} is plain string replacement: the placeholder is substituted directly with the text that was passed in. The ${} form is typically used for database objects supplied at runtime, such as table names.
Using ${} results in SQL injection. What is SQL injection? Take, for example, select * from user where id = ${value}.
value is supposed to be an id. But if the caller passes 001 and name = tom, doesn't that add an extra condition? The text is written straight into the SQL statement. And what if it is a destructive statement, such as 001; drop table user? Then the table is deleted outright.
So, to prevent SQL injection, use #{}.
If you cannot avoid using ${}, be careful to guard against SQL injection: validate the incoming variable manually and filter it. In general, an injected input will be a very long SQL statement.
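The contrast above, as an added example that is not part of the original post: a MyBatis mapper that binds the id with #{} and takes the table name through ${}, with the manual validation the last paragraph calls for done as an allowlist check before the ${} query can run. The table and column names, the allowlist values and the MyBatisParamExample class are assumptions for this example; a configured SqlSession is assumed to exist elsewhere.

```java
import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added example, not from the original post. Assumes an existing "user"
// table with columns id and name, and a MyBatis SqlSession configured elsewhere.
public class MyBatisParamExample {

    public static class User {
        public String id;
        public String name;
    }

    public interface UserMapper {
        // #{} becomes a PreparedStatement placeholder "?". The value is bound
        // as a parameter, so an input like "001; drop table user" is compared
        // as a literal id and never becomes part of the statement text.
        @Select("select * from user where id = #{id}")
        List<User> findById(@Param("id") String id);

        // ${} is plain text substitution. The table name is pasted into the
        // SQL exactly as written, so it must be validated before reaching here.
        @Select("select * from ${table} where id = #{id}")
        List<User> findByIdInTable(@Param("table") String table, @Param("id") String id);
    }

    // Allowlist of identifiers ${table} may take (values chosen for the example).
    private static final Set<String> ALLOWED_TABLES = Set.of("user", "user_archive");

    // True only when the table name is exactly one of the allowed identifiers;
    // anything with extra SQL appended fails the exact match.
    public static boolean isAllowedTable(String table) {
        return table != null && ALLOWED_TABLES.contains(table);
    }

    // The only path to the ${} query goes through the allowlist check.
    public static List<User> findInTable(UserMapper mapper, String table, String id) {
        if (!isAllowedTable(table)) {
            throw new IllegalArgumentException("table not permitted: " + table);
        }
        return mapper.findByIdInTable(table, id);
    }

    public static void main(String[] args) {
        // No database is needed to see the check accept a real name and reject injected text.
        System.out.println(isAllowedTable("user"));
        System.out.println(isAllowedTable("user where 1=1; drop table user"));
    }
}
```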