1. # treats the incoming data as a string and automatically wraps it in double quotes. For example: order by #user_id#; if the value passed in is 111, the parsed SQL is order by "111". If the value passed in is id, the parsed SQL is order by "id".
2. $ inserts the incoming data directly into the generated SQL. For example: order by $user_id$; if the value passed in is 111, the parsed SQL is order by 111. If the value passed in is id, the parsed SQL is order by id.
3. The # method prevents SQL injection to a great extent.
4. The $ method cannot prevent SQL injection.
5. The $ method is generally used to pass in database object names, such as table names.
6. If # can be used, do not use $.
MyBatis sorting: when ORDER BY takes a dynamic parameter, you must use $ instead of #. By default, the #{} syntax causes MyBatis to generate PreparedStatement properties and set the values safely against the placeholders (the ? markers). This is safe, fast and preferred, but sometimes you just want to insert an unmodified string directly into the SQL statement. For example, for ORDER BY you can write: ORDER BY ${columnName}
MyBatis will not modify or escape the string here.
Important: It is not safe to accept input from the user and supply it unmodified to the statement in this way. This leads to potential SQL injection attacks, so you should either not allow user input in these fields, or always escape and check the input yourself.
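The following is an added example, not code from the original article: a hypothetical MyBatis annotation mapper for an assumed users table (columns id, name, created_at, status) that binds the user-supplied value with #{} and passes the ORDER BY column through ${} only after checking it against an allow-list of column names.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.session.SqlSession;

public class UserOrderByExample {

    // Hypothetical mapper for an assumed "users" table (id, name, created_at, status).
    public interface UserMapper {
        // #{status}     -> becomes a "?" placeholder; the JDBC driver binds the value.
        // ${sortColumn} -> pasted into the SQL text unchanged, so it must never come
        //                  straight from the request; it is validated first (below).
        @Select("SELECT id, name, created_at FROM users "
              + "WHERE status = #{status} ORDER BY ${sortColumn}")
        List<Map<String, Object>> findByStatus(@Param("status") String status,
                                               @Param("sortColumn") String sortColumn);
    }

    // Allow-list of column names that may be interpolated with ${}.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "name", "created_at");

    // Returns the column name only if it is on the allow-list; anything else is
    // rejected before it can reach the ${} substitution.
    public static String checkedSortColumn(String requested) {
        if (requested == null || !SORTABLE_COLUMNS.contains(requested)) {
            throw new IllegalArgumentException("unsupported sort column: " + requested);
        }
        return requested;
    }

    // Service-layer call: the user-controlled value goes through #{}, the identifier
    // goes through the allow-list and only then into ${}.
    public static List<Map<String, Object>> listUsers(SqlSession session,
                                                     String status,
                                                     String requestedSort) {
        UserMapper mapper = session.getMapper(UserMapper.class);
        return mapper.findByStatus(status, checkedSortColumn(requestedSort));
    }

    public static void main(String[] args) {
        // Constructed inputs: "name" is an allowed column, "rating" is not.
        System.out.println(checkedSortColumn("name"));
        try {
            checkedSortColumn("rating");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```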