
The most direct way to state the difference between # and $ in MyBatis: # is equivalent to adding quotes around the data, and $ is equivalent to inserting the data into the statement as-is.
1. # treats the incoming parameter as a string; that is, the statement is precompiled and the value is bound to it afterwards.
select * from user where name = #{name}
For example, if I pass csdn, the statement that runs is equivalent to
select * from user where name = 'csdn'
2. $ does not precompile the incoming value; the value is substituted into the SQL text directly.
select * from user where name=${name}
For example, if I pass csdn, the resulting statement will be
select * from user where name=csdn
3. The advantage of # is that it prevents SQL injection to a great extent, whereas $ does not.
For example: a user performs a login, and the back-end SQL that verifies it looks like this:
select * from user where username=#{name} and password = #{pwd}
If the user name sent from the front end is "wang" and the password is "1 or 1=1", there will be no SQL injection when the # method is used. If you change to the $ method, the SQL statement becomes
select * from user where username=wang and password = 1 or 1=1
In this case, SQL injection occurs.
4. When sorting in MyBatis with a dynamic order by parameter, you need to use $ instead of #, because # would bind the column name as a quoted string rather than as a column.
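The behaviour described in points 1 to 4, as an added example that is not code from the original page and not MyBatis itself: a small Python emulation of the two placeholder styles run against an in-memory SQLite table. The render helper, the sample rows and the SORTABLE allowlist are assumptions made for this demonstration.

```python
import re
import sqlite3

TOKEN = re.compile(r"([#$])\{(\w+)\}")

def render(template, params):
    """Emulate the two styles: #{x} becomes a bound '?', ${x} becomes raw SQL text."""
    bound = []
    def repl(match):
        kind, name = match.groups()
        if kind == "#":
            bound.append(params[name])   # value travels separately from the SQL
            return "?"
        return str(params[name])         # value becomes part of the SQL itself
    return TOKEN.sub(repl, template), bound

def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (username text, password text)")
    db.executemany("insert into user values (?, ?)",
                   [("wang", "s3cret"), ("li", "hunter2")])
    return db

SAFE_LOGIN = "select * from user where username = #{name} and password = #{pwd}"
# name stays bound so the statement still parses; only pwd is substituted as text.
UNSAFE_LOGIN = "select * from user where username = #{name} and password = ${pwd}"

def login_rows(db, template, name, pwd):
    sql, bound = render(template, {"name": name, "pwd": pwd})
    return db.execute(sql, bound).fetchall()

SORTABLE = {"username", "password"}      # allowlist of column names (assumed schema)

def sorted_users(db, column):
    """ORDER BY needs ${}, so accept only known column names before substituting."""
    if column not in SORTABLE:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql, bound = render("select username from user order by ${col}", {"col": column})
    return [row[0] for row in db.execute(sql, bound)]

if __name__ == "__main__":
    db = make_db()
    print(login_rows(db, SAFE_LOGIN, "wang", "1 or 1=1"))
    print(login_rows(db, UNSAFE_LOGIN, "wang", "1 or 1=1"))
    print(sorted_users(db, "username"))
```

With the bound form the password "1 or 1=1" is compared as a literal string and matches no row; with the substituted form the same input changes the WHERE clause and every row comes back.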