Home  >  Article  >  What is the difference between # and $ in mybatis

What is the difference between # and $ in mybatis

青灯夜游
青灯夜游Original
2019-04-03 15:15:5954938browse

The main difference between # and $ in mybatis is: #The incoming parameters are displayed as strings in SQL, #This method can largely prevent sql injection; $The incoming parameters are directly displayed as incoming in SqL value, the $ method cannot prevent Sql injection.

What is the difference between # and $ in mybatis

MyBatis is an excellent persistence layer framework that supports customized SQL, stored procedures and advanced mapping. MyBatis avoids almost all JDBC code and manual setting of parameters and retrieval of result sets. MyBatis can use simple XML or annotations to configure and map native information, mapping interfaces and Java POJOs (Plain Ordinary Java Object, ordinary Java objects) into records in the database.

Dynamic sql is one of the main features of mybatis. After the parameters defined in the mapper are passed to xml, mybatis will dynamically parse them before querying. Mybatis provides us with two syntaxes that support dynamic sql: #{} and ${}; both dynamically pass the required parameters into the sql statement.

What is the difference between # and $ in mybatis

1. The parameters passed in are displayed differently in SQL

#The passed-in parameters are displayed as strings in SQL (as a string), and double quotes will be added to the automatically passed-in data.

Example: Use the following SQL

select id,name,age from student where id =#{id}

When the parameter id we pass is "1", the above sql is parsed as:

select id,name,age from student where id ="1"

$The incoming parameters are in SqL The passed-in value is directly displayed in

Example: Use the following SQL

select id,name,age from student where id =${id}

When the parameter id we pass is "1", the parsing of the above sql is:

select id,name,age from student where id =1

2, # can prevent the risk of SQL injection (statement splicing); but $ cannot prevent Sql injection.

3. The $ method is generally used to pass in database objects, such as table names.

4. In most cases, # is often used. Generally, if # can be used, don’t use $; but in some cases, $ must be used. For example: When using order by dynamic parameters when sorting MyBatis, you need to pay attention. $ instead of #.

The above is the entire content of this article, I hope it will be helpful to everyone's study. For more exciting content, you can pay attention to the relevant tutorial columns of the PHP Chinese website! ! !

The above is the detailed content of What is the difference between # and $ in mybatis. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:How to set up dns?Next article:How to set up dns?