1. # treats all incoming data as a string and automatically wraps the incoming value in double quotes. For example, with order by #user_id#: if the value passed in is 111, the SQL is parsed as order by "111"; if the value passed in is id, the SQL is parsed as order by "id".
2. $ inserts the passed data directly into the generated SQL. For example, with order by $user_id$: if the value passed in is 111, the SQL is parsed as order by 111; if the value passed in is id, the SQL is parsed as order by id.
3. The # method largely prevents SQL injection.
4. The $ method cannot prevent SQL injection.
5. The $ method is generally used to pass in database object names, such as table names.
6. In general, use # wherever you can and avoid $.
When sorting in MyBatis with a dynamic ORDER BY parameter, note that you must use $ rather than # (with # the column name would be bound as a quoted string value, not used as an identifier).
String replacement
By default, using the #{} syntax causes MyBatis to generate a PreparedStatement parameter placeholder (such as ?) and bind the value safely through it. This is safe and fast, but sometimes you simply want to insert an unmodified string directly into the SQL statement. For example, with ORDER BY you can write: ORDER BY ${columnName}
In this case MyBatis does not modify or escape the string.
Important: it is not safe to accept input from the user and pass it into the statement as an unmodified string. This can lead to SQL injection attacks, so either do not let users supply these fields, or escape and validate them yourself.
That concludes this brief discussion of the difference between # and $ in MyBatis. I hope everyone will keep supporting Wulin.com~
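The following is an added example, not code from the original article or from the MyBatis project, that puts the two rules above together: #{} for values that are bound as PreparedStatement parameters, ${} for the ORDER BY column that MyBatis splices in unmodified, and an allowlist check in front of the mapper so that only known column names and sort directions ever reach ${}. The table name "users", its columns, the User class and the UserMapper/UserQueryService names are all assumptions made for this example; the @Select and @Param annotations are real MyBatis 3 annotations.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Assumed row type for a hypothetical "users" table (id, user_name, created_at, status).
class User {
    public long id;
    public String userName;
    public String createdAt;
    public String status;
}

// Hypothetical mapper. Note the two placeholder styles in one statement:
//   #{status}                  -> becomes a "?" in the PreparedStatement; the value is
//                                 bound by the JDBC driver and never spliced into SQL text.
//   ${sortColumn} ${sortDir}   -> raw string substitution; MyBatis does not quote or
//                                 escape it, so these arguments must already be validated.
interface UserMapper {
    @Select("SELECT id, user_name, created_at, status FROM users "
          + "WHERE status = #{status} "
          + "ORDER BY ${sortColumn} ${sortDir}")
    List<User> findByStatus(@Param("status") String status,
                            @Param("sortColumn") String sortColumn,
                            @Param("sortDir") String sortDir);
}

// Service layer that owns the allowlist. Request parameters for the sort column and
// direction are checked against fixed sets before being handed to the ${} placeholders;
// passing the raw request value straight into ${sortColumn} would be exactly the
// unmodified-string case the MyBatis documentation warns about.
final class UserQueryService {
    // Only these identifiers may ever appear after ORDER BY.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "user_name", "created_at");
    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    private final UserMapper mapper;

    UserQueryService(UserMapper mapper) {
        this.mapper = mapper;
    }

    // Returns the canonical column name if it is on the allowlist, otherwise rejects it.
    static String checkSortColumn(String requested) {
        String column = requested == null ? "id" : requested.trim().toLowerCase(Locale.ROOT);
        if (!SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return column;
    }

    // Same idea for the direction keyword; anything but ASC/DESC is rejected.
    static String checkSortDirection(String requested) {
        String dir = requested == null ? "ASC" : requested.trim().toUpperCase(Locale.ROOT);
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return dir;
    }

    // The status value goes through #{} and needs no allowlist: it is a bound parameter.
    // The sort column and direction go through ${} and are validated first.
    List<User> listUsers(String status, String requestedColumn, String requestedDirection) {
        String column = checkSortColumn(requestedColumn);
        String direction = checkSortDirection(requestedDirection);
        return mapper.findByStatus(status, column, direction);
    }
}
```

The allowlist compares against a closed set and then passes the matched set member on, so the string that reaches ${sortColumn} is always one of the three literals in SORTABLE_COLUMNS; escaping is not attempted because identifiers cannot be parameterised and quoting rules differ between databases, which is why a fixed allowlist is the usual choice for ORDER BY.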