Talking about the difference between # and $ in MyBatis from the distribution of Indian forces


Brief introduction

When using MyBatis you will often write the SQL statements yourself, and you need to pass parameters into those statements.

MyBatis offers two syntaxes for this, #{name} and ${name}. What is the difference between them? Let's have a look.

For instance

Recently India has become more arrogant and frequently provokes border conflicts. Is India really that confident?

Let’s take a look at India’s military distribution


In fact, the Indian army is still very strong and is the top military power in South Asia. It has the third largest active force in the world and the second largest army in the world.

India is the world's largest arms importer. Of course, importing has advantages and disadvantages; the disadvantage is that India's own arms research and development is weak. And of course, India is one of the few countries in the world with nuclear weapons.

Query examples

Well, given India's force distribution table, how do we write a SQL statement in MyBatis that looks up one entry of India's force distribution by its id?

  <select id="getIndiaTroopsById" resultType="com.flydean.IndiaTroop">
    select * from troops t
    where t.id = #{id}
  </select>

This is how we usually write a query statement.

Above, we use #{id} to pass the parameter. So what are the characteristics of #{id}?

Characteristics of #{id}

First, #{id} is never spliced into the SQL text. MyBatis turns it into a JDBC parameter marker, so the statement is precompiled as:

select * from troops t where t.id = ?

Secondly, the value is then bound to that marker through PreparedStatement, using the setter that matches its Java type (setInt for an Integer, setString for a String). With a String parameter the effect is the same as writing a quoted literal; for example, if I pass id = "2" the database effectively sees:

select * from troops t where t.id = '2'

With an Integer it sees the number 2 instead. Either way the JDBC driver, not MyBatis, takes care of quoting and escaping. So what is the benefit of precompiling?

The benefit of precompiling is that it prevents SQL injection: the statement text is fixed before the value arrives, so the value is only ever treated as data and cannot change the structure of the query, no matter how much SQL it contains.

Characteristics of ${id}

First of all, ${id} is not precompiled. Its value is substituted into the SQL text exactly as passed in, before the statement reaches the driver, so there is a risk of SQL injection.

Again, if we use ${id}:

  <select id="getIndiaTroopsById" resultType="com.flydean.IndiaTroop">
    select * from troops t
    where t.id = ${id}
  </select>

If we pass in the parameter 2, the corresponding SQL statement is:

select * from troops t where t.id = 2

Second, because ${id} is substituted before the statement is compiled, nothing separates the value from the query text: any SQL contained in the value becomes part of the statement, so this form cannot prevent SQL injection.


Let's summarize the usage scenarios of these two forms.

#{} is the default: use it for every value that comes from outside the application.

${} is only for the parts of a statement that JDBC cannot bind as parameters, such as table names, column names or an ORDER BY direction. Because it is plain text substitution, the value must never come straight from user input; check it against a fixed allowlist of identifiers before it reaches the mapper.

Don't use $ when you can use #.
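To make the difference concrete, here is an added example that is not from the original post and does not use MyBatis itself: a small Python script against an in-memory SQLite table standing in for the troops table above (the rows are constructed here). query_bound mimics #{id}, query_inlined mimics ${id}, and query_table shows the one legitimate use of ${}, a table name, guarded by an allowlist. The function names, the ALLOWED_TABLES set and the payload "2 OR 1=1" are all assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data standing in for the page's "troops" table.
SAMPLE_ROWS = [
    (1, "Northern Command", 200000),
    (2, "Western Command", 180000),
    (3, "Eastern Command", 150000),
]

# Fixed allowlist for identifiers that a driver cannot bind as parameters.
# This is the only place a ${}-style substitution belongs (assumed names).
ALLOWED_TABLES = {"troops"}


def open_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE troops (id INTEGER PRIMARY KEY, name TEXT, strength INTEGER)"
    )
    conn.executemany("INSERT INTO troops VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_bound(conn, user_id):
    """#{id} equivalent: the statement text holds a '?' marker and the value
    travels separately, so whatever it contains is only ever compared as data."""
    sql = "SELECT id, name FROM troops t WHERE t.id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def query_inlined(conn, user_id):
    """${id} equivalent: the value is pasted into the statement text before the
    driver sees it, so SQL inside the value becomes part of the query."""
    sql = "SELECT id, name FROM troops t WHERE t.id = " + str(user_id)
    return conn.execute(sql).fetchall()


def check_table_name(table):
    """Allowlist check for the one thing ${} is really for: an identifier.
    Rejects anything that is not a known table name."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table name not allowed: {table!r}")
    return table


def query_table(conn, table, user_id):
    """Table name substituted as text only after the allowlist check;
    the row filter is still a bound parameter."""
    sql = f"SELECT id, name FROM {check_table_name(table)} t WHERE t.id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def run_demo(payload="2 OR 1=1"):
    """Run both styles with a benign id and with an injection payload
    (constructed here) and return how many rows each call returns."""
    conn = open_db()
    return {
        "bound_benign": len(query_bound(conn, 2)),
        "bound_payload": len(query_bound(conn, payload)),
        "inlined_benign": len(query_inlined(conn, 2)),
        "inlined_payload": len(query_inlined(conn, payload)),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:16} -> {rows} row(s)")
```

With the payload, the bound query returns no rows because the whole string "2 OR 1=1" is compared against the id column as one value, while the inlined query returns every row because the text became part of the WHERE clause. In a real mapper the check_table_name step belongs in the Java caller, before the value is handed to a ${table} placeholder.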

Author: flydean

Source: flydean's blog
