What are the differences between #{} and ${} in MyBatis

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article introduces the differences between #{} and ${} in MyBatis. It is quite detailed and has some reference value, so interested readers should read on.

Dynamic SQL is one of the main features of MyBatis. After the parameters defined in the mapper are passed to the XML, MyBatis parses them dynamically before the query runs. MyBatis provides two syntaxes that support dynamic SQL: #{} and ${}.

In the following statements, if the value of name is zhangsan, there is no visible difference between the two forms:

select * from user where name = #{name}
select * from user where name = ${name}

After parsing, both produce

select * from user where name = 'zhangsan'

But #{} and ${} are handled differently at precompilation time. #{} replaces the parameter part with a ? placeholder, so the statement becomes:

select * from user where name = ?

${}, on the other hand, is a plain string substitution: during the dynamic parsing phase the statement is rewritten directly to

select * from user where name = 'zhangsan'

In other words, parameter substitution for #{} happens in the DBMS (as a bound parameter of a prepared statement), while substitution for ${} happens during MyBatis's dynamic parsing, before the SQL text reaches the database.

So, which one should we use in practice?

The answer is: prefer #{}, because ${} can lead to SQL injection. Consider the following example:

select * from ${tableName} where name = #{name}

In this example, if the table name passed in is

user; delete user;--

then the SQL after dynamic parsing is:

select * from user; delete user;-- where name = ?

Everything after -- is commented out, so the original query for a user is turned into a statement that queries all user information and then deletes the user table. This causes serious damage to the database and will most likely bring the server down.

However, when the table name is passed in as an argument, only ${} can be used (a prepared statement can bind values, but not identifiers such as table names); you can verify the specific reason yourself. This is also a reminder to be careful about SQL injection whenever ${} is used this way.
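The following is an added example, not code from the article: it models the two substitution modes described above in Python (the #{} path produces a ? placeholder plus bound values, the ${} path does text substitution), runs the safe pattern against an in-memory SQLite table, and guards the unavoidable ${tableName} with an allowlist. The allowlist, the table contents and the helper names are constructed for the example.

```python
import re
import sqlite3

# Constructed allowlist of identifiers that ${tableName} may expand to.
ALLOWED_TABLES = {"user", "user_archive"}

def render_hash(sql, params):
    """Model of #{}: every #{x} becomes a ? placeholder and its value is
    passed to the driver separately, so it can never alter the SQL text."""
    bound = []
    def repl(m):
        bound.append(params[m.group(1)])
        return "?"
    return re.sub(r"#\{(\w+)\}", repl, sql), tuple(bound)

def render_dollar(sql, params):
    """Model of ${}: plain text substitution during dynamic parsing."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), sql)

def checked_table(name):
    """Mitigation for an identifier that must go through ${}: allowlist it."""
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table name not permitted: {name!r}")
    return name

TEMPLATE = "select * from ${tableName} where name = #{name}"

def query_by_name(conn, table, name):
    """Identifier via checked ${}, value via #{} (bound parameter)."""
    sql = render_dollar(TEMPLATE, {"tableName": checked_table(table)})
    sql, args = render_hash(sql, {"name": name})
    return conn.execute(sql, args).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.executescript("create table user(name text);"
                       "insert into user values ('zhangsan'), ('lisi');")
    # SQL text that unguarded ${} yields for the article's hostile table name (never executed).
    unsafe_text = render_dollar(TEMPLATE, {"tableName": "user; delete user;--"})
    normal = query_by_name(conn, "user", "zhangsan")
    # The same hostile text supplied as a #{} value is just a non-matching literal.
    as_value = query_by_name(conn, "user", "user; delete user;--")
    try:
        query_by_name(conn, "user; delete user;--", "zhangsan")
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_text, normal, as_value, rejected

if __name__ == "__main__":
    print(demo())
```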

That is the whole of the article "What are the differences between #{} and ${} in MyBatis". Thank you for reading! I hope the content shared here helps you; for more related knowledge, you are welcome to follow the industry information channel.
