The difference between # and $

王林 (Original), 2019-10-25 17:15:07

Put most directly: # behaves as if the data were wrapped in quotes (it is passed as a string value), while $ inserts the data into the SQL text as-is.

1. # treats the incoming parameter as a string; that is, the statement is precompiled.

select * from user where name = #{name}

For example, if I pass csdn, the statement effectively becomes

select * from user where name = 'csdn'

2. $ does not precompile the incoming value.

select * from user where name=${name}

For example, if I pass csdn, the statement becomes

select * from user where name=csdn

3. The advantage of # is that it prevents SQL injection to a great extent, while $ does not.

For example, when a user logs in, the back-end SQL check looks like this:

select * from user where username=#{name} and password = #{pwd}

Suppose the user name sent from the front end is "wang" and the password is "1 or 1=1". With the # form there is no SQL injection. If you switch to the $ form, the SQL statement becomes

select * from user where username=wang and password = 1 or 1=1

In this case, SQL injection occurs.

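4. When sorting in MyBatis with a dynamic ORDER BY parameter, you need to use $ instead of #, because # would pass the column name as a quoted string. Since $ is not precompiled, the value should come from a fixed set of column names rather than directly from user input.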
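
The login case from point 3 and the ORDER BY case from point 4, as an added example that is not part of the original article. It uses Python's sqlite3 module to stand in for MyBatis: a bound ? placeholder plays the role of #{}, and string formatting plays the role of ${}. The sample rows, the function names and the SORTABLE allow-list are assumptions made for the illustration.

```python
import sqlite3

SORTABLE = {"username", "password"}  # assumed allow-list for the ORDER BY column

def make_db():
    # Constructed sample rows; table and column names follow the article's login query.
    db = sqlite3.connect(":memory:")
    db.execute("create table user (username text, password text)")
    db.executemany("insert into user values (?, ?)",
                   [("wang", "s3cret"), ("li", "hunter2")])
    return db

def login_hash(db, name, pwd):
    # #{}-style: the SQL text is compiled with placeholders and the values are
    # bound afterwards, so pwd is only ever compared as one string value.
    sql = "select username from user where username = ? and password = ?"
    return db.execute(sql, (name, pwd)).fetchall()

def login_dollar(db, name, pwd):
    # ${}-style: the values are pasted into the SQL text before it is parsed.
    # Assumption: name is quoted in the template so the statement parses at all.
    sql = f"select username from user where username = '{name}' and password = {pwd}"
    return db.execute(sql).fetchall()

def list_users(db, sort_col):
    # ORDER BY needs an identifier, which cannot be bound as a value, so it is
    # substituted as text, but only after a check against the allow-list.
    if sort_col not in SORTABLE:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    return db.execute(f"select username from user order by {sort_col}").fetchall()

if __name__ == "__main__":
    db = make_db()
    print(login_hash(db, "wang", "1 or 1=1"))    # no row matches
    print(login_dollar(db, "wang", "1 or 1=1"))  # every row matches
    print(list_users(db, "username"))            # sorted by the allow-listed column
```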
