The difference between # and $
Put most directly: in a MyBatis mapper, #{} is equivalent to wrapping the value in quotes (it is bound as a parameter), while ${} pastes the value into the SQL text as it is.
1. #{} treats the incoming parameter as a string value; the statement is precompiled with a placeholder and the value is bound to it:
select * from user where name = #{name}
For example, if I pass csdn, the resulting statement is
select * from user where name = 'csdn'
2. ${} does not precompile the incoming value; it is spliced directly into the statement:
select * from user where name=${name}
For example, if I pass csdn, the resulting statement is
select * from user where name=csdn
3. The advantage of #{} is that it goes a long way towards preventing SQL injection; ${} does not.
For example, the user performs a login, and the SQL the back end uses to verify it looks like this:
select * from user where username=#{name} and password = #{pwd}
If the username sent from the front end is "wang" and the password is "1 or 1=1", there is no SQL injection with the #{} form. If this is changed to the ${} form, the statement becomes
select * from user where username=wang and password = 1 or 1=1
and an SQL injection results.
4. When a dynamic parameter is used in ORDER BY when sorting in MyBatis, note that ${} must be used rather than #{}.
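The following added example (not code from the original article) reproduces points 1 to 4 with Python's sqlite3 module standing in for MyBatis: a "?" placeholder plays the role of #{} and an f-string plays the role of ${}. The user table, its rows, the column names and the SORTABLE_COLUMNS list are all constructed for the example. It goes one step beyond the article by applying the same "1 or 1=1" value to a numeric id column, where the spliced text parses cleanly and returns every row, and by showing why ORDER BY needs ${} and how to keep that safe with an allowlist.

```python
import sqlite3

# Constructed sample table (not from the original article).
USERS = [(1, "wang", "pw-wang"), (2, "csdn", "pw-csdn"), (3, "li", "pw-li")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", USERS)
    return conn


def login_precompiled(conn, name, pwd):
    """#{} behaviour: the statement is precompiled with placeholders and the
    values are bound as data, so "1 or 1=1" is compared as literal password text."""
    sql = "SELECT username FROM user WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, pwd))]


def render_interpolated_login(name, pwd):
    """${} behaviour: the raw values are spliced into the statement text.
    Returned as a string so the result can be compared with the article's example."""
    return f"select * from user where username={name} and password = {pwd}"


def find_by_id_interpolated(conn, id_text):
    """${} on a numeric column: the value becomes part of the SQL grammar,
    so "1 or 1=1" turns the WHERE clause into "id = 1 or 1=1"."""
    sql = f"SELECT username FROM user WHERE id = {id_text}"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_precompiled(conn, id_text):
    """#{} on the same column: the value is bound and never parsed as SQL."""
    sql = "SELECT username FROM user WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (id_text,))]


# Point 4: an ORDER BY column cannot be a bound parameter, because a bound
# value is a constant rather than a column name. ${} has to be used, but only
# after the value has been checked against a fixed list of sortable columns.
SORTABLE_COLUMNS = {"id", "username"}  # constructed allowlist


def is_sortable_column(column):
    return column in SORTABLE_COLUMNS


def list_users_sorted(conn, column):
    if not is_sortable_column(column):
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"SELECT username FROM user ORDER BY {column}"  # safe: allowlisted
    return [row[0] for row in conn.execute(sql)]


def list_users_sorted_by_bound_param(conn, column):
    """What happens if ORDER BY is written with #{}: the column name is bound
    as a string constant, every row gets the same sort key, and no real
    sorting by that column takes place."""
    sql = "SELECT username FROM user ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (column,))]


if __name__ == "__main__":
    db = make_db()
    print(login_precompiled(db, "wang", "1 or 1=1"))    # [] : no injection
    print(render_interpolated_login("wang", "1 or 1=1"))
    print(find_by_id_interpolated(db, "1 or 1=1"))      # every user
    print(find_by_id_precompiled(db, "1 or 1=1"))       # []
    print(list_users_sorted(db, "username"))
    print(list_users_sorted_by_bound_param(db, "username"))
```

The two login functions receive exactly the article's inputs; the precompiled one returns no rows because the whole string "1 or 1=1" is compared against the password column. For sorting, list_users_sorted keeps the ${} style the article calls for while refusing any value that is not a known column name, which is the check a ${} parameter always needs.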
The above is the detailed content of The difference between # and $. For more information, please follow other related articles on the PHP Chinese website!