#{} is SQL precompilation: at compile time the parameter becomes a ? placeholder, and the value of a #{} variable is automatically wrapped in single quotes ''.
${} is SQL string concatenation: at compile time no single quotes are added around the parameter; where quotes are needed you must add them yourself.
In the examples below the values passed in are userName=123, USER=USER, name=name.
Using #{}, e.g.:
<select id="getUserByName" resultType="com.model.User">
select * from USER where userName=#{userName};
</select>
Result:
After compilation:
select * from USER where userName=?;
==> Parameters: mww(String)
<==      Total: 1
Using ${}, e.g.:
<select id="getUserByName" resultType="com.model.User">
select * from USER where userName=${userName};
</select>
Result:
After compilation:
select * from USER where userName=mww;
==> Parameters: 123(String)
Here the SQL statement will throw an error.
Correct form: add single quotes, because userName is of type String; if it were an int type the quotes could be omitted:
select * from USER where userName='${userName}';
After compilation:
select * from USER where userName='mww';
Usage:
1. Whether there is one parameter or several, prefer #{}.
2. When the parameter is used as a column value, use #{}, e.g. select * from USER where userName=#{userName};
3. When the parameter is used as a table name or in a filter clause, use ${}, i.e. in the places of the SQL statement where the parameter is not quoted, e.g. select ${userName} from ${USER}
4. ${} is open to SQL injection, because it is plain string concatenation: a malicious string can be passed in and evaluated as part of the condition.
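A runnable illustration of the four rules above, added here as an example and not part of the original note or of MyBatis itself. It uses Python with sqlite3 rather than a MyBatis mapper: a ? placeholder stands in for #{}, an f-string stands in for '${}', and an allow-list check stands in for the missing placeholder when a table or column name has to be spliced in. The USER table, its rows and the allow-list contents are constructed for the example.

```python
import sqlite3

# Constructed in-memory USER table, standing in for the page's USER table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER (id INTEGER PRIMARY KEY, userName TEXT)")
    conn.executemany("INSERT INTO USER (userName) VALUES (?)",
                     [("mww",), ("123",), ("O'Brien",)])
    return conn

def get_user_by_name_bound(conn, user_name):
    """Analogue of #{userName}: the value is bound to a ? placeholder.

    The driver never splices the text into the statement, so a quote inside
    the value stays data; this is what 'quoted automatically' amounts to.
    """
    sql = "SELECT userName FROM USER WHERE userName = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]

def get_user_by_name_spliced(conn, user_name):
    """Analogue of '${userName}': text substitution with hand-written quotes.

    Returns None when the resulting statement fails to parse (the error case
    the page describes); otherwise the matching names, whatever the input
    did to the WHERE clause.
    """
    sql = f"SELECT userName FROM USER WHERE userName = '{user_name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None

# Identifiers (table and column names) cannot be bound with ?, which is why the
# page reserves ${} for them. The defence is to accept only names from a fixed
# allow-list before splicing them in. Both sets are constructed for the example.
ALLOWED_TABLES = {"USER"}
ALLOWED_COLUMNS = {"id", "userName"}

def select_column_from_table(conn, column, table):
    """Analogue of 'select ${userName} from ${USER}' guarded by an allow-list."""
    if table not in ALLOWED_TABLES or column not in ALLOWED_COLUMNS:
        raise ValueError(f"identifier not allowed: {column!r} / {table!r}")
    sql = f"SELECT {column} FROM {table}"
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    print(get_user_by_name_bound(db, "O'Brien"))         # ["O'Brien"]: the quote is data
    print(get_user_by_name_spliced(db, "O'Brien"))       # None: statement broke at the quote
    print(get_user_by_name_spliced(db, "x' OR '1'='1"))  # every row: WHERE clause was rewritten
    print(select_column_from_table(db, "userName", "USER"))
```

The bound version keeps an apostrophe in the input as data; the spliced version either fails to parse (the error case on the page) or, for an input that closes the quote, evaluates a WHERE clause the developer never wrote, which is rule 4 in concrete form. Identifiers still have to be spliced, so the allow-list is the check that takes the place of the placeholder for rule 3.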