The difference between # of mybatis and $:

Time:02-28

1. # treats the incoming data as a string and automatically adds double quotation marks around the incoming data.
2. $ shows the incoming data directly in the generated SQL.
MyBatis enables the precompilation function: before the SQL is executed, the above SQL is sent to the database to be compiled. At execution time, the compiled SQL is used directly and the "?" placeholders are simply replaced. Because SQL injection can only work on the compilation process, this way is good for avoiding the problem of SQL injection.

CodePudding user response:

$ puts the parameters directly into the SQL statement, and # puts the parameters into the SQL statement with double quotation marks.
# can prevent SQL injection.
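
An added example (not part of the thread and not MyBatis's own code): a simplified Python model of the two substitutions, with sqlite3 standing in for the database. In MyBatis, #{} becomes a "?" placeholder whose value is bound through a prepared statement, while ${} is pasted into the SQL text; the render helper, the users table and the input values are constructed for illustration.

```python
import re
import sqlite3

# Simplified model of MyBatis parameter handling (illustrative, not MyBatis code):
# ${name} is pasted into the SQL text, #{name} becomes a "?" placeholder whose
# value is handed to the driver separately from the statement.
def render(template, params):
    # Step 1: ${...} is plain text substitution, done before the SQL is compiled.
    sql = re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), template)
    # Step 2: #{...} is replaced by "?" and the value goes into the bind list.
    binds = []
    def to_placeholder(match):
        binds.append(params[match.group(1)])
        return "?"
    sql = re.sub(r"#\{(\w+)\}", to_placeholder, sql)
    return sql, binds

def make_db():
    # Constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def find_by_name(db, template, name):
    # Returns the SQL text the database compiles and the rows it yields.
    sql, binds = render(template, {"name": name})
    return sql, db.execute(sql, binds).fetchall()

HASH_TEMPLATE = "SELECT id, name FROM users WHERE name = #{name}"
DOLLAR_TEMPLATE = "SELECT id, name FROM users WHERE name = '${name}'"
# Constructed input containing a quote character and SQL syntax.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for template in (HASH_TEMPLATE, DOLLAR_TEMPLATE):
        for value in ("alice", HOSTILE):
            sql, rows = find_by_name(db, template, value)
            print(f"{sql!r} -> {rows}")
```

With #{} the compiled statement text is identical for every input and the hostile value only ever matches as a name; with ${} the input changes the statement itself, so values used there need an allow-list check before they reach the mapper.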