from : http://blog.csdn.net/doctor_who2004/article/details/43027181
What is the difference between #{...} and ${...}?
In a MyBatis 3 mapper file, what is the difference between #{...} and ${...}?

MyBatis interprets #{...} as a parameter marker in a JDBC prepared statement. MyBatis interprets ${...} as string substitution. It is important to know the difference because parameter markers cannot be used in certain places in SQL statements. For example, you cannot use a parameter marker to specify a table name.

In MyBatis 3, #{...} is the placeholder for a JDBC prepared statement parameter; its value is set through the TypeHandler matching the parameter's type. ${...}, by contrast, is merely string substitution in MyBatis 3, and that is exactly where SQL injection in earlier web programming came from.
Given the following code:
MyBatis will generate the following prepared statement:
Important: note that use of ${...} (string substitution) presents a risk for SQL injection attacks. Also, string substitution can be problematic for complex types like dates. For these reasons, we recommend using the #{...} form whenever possible.
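The following is an added illustration, not code from the post or from MyBatis itself: a small Python model of how the two markers are rendered (${...} spliced into the SQL text, #{...} turned into a '?' placeholder with an out-of-band bind value), executed against an in-memory SQLite table with constructed sample rows. The `render`, `checked_table` and `run` functions and the `ALLOWED_TABLES` allow-list are assumptions for the example; it also shows the defensive pattern for the one case where ${...} is unavoidable (an identifier such as a table name), namely validating the value against an allow-list before substitution.

```python
import re
import sqlite3

# Simplified model of how MyBatis treats the two markers in a mapper statement:
#   ${name}  -> raw text substitution into the SQL string before it reaches JDBC
#   #{name}  -> replaced by a '?' placeholder; the value is bound separately by the driver
SUBST_RE = re.compile(r"\$\{(\w+)\}")
PARAM_RE = re.compile(r"#\{(\w+)\}")


def render(statement, params):
    """Return (sql_text, bind_values) as a prepared statement would receive them."""
    # String substitution happens first: the value becomes part of the SQL text itself.
    sql = SUBST_RE.sub(lambda m: str(params[m.group(1)]), statement)
    binds = []

    def to_marker(m):
        binds.append(params[m.group(1)])
        return "?"

    # Parameter markers: the SQL text only ever contains '?', the value travels out-of-band
    # and is never parsed as SQL, whatever characters it contains.
    sql = PARAM_RE.sub(to_marker, sql)
    return sql, binds


ALLOWED_TABLES = {"users", "orders"}  # constructed allow-list for this example


def checked_table(name):
    """Identifiers cannot be bound with #{...}; when ${...} is unavoidable, allow-list the value."""
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table name not permitted: {name!r}")
    return name


def run(statement, params):
    """Render the statement and execute it against constructed sample data in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, name text)")
    conn.executemany("insert into users values (?, ?)", [(1, "Alice"), (2, "O'Brien")])
    sql, binds = render(statement, params)
    try:
        return sql, conn.execute(sql, binds).fetchall()
    except sqlite3.OperationalError as e:
        # The substituted text no longer parses as the statement the author wrote.
        return sql, f"error: {e}"
    finally:
        conn.close()


if __name__ == "__main__":
    params = {"table": checked_table("users"), "name": "O'Brien"}
    # #{name}: the apostrophe is just data inside the bound value; the row is found.
    print(run("select * from ${table} where name = #{name}", params))
    # '${name}': the same input is spliced into the SQL text, the quoting breaks, and the
    # database now executes whatever the substituted text happens to be.
    print(run("select * from ${table} where name = '${name}'", params))
```

The first call yields `select * from users where name = ?` with `["O'Brien"]` bound and returns the matching row; the second yields `select * from users where name = 'O'Brien'`, which the database rejects as malformed. An input that merely breaks quoting already shows why ${...} on user-controlled data is the injection point the post warns about, and why the table name, the one thing #{...} cannot express, should go through an allow-list rather than straight into the statement.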