The difference between ${param} and #{param} in MySQL

The parameter passed by ${param} will be treated as part of the SQL statement, such as passing the table name and field name

Example: (the value passed is id)

order by ${param}

The parsed SQL is:

order by id

#{parm} The data passed in is treated as a string, and double quotes are added to the automatically passed in data

Example: (the value passed is id)

select * from table where name = #{param}

The parsed SQL is:

select * from table where name = "id"

For security reasons, use # to pass parameters wherever possible, which can effectively prevent SQL injection attacks.

Introduction to SQL injection

I went directly to Baidu's example and it felt clear at a glance.

The SQL query code for login verification of a certain website is:

strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord + "');"

Malicious entry
When userName = "1' OR '1'='1";與passWord = "1' OR '1'='1"; the original SQL string will be filled in as
strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1'); "
That is, the SQL command actually executed will become the following strSQL = "SELECT * FROM users; "

This cleverly bypasses the verification during background account authentication, allowing users to log in to the website without an account or password. Therefore, SQL injection attacks are commonly known as hackers' fill-in-the-blank game.

This is the end of this article about the difference between ${param} and #{param} in MySQL. For more information about the difference between ${param} and #{param} in MySQL, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!