The difference between ${param} and #{param} in MySQL

The difference between ${param} and #{param} in MySQL

The parameter passed by ${param} will be treated as part of the SQL statement, such as passing the table name and field name

Example: (the value passed is id)

order by ${param}

The parsed SQL is:

order by id

#{parm} The data passed in is treated as a string, and double quotes are added to the automatically passed in data

Example: (the value passed is id)

select * from table where name = #{param}

The parsed SQL is:

select * from table where name = "id"

For security reasons, use # to pass parameters wherever possible, which can effectively prevent SQL injection attacks.

Introduction to SQL injection

I went directly to Baidu's example and it felt clear at a glance.

The SQL query code for login verification of a certain website is:

strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord + "');"

Malicious entry
When userName = "1' OR '1'='1";與passWord = "1' OR '1'='1"; the original SQL string will be filled in as
strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1'); "
That is, the SQL command actually executed will become the following strSQL = "SELECT * FROM users; "

This cleverly bypasses the verification during background account authentication, allowing users to log in to the website without an account or password. Therefore, SQL injection attacks are commonly known as hackers' fill-in-the-blank game.

This is the end of this article about the difference between ${param} and #{param} in MySQL. For more information about the difference between ${param} and #{param} in MySQL, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:
  • The difference between ## and $$ in dynamic SQL under Mybatis
  • A brief discussion on the difference between # and $ in mybatis and how to prevent sql injection

<<:  Solve the problem of black screen when starting VMware virtual machine

>>:  An article to help you thoroughly understand position calculation in js

Recommend

Tomcat configuration and how to start it in Eclipse

Table of contents How to install and configure To...

HTML code that can make IE freeze

We simply need to open any text editor, copy the f...

Bootstrap 3.0 study notes CSS related supplement

The main contents of this article are as follows:...

Win10 configuration tomcat environment variables tutorial diagram

Before configuration, we need to do the following...

CSS Sticky Footer Several Implementations

What is "Sticky Footer" The so-called &...

How to completely uninstall mysql under CentOS

This article records the complete uninstallation ...

Detailed explanation of MYSQL database table structure optimization method

This article uses an example to illustrate the me...

How to let DOSBox automatically execute commands after startup

Using DOSBox, you can simulate DOS under Windows ...

How to set MySQL foreign keys for beginners

Table of contents The role of foreign keys mysql ...

Docker uses Supervisor to manage process operations

A Docker container starts a single process when i...

How to open external network access rights for mysql

As shown below: Mainly execute authorization comm...

Detailed explanation of keepAlive usage in Vue front-end development

Table of contents Preface keep-avlive hook functi...

...