The difference between ${param} and #{param} in MySQL

The difference between ${param} and #{param} in MySQL

The parameter passed by ${param} will be treated as part of the SQL statement, such as passing the table name and field name

Example: (the value passed is id)

order by ${param}

The parsed SQL is:

order by id

#{parm} The data passed in is treated as a string, and double quotes are added to the automatically passed in data

Example: (the value passed is id)

select * from table where name = #{param}

The parsed SQL is:

select * from table where name = "id"

For security reasons, use # to pass parameters wherever possible, which can effectively prevent SQL injection attacks.

Introduction to SQL injection

I went directly to Baidu's example and it felt clear at a glance.

The SQL query code for login verification of a certain website is:

strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord + "');"

Malicious entry
When userName = "1' OR '1'='1";與passWord = "1' OR '1'='1"; the original SQL string will be filled in as
strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1'); "
That is, the SQL command actually executed will become the following strSQL = "SELECT * FROM users; "

This cleverly bypasses the verification during background account authentication, allowing users to log in to the website without an account or password. Therefore, SQL injection attacks are commonly known as hackers' fill-in-the-blank game.

This is the end of this article about the difference between ${param} and #{param} in MySQL. For more information about the difference between ${param} and #{param} in MySQL, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:
  • The difference between ## and $$ in dynamic SQL under Mybatis
  • A brief discussion on the difference between # and $ in mybatis and how to prevent sql injection

<<:  Solve the problem of black screen when starting VMware virtual machine

>>:  An article to help you thoroughly understand position calculation in js

Recommend

Use render function to encapsulate highly scalable components

need: In background management, there are often d...

Tutorial on installing MySQL with Docker and implementing remote connection

Pull the image docker pull mysql View the complet...

Troubleshooting MySQL high CPU load issues

High CPU load caused by MySQL This afternoon, I d...

A simple explanation of MySQL parallel replication

1. Background of Parallel Replication First of al...

An example of installing MySQL on Linux and configuring external network access

Configuration steps 1. Check whether DNS is confi...

Summary of various implementation methods of mysql database backup

This article describes various ways to implement ...

Detailed explanation of several methods of installing software in Linux

1. RPM package installation steps: 1. Find the co...

Linux installation Redis implementation process and error solution

I installed redis today and some errors occurred ...

Detailed steps to install the NERDTree plugin in Vim on Ubuntu

NERDTree is a file system browser for Vim. With t...

Comparative Analysis of UI Applications of Image Social Networking Sites (Figure)

In our life, work and study, social networks have ...

Vue implements file upload and download functions

This article example shares the specific code of ...

How to query or obtain images in a private registry

Docker queries or obtains images in a private reg...