# and $ in MySQL (MyBatis mapper parameters)

1. #{}: the parameter is passed as a value


select * from table where name = #{param}
is parsed into the following SQL (the value of param, here id, is bound as a quoted string rather than pasted into the statement text):
select * from table where name = "id"
For safety, use #{} wherever a parameter can be passed that way; this effectively prevents SQL injection attacks.


2. ${}: can lead to SQL injection


A short introduction to SQL injection

Suppose a website's login check is built with the following SQL query code:

strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '" + passWord + "');"

If a malicious user submits

userName = "1' OR '1'='1";

and passWord = "1' OR '1'='1";

then the original SQL string is filled in as

SQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1');"

which means the SQL command that actually runs is equivalent to

SQL = "SELECT * FROM users;"
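The following is an added example, not code from the original post: it reproduces the login query above against a constructed in-memory SQLite table, once with string concatenation (the behaviour of ${}) and once with a bound placeholder (the behaviour of #{}), so you can see that the same input matches every row in the first case and no row in the second. SQLite stands in for MySQL only because it needs no server; the function and table names are assumptions.

```python
import sqlite3

# Constructed sample data: a minimal users table for the demonstration.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn: sqlite3.Connection, user_name: str, pass_word: str) -> list:
    """Models ${}: the raw input is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = ("SELECT * FROM users WHERE (name = '" + user_name
           + "') and (pw = '" + pass_word + "');")
    return conn.execute(sql).fetchall()


def login_param(conn: sqlite3.Connection, user_name: str, pass_word: str) -> list:
    """Models #{}: the SQL keeps a placeholder and the driver binds the value,
    so the input is compared as data and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE (name = ?) and (pw = ?);"
    return conn.execute(sql, (user_name, pass_word)).fetchall()


# The exact input from the post above.
PAYLOAD = "1' OR '1'='1"


def demo() -> dict:
    """Run both variants with a valid login and with the post's input."""
    conn = make_db()
    return {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_payload": login_concat(conn, PAYLOAD, PAYLOAD),  # every row
        "param_valid": login_param(conn, "alice", "s3cret"),
        "param_payload": login_param(conn, PAYLOAD, PAYLOAD),    # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```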
