MyBatis SQL injection

The precompiled form, i.e. PreparedStatement, protects against injection because the value is bound as a parameter rather than pasted into the statement text: #{id}

<select id="getBlogById" resultType="Blog" parameterType="int">
    select id,title,author,content from blog where id=#{id}
</select>

The string-concatenation form is prone to injection because the value is substituted verbatim into the SQL before it is sent to the database: ${id}

<select id="getBlogById" resultType="Blog" parameterType="int">
    select id,title,author,content from blog where id=${id}
</select>
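To make the difference between the two mapper fragments concrete, the following added example (not code from the original post) models what MyBatis does with each placeholder against an in-memory SQLite table named blog: fetch_by_id_prepared stands for #{id} and binds the value as a parameter, fetch_by_id_concat stands for ${id} and splices the value into the statement text. It also shows the one case where ${} is legitimately needed in MyBatis, a dynamic column name such as ORDER BY, and how a whitelist keeps that safe. The table contents, the function names and the ALLOWED_ORDER_COLUMNS set are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the blog table in the post.
SAMPLE_ROWS = [
    (1, "first", "alice", "hello"),
    (2, "second", "bob", "world"),
    (3, "third", "carol", "!"),
]


def make_db():
    """Build an in-memory SQLite database with the blog table used by the mapper."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table blog (id integer, title text, author text, content text)")
    conn.executemany("insert into blog values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_by_id_prepared(conn, user_id):
    """Models #{id}: the SQL text is fixed and the value travels as a bound parameter.
    A non-numeric string simply fails to match any integer id, so nothing leaks."""
    sql = "select id,title,author,content from blog where id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def fetch_by_id_concat(conn, user_id):
    """Models ${id}: the value becomes part of the statement before it is parsed,
    so anything the caller supplies is interpreted as SQL, not as data."""
    sql = f"select id,title,author,content from blog where id={user_id}"
    return conn.execute(sql).fetchall()


# Hypothetical whitelist for the one place ${} is actually required:
# identifiers (column or table names) cannot be bound as parameters.
ALLOWED_ORDER_COLUMNS = {"id", "title", "author"}


def fetch_ordered(conn, order_by):
    """Safe use of text substitution: the caller may only choose from a fixed set."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"select id,title,author,content from blog order by {order_by}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_by_id_prepared(db, 2))          # one row, id 2
    print(fetch_by_id_prepared(db, "1 or 1=1"))  # [] : treated as data, matches nothing
    print(fetch_by_id_concat(db, "1 or 1=1"))    # all three rows : treated as SQL
    print(fetch_ordered(db, "author"))           # whitelisted identifier, ordered result
```

The parameterized path is what PreparedStatement gives you under #{}: the database plans the statement with a placeholder and only afterwards receives the value, so the value can never change the statement's shape. The concatenated path reproduces ${} and returns every row for an input that was supposed to select one. When you genuinely need ${} for an identifier, validate it against a closed set as fetch_ordered does; never apply ${} to a value that comes from the request.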

Original post: https://www.cnblogs.com/fsqsec/p/5290681.html