预编译方式,即PreparedStatement,可以防注入:#{id}
<select id="getBlogById" resultType="Blog"parameterType=”int”>
select id,title,author,content from blog where id=#{id}
</select>
字符串拼接方式,容易产生注入:${id}
<select id="getBlogById" resultType="Blog"parameterType=”int”>
select id,title,author,content from blog where id=${id}
</select>
原文:http://www.cnblogs.com/SEC-fsq/p/5290681.html