1,多个参数传递用map或实体封装后再传给myBatis,
mybatis学习$与#号取值区别
#{} 1.加了单引号, 2.#号写是可以防止sql注入,比较安全
select * from user where username=#{username} and password=#{password} 变成 ...where username=‘张三’ and password=‘123’
${} 2.没有加单引号 2.${}写法无法防止sql注入(模湖查询时用‘%${username}%’) 或用cancat ('%',${username},'%')
select * from user where username=${username} and password=${password} 变成 ...where username=张三 and password=123