(1) 區(qū)別：
  首先清楚一點(diǎn)，動(dòng)態(tài) SQL 是 mybatis 的強(qiáng)大特性之一，在 mapper 中定義的參數(shù)傳到 xml 中之后，在查詢之前 mybatis 會(huì)對(duì)其進(jìn)行動(dòng)態(tài)解析，#{} 和 ${} 在預(yù)編譯中的處理是不一樣的：
  例如：select * from t_user where userName = #{name};
  #{}預(yù)編譯：用一個(gè)占位符 ? 代替參數(shù):select * from t_user where userName = ?
  #{}預(yù)編譯：會(huì)將參數(shù)值一起進(jìn)行編譯：select * from t_user where userName = 'zhangsan'
(2) 使用場(chǎng)景：
  一般情況首選#{}，因?yàn)檫@樣能避免sql注入；如果需要傳參 動(dòng)態(tài)表名、動(dòng)態(tài)字段名時(shí)，需要使用${}
  比如：select * from ${tableName} where id > #{id};
(3) SQL注入問題：
  舉個(gè)例子，如果使用${}出現(xiàn)的注入問題：
  select * from ${tableName};
  如果傳參 t_user;delete from t_user，則預(yù)編譯后的sql如下，將會(huì)導(dǎo)致系統(tǒng)不可用：
  select * from t_user;delete from t_user;
(4) like 語句防注入：
  使用concat函數(shù)：
  select * from t_user where name like concat('%', #{name}, '%')

非注解：
(1)單參數(shù)：
public User getUserByUuid(String uuid); 
<select id="getUserByUuid" resultMap="BaseResultMap" parameterType="Object">
  SELECT * FROM   t_user  WHERE uuid = #{uuid}
</select>
(2)多參數(shù)
public User getUserByNameAndPass(String name,String pass); 
<select id="getUserByNameAndPass" resultMap="BaseResultMap" parameterType="Object">
  SELECT * FROM t_user  WHERE t_name = #{0} and t_pass = #{1}
</select>
(3)Map參數(shù)
public User getUserByMap(Map<String,Object> map);
<select id="getUserByMap" resultMap="BaseResultMap" parameterType="java.util.Map">
  SELECT * FROM t_user  WHERE t_name = #{name} and t_pass = #{pass}
</select>
(4)實(shí)體對(duì)象參數(shù)
public int updateUser(User user);  
<select id="updateUser" resultMap="BaseResultMap" parameterType="Object">
  update t_user set t_name = #{name}, t_pass = #{pass} where uuid=#{uuid}
</select>
(4)List集合參數(shù)
public int batchDelUser(List<String> uuidList);
<delete id="batchDelUser" parameterType="java.util.List">
  DELETE FROM t_user WHERE uuid IN
  <foreach collection="list" index="index" item="uuid" open="(" separator="," close=")">
       #{uuid}
   </foreach>
</delete>
注解：
public List<User> getUserByTime(@Param("startTime")String startTime, @Param("endTime")String endTime);
<select id="getUserByTime" resultMap="BaseResultMap" parameterType="Object">
  SELECT * from t_user where createTime &gt;= #{startTime} and createTime &lt;= #{endTime}
</select>

//JAVA 代碼
public List<Group> getUserRoleRelByUserUuid(@Param("groupUuid") String userUuid,@Param("roleList")List<String> roleUuidList);
//SQL
SELECT * from user_role where groupUuid=#{groupUuid}
   <choose>
    <when test="roleList!=null&amp;&amp;roleList.size()&gt;0">
      AND roleUuid IN
      <foreach collection="roleList" index="index" item="roleUuid" open="(" separator="," close=")">
        #{roleUuid}
      </foreach>
    </when>
    <otherwise>
      AND roleUuid IN ('')
    </otherwise>
   </choose>

//JAVA 代碼
public int getOrderCountByParams(Map<String, Object> params);
//SQL
<select id="getOrderCountByParams" resultType="java.lang.Integer" parameterType="Object">
  SELECT count(*) FROM itil_publish_order where 1=1
     <if test="timeType == '1'.toString()" >
            AND create_time &gt;= #{timeStr}
       </if>
       <if test="timeType == '2'.toString()" >
            AND end_time &lt;= #{timeStr}
       </if>
 </select>
或者
<if test = 'timeType== "1"'> </if>

<select id="getMaxSerialCode" resultType="java.lang.String" parameterType="Object">
        SELECT count(*) FROM
       itil_publish_order
        WHERE serial_code LIKE CONCAT('%',#{codeStr},'%')
        ORDER BY serial_code DESC LIMIT 1
</select>

//JAVA代碼
public List<PublishOrder> getOrderCount(@Param("startTime") String startTime,@Param("startTime")List<String> startTime);
//SQL
<select id="getOrderCount" resultType="java.lang.String" parameterType="Object">
        SELECT * FROM itil_publish_order
        WHERE createTime &gt;= #{startTime} and &lt;= #{startTime}
</select>