1. select * from user where username = #{name}
is equivalent to
PreparedStatement ps = conn.prepareStatement("select * from user where username = ?");
ps.setObject(1, name);
ResultSet rs = ps.executeQuery();
That is, placeholder substitution: the value is bound as a parameter, so it is always treated as data, which prevents SQL injection.
2. select * from user where username = ${name}
is equivalent to
String sql = "select * from user where username = " + name;
Statement statement = conn.createStatement();
ResultSet resultSet = statement.executeQuery(sql);
That is, string concatenation: the value becomes part of the SQL text itself, which does not prevent SQL injection.
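The two behaviours above, as an added example that is not part of the original notes: the page's JDBC code is mirrored in Python's sqlite3 module (same `?` placeholder semantics), with an in-memory `user` table constructed here. It also shows the one case where `${}`-style splicing is unavoidable, an identifier such as a sort column, and the allowlist check that must guard it; the table contents, function names and `ALLOWED_SORT_COLUMNS` are all assumptions of this example.

```python
import sqlite3

# Constructed stand-in for the page's `user` table; the second name contains a quote.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer primary key, username text)")
    conn.executemany("insert into user (username) values (?)",
                     [("alice",), ("O'Brien",)])
    return conn

def find_by_placeholder(conn, name):
    """#{name}: the value is bound as a parameter and is always data."""
    rows = conn.execute("select username from user where username = ?",
                        (name,)).fetchall()
    return [r[0] for r in rows]

def find_by_concat(conn, name):
    """${name}: the value is pasted into the SQL text (quotes included by the caller,
    as they would be in a ${} mapper); the database parses whatever arrives."""
    sql = "select username from user where username = '" + name + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]

def compare(conn, name):
    """Run the same lookup both ways and report what the concatenated form did."""
    safe = find_by_placeholder(conn, name)
    try:
        spliced = find_by_concat(conn, name)
    except sqlite3.OperationalError as e:
        # A quote in ordinary data already breaks the spliced query: the input
        # changed the statement's structure, which is exactly what injection exploits.
        spliced = f"SQL error: {e}"
    return safe, spliced

# Identifiers cannot be bound with `?`, so a sort column is the legitimate ${} case.
# Assumed allowlist: only fixed, known column names may ever be spliced in.
ALLOWED_SORT_COLUMNS = {"id", "username"}

def find_all_sorted(conn, column):
    """Splice an identifier only after checking it against the allowlist."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"select username from user order by {column}"
    return [r[0] for r in conn.execute(sql).fetchall()]

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice"))      # both forms agree on plain input
    print(compare(db, "O'Brien"))    # placeholder finds the row, splicing errors out
    print(find_all_sorted(db, "username"))
```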