In an iBATIS sqlMap, `#param#` placeholders are already protected against SQL injection (they are bound as prepared-statement parameters), but `$param$` placeholders are not (they are spliced into the SQL text verbatim). Rewriting the parameter after `like` as follows prevents injection while keeping the wildcard match:
mysql: select * from test where name like concat('%',#name#,'%')
oracle: select * from test where name like '%'||#name#||'%'
SQL Server: select * from test where name like '%'+#name#+'%'
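The same idea as a complete sqlMap fragment, added here as an illustration (not from the original page): the `$name$` mapping that splices user input into the statement next to the `#name#` mappings that bind it as a parameter. The namespace, statement ids and the `java.util.Map` parameter with a `name` key are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sqlMap PUBLIC "-//ibatis.apache.org//DTD SQL Map 2.0//EN"
    "http://ibatis.apache.org/dtd/sql-map-2.dtd">
<sqlMap namespace="Test">

  <!-- UNSAFE: $name$ is substituted into the SQL text before the statement
       is prepared, so whatever the caller puts in "name" becomes part of the
       query itself. Keep this only as the "before" form to recognise in review. -->
  <select id="findByNameUnsafe" parameterClass="java.util.Map"
          resultClass="java.util.HashMap">
    select * from test where name like '%$name$%'
  </select>

  <!-- SAFE (MySQL): #name# becomes a bound parameter ("?") and the wildcards
       are attached by the database's concat(), so the value is data, never SQL. -->
  <select id="findByNameMysql" parameterClass="java.util.Map"
          resultClass="java.util.HashMap">
    select * from test where name like concat('%', #name#, '%')
  </select>

  <!-- SAFE (Oracle): same pattern using the || concatenation operator. -->
  <select id="findByNameOracle" parameterClass="java.util.Map"
          resultClass="java.util.HashMap">
    select * from test where name like '%' || #name# || '%'
  </select>

  <!-- SAFE (SQL Server): same pattern using the + string operator. -->
  <select id="findByNameSqlServer" parameterClass="java.util.Map"
          resultClass="java.util.HashMap">
    select * from test where name like '%' + #name# + '%'
  </select>

</sqlMap>
```

Binding the value stops injection, but `%` and `_` inside the bound value are still LIKE wildcards; if the caller must not widen the match, escape them in application code (or with an `escape` clause) before the call.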