bind + #{} 模糊查询 防止SQL注入 (#{}进行预编译,传递的参数不进行编译,只作为参数,相当于PreparedStatement)
bind 元素可以从 OGNL 表达式中创建一个变量并将其绑定到上下文。比如:
<select id="selectBlogsLike" resultType="Blog"> <bind name="pattern" value="'%' + _parameter.getTitle() + '%'" /> SELECT * FROM BLOG WHERE title LIKE #{pattern} </select>
例如SQL:
<select id="getInfo" resultType="Info" parameterType="hashmap"> SELECT * FROM **表 <where> <if test="name != null"> <bind name="names" value="'%'+name+'%'" /> and bigname like #{names} </if> </where> </select>