The book "iBATIS in Action" explicitly warns that writing an iBatis LIKE query this way opens a SQL injection hole:
select * from t_user where username like '%$name$%'
The reason is that `$name$` is plain text substitution: iBatis pastes the value straight into the SQL before it is sent to the database, so a value such as `x%' or 1=1 --` rewrites the query. `#name#`, by contrast, becomes a `?` placeholder in a PreparedStatement, and the value is bound separately and can never change the statement's structure. (MyBatis has the same split: `${}` substitutes, `#{}` binds.) The safe form therefore keeps `#name#` as a bound parameter and builds the `%...%` pattern with the database's string concatenation (collected from various sources online):
MySql: select * from t_user where username like concat('%',#name#,'%')
Oracle: select * from t_user where username like '%'||#name#||'%'
SQL Server: select * from t_user where username like '%'+#name#+'%'
One more thing to check even with the bound form: binding stops injection, but the user still controls the LIKE pattern. A value containing `%` or `_` will widen the match (a bare `%` returns the whole table), so if the input is meant to be a literal substring, escape those two characters (and the escape character itself) and add an ESCAPE clause to the query.
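The following is an added example, not code from "iBATIS in Action" or from iBatis itself. It models the two iBatis behaviours with Python's sqlite3 so the difference can be run offline: `search_substituted` does what `$name$` does (string substitution), `search_bound` does what `#name#` does (a `?` parameter, concatenated with `||` exactly as in the Oracle form above, which SQLite also accepts), and `search_bound_escaped` adds the wildcard escaping mentioned above. The t_user rows and the payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the page's t_user table.
ROWS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol_admin", "pw")]

# A classic LIKE-injection payload: closes the quoted pattern, adds an
# always-true condition, and comments out the rest of the statement.
PAYLOAD = "zzz%' or 1=1 --"


def make_db():
    """Create an in-memory database with the constructed t_user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO t_user VALUES (?, ?)", ROWS)
    return conn


def search_substituted(conn, name):
    """Models iBatis `$name$`: the value is pasted into the SQL text.

    With PAYLOAD the statement becomes
      ... where username like '%zzz%' or 1=1 --%' order by username
    and every row comes back.
    """
    sql = ("select username from t_user where username like '%"
           + name + "%' order by username")
    return [r[0] for r in conn.execute(sql)]


def search_bound(conn, name):
    """Models iBatis `#name#`: the value is a bound parameter.

    The pattern is assembled inside SQL with '||' (the Oracle form on the
    page), so the user value can never alter the statement's structure.
    """
    sql = ("select username from t_user "
           "where username like '%' || ? || '%' order by username")
    return [r[0] for r in conn.execute(sql, (name,))]


def escape_like(name, esc="\\"):
    """Neutralise LIKE metacharacters so the value is matched literally.

    The escape character itself must be escaped first, then % and _.
    """
    return (name.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_bound_escaped(conn, name):
    """Bound parameter plus ESCAPE clause: injection-proof and wildcard-proof."""
    sql = ("select username from t_user "
           "where username like '%' || ? || '%' escape '\\' order by username")
    return [r[0] for r in conn.execute(sql, (escape_like(name),))]


if __name__ == "__main__":
    db = make_db()
    print("substituted, payload :", search_substituted(db, PAYLOAD))  # all rows
    print("bound, payload       :", search_bound(db, PAYLOAD))        # no rows
    print("bound, '%'           :", search_bound(db, "%"))            # all rows (wildcard abuse)
    print("bound+escape, '%'    :", search_bound_escaped(db, "%"))    # no rows
```

Running it shows the three behaviours side by side: the substituted form leaks every user for the payload, the bound form treats the payload as a literal substring and returns nothing, and only the escaped form also stops a bare `%` from dumping the table.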