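A fuzzy query written with like CONCAT prevents SQL injection, because the #{} value is passed as a bound parameter; a bare like, with the value spliced into the pattern string, does not.
Usage: like CONCAT('%',#{param.userName},'%')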
<select id="findWxUserByOrgId" resultMap="WxUserVoMap">
select
<include refid="Base_Column_List"/>
from wx_user t
.......
<!-- related code omitted here -->
<if test="param.userNamePhone!=null and param.userNamePhone.trim()!=''">
AND (t.user_name like CONCAT('%',#{param.userNamePhone},'%') OR t.phone like CONCAT('%',#{param.userNamePhone},'%'))
</if>
<if test="param.userName !=null and param.userName.trim()!=''">
AND t.user_name like CONCAT('%',#{param.userName},'%')
</if>
order by convert_to(SUBSTR(t.full_name,1,1),'GBK')
</select>
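Added example, not from the original post: a Python/SQLite stand-in for the mapper above that runs the spliced pattern and the like CONCAT bound pattern against the same input. It goes one step beyond the text by showing that a bound value can still carry the % and _ wildcards, which need an ESCAPE clause. The rows, the function names and the registered CONCAT helper are assumptions made for the demo.

```python
import sqlite3

def open_db():
    """In-memory stand-in for the page's wx_user table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    # Older SQLite has no CONCAT(); register one so the SQL reads like the page's.
    db.create_function("CONCAT", -1, lambda *a: "".join(str(x) for x in a))
    db.execute("CREATE TABLE wx_user (user_name TEXT, phone TEXT)")
    db.executemany("INSERT INTO wx_user VALUES (?, ?)",
                   [("alice", "13800000001"), ("bob", "13800000002"),
                    ("100%_real", "13800000003")])
    return db

def find_spliced(db, user_name):
    """Value pasted into the SQL text, as ${} substitution inside '%...%' would do."""
    sql = ("SELECT user_name FROM wx_user t "
           "WHERE t.user_name like '%" + user_name + "%'")
    return [r[0] for r in db.execute(sql)]

def find_bound(db, user_name):
    """Value sent as a bind parameter, as #{} inside CONCAT('%',...,'%') does."""
    sql = ("SELECT user_name FROM wx_user t "
           "WHERE t.user_name like CONCAT('%', ?, '%')")
    return [r[0] for r in db.execute(sql, (user_name,))]

def escape_like(value, esc="\\"):
    """Escape the escape character first, then the LIKE wildcards % and _."""
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def find_bound_literal(db, user_name):
    """Bound parameter plus ESCAPE, so % and _ in the input match literally."""
    sql = ("SELECT user_name FROM wx_user t "
           "WHERE t.user_name like CONCAT('%', ?, '%') ESCAPE '\\'")
    return [r[0] for r in db.execute(sql, (escape_like(user_name),))]

if __name__ == "__main__":
    db = open_db()
    probe = "zzz' OR 1=1 --"                # constructed test input
    print(find_spliced(db, probe))          # every row: the input changed the query
    print(find_bound(db, probe))            # no rows: the input stayed data
    print(find_bound(db, "%"))              # every row: wildcard still active
    print(find_bound_literal(db, "%"))      # only the name containing a literal %
```

How a backslash inside a quoted string and the ESCAPE clause are written differs between databases, so check the escaping against the one the mapper actually targets.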
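Sorting Chinese text with convert
In a MySQL database, Chinese text can be sorted by converting it to GBK encoding, for example to sort names by their first letter: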
order by convert(substr(tu.username,1,1) using 'GBK')
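Here substr takes the first character, which is the surname, and the result is converted to GBK encoding for sorting.
The mapper above uses convert_to, the PostgreSQL function, for the same ordering:
order by convert_to(SUBSTR(t.full_name,1,1),'GBK')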