iBatis fuzzy queries with LIKE

 <isNotNull prepend="and" property="userName" >
        UserName like '%$userName$%'
 </isNotNull>

The form above is open to SQL injection: `$userName$` is substituted into the SQL text verbatim, so a value containing a single quote rewrites the WHERE clause. On MySQL the JDBC driver executes only one statement per call by default, so an attacker cannot simply append a DELETE to empty the table, but the condition itself can still be manipulated, for example to make the query return every row. The fix is a small change in how the pattern is written: pass the value as a bound parameter (`#userName#`) and build the wildcards in SQL rather than in the mapper text. MySQL:
 <isNotNull prepend="and" property="userName" >
        UserName like concat('%',#userName#,'%')  
 </isNotNull>

Oracle:
 <isNotNull prepend="and" property="userName" >
        UserName like '%'||#userName#||'%'   
 </isNotNull>

SQL Server:
 <isNotNull prepend="and" property="userName" >
        UserName like '%'+#userName#+'%'
 </isNotNull>

Injection checks (type these as the userName value): `1231%' or '1%' = '1` (returns every row); `%' delete from <table name>-- '` (deletes the table contents). The second probe only succeeds where the database accepts a second statement in the same call, as SQL Server does since T-SQL needs no separator between statements; MySQL through JDBC rejects it by default. The first probe works on any of the three databases against the `$userName$` form.
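The following is an added example, not code from the original post. It reproduces the two query shapes above in Python against an in-memory SQLite table (assumed here as a stand-in, since SQLite concatenates with `||` exactly like the Oracle form), runs the "return everything" probe against both, and then shows the remaining caveat a practitioner should know: binding the parameter stops injection, but `%` and `_` in the input are still LIKE wildcards unless escaped. The `Users` table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the real Users table.
ROWS = [("alice",), ("bob",), ("carol_smith",), ("dave",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?)", ROWS)
    return conn


def search_vulnerable(conn, user_name):
    # Mirrors  UserName like '%$userName$%'  : the value is spliced into the
    # SQL text, so a quote in the input changes the statement.
    sql = "SELECT UserName FROM Users WHERE UserName LIKE '%" + user_name + "%'"
    return [r[0] for r in conn.execute(sql)]


def search_safe(conn, user_name):
    # Mirrors  UserName like '%'||#userName#||'%'  : the value travels as a
    # bound parameter and only the literal '%' pieces are part of the SQL.
    sql = "SELECT UserName FROM Users WHERE UserName LIKE '%' || ? || '%'"
    return [r[0] for r in conn.execute(sql, (user_name,))]


def search_safe_escaped(conn, user_name):
    # Binding prevents injection but not wildcard abuse: a '%' or '_' in the
    # input is still interpreted as a LIKE pattern. Escape them so the user's
    # text is matched literally.
    escaped = (user_name.replace("\\", "\\\\")
                        .replace("%", "\\%")
                        .replace("_", "\\_"))
    sql = ("SELECT UserName FROM Users "
           "WHERE UserName LIKE '%' || ? || '%' ESCAPE '\\'")
    return [r[0] for r in conn.execute(sql, (escaped,))]


# The "return everything" probe from the post, entered as the userName value.
PAYLOAD = "1231%' or '1%' = '1"

if __name__ == "__main__":
    conn = make_db()
    # Vulnerable form: the clause becomes  LIKE '%1231%' or '1%' = '1%'  and
    # the always-true comparison returns every row.
    print(search_vulnerable(conn, PAYLOAD))
    # Bound form: the whole payload is just a pattern nobody matches.
    print(search_safe(conn, PAYLOAD))
    # Bound form still honours wildcards typed by the user...
    print(search_safe(conn, "%"))
    # ...unless they are escaped.
    print(search_safe_escaped(conn, "%"))
    print(search_safe_escaped(conn, "_"))
```

The escaping step is not part of the original fix; it is the extra check you want when the field is user-controlled, because a bare `%` still matches the whole table and a long run of wildcards can be used to make the query expensive.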
