- -- All dialects: ${name} is text substitution (MyBatis-style), so the value is spliced into the SQL string and this form does not prevent SQL injection. Shown as the pattern to avoid.
- select * from user where name like '%${name}%'
- -- MySQL, Oracle: #{name} is passed as a bound parameter. (DB2's concat function only supports 2 arguments.)
  -- NOTE(review): Oracle's CONCAT is documented as two-argument in many releases - confirm on the target version, or nest the calls / use the || form below.
  -- NOTE(review): in every #{name} form, binding stops injection, but % and _ inside the value still act as LIKE wildcards; escape them if the input must match literally.
- select * from user where name like concat('%',#{name},'%')
- -- Oracle, DB2
- select * from user where name like '%'||#{name}||'%'
- -- SQL Server
- select * from user where name like '%'+#{name}+'%'
- -- Reportedly this form is also precompiled; the author has not tested it yet.
  -- NOTE(review): string literals adjacent to a placeholder are not standard SQL; whether this parses likely depends on the database and on how the driver prepares statements - verify before relying on it.
- select * from user where name like "%"#{name}"%"
转自:http://happyqing.iteye.com/blog/2172397