<isNotNull prepend="and" property="userName" >
UserName like '%$userName$%'
</isNotNull>
The form above is open to SQL injection, because `$userName$` is spliced into the SQL text as-is. For MySQL, only one statement is executed per call, so injecting a statement to delete the whole table still does not work. Guarding against injection only needs a small change to how the clause is written; the MySQL form is:
<isNotNull prepend="and" property="userName" >
UserName like concat('%',#userName#,'%')
</isNotNull>
[color=darkred]Oracle:[/color]
<isNotNull prepend="and" property="userName" >
UserName like '%'||#userName#||'%'
</isNotNull>
[color=darkred]SQL Server:[/color]
<isNotNull prepend="and" property="userName" >
UserName like '%'+#userName#+'%'
</isNotNull>
Additional injection test strings: [color=darkred]1231%' or '1%' = '1 (returns all rows) %' delete from table_name-- ' (deletes the table contents)[/color]
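To show why the `#userName#` forms above hold up, here is an added example (not code from the original post) that runs the same LIKE clause both ways against an in-memory SQLite table with constructed sample rows. SQLite concatenates with `||` like the Oracle form; `search_unsafe` mirrors `$userName$` text splicing and `search_safe` mirrors `#userName#` parameter binding, and the "return all rows" probe from the post is fed to each.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
ROWS = [("alice",), ("bob",), ("alice1231",)]

# The "return everything" probe quoted in the post.
PAYLOAD = "1231%' or '1%' = '1"


def _connect():
    """Build a throwaway in-memory table matching the post's UserName column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", ROWS)
    return conn


def search_unsafe(user_name):
    """Mirrors the $userName$ form: the value becomes part of the SQL text,
    so quotes in the input change the meaning of the statement."""
    sql = f"SELECT UserName FROM users WHERE UserName LIKE '%{user_name}%'"
    return sorted(r[0] for r in _connect().execute(sql))


def search_safe(user_name):
    """Mirrors the #userName# form: the value is bound as a parameter and
    the wildcards are attached inside SQL (SQLite/Oracle use ||, MySQL
    would use concat('%', ?, '%')), so the input is only ever a pattern."""
    sql = "SELECT UserName FROM users WHERE UserName LIKE '%' || ? || '%'"
    return sorted(r[0] for r in _connect().execute(sql, (user_name,)))


if __name__ == "__main__":
    # Normal input behaves the same either way.
    print(search_unsafe("alice"), search_safe("alice"))
    # The probe turns the spliced query into "... or '1%' = '1%'" (every row),
    # while the bound version treats it as a literal pattern (no rows).
    print(search_unsafe(PAYLOAD), search_safe(PAYLOAD))
```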