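<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<!-- The namespace must be unique; by convention it is the fully qualified name of the
     mapper interface this file backs (here _02_highquery.EmployeeMapper), and every
     statement id (e.g. "query") matches a method name on that interface. -->
<mapper namespace="_02_highquery.EmployeeMapper">

  <!-- Dynamic search over employee. <where> emits the WHERE keyword only when the
       included fragment produces text, and drops a leading AND/OR from that text. -->
  <select id="query"
          resultType="_02_highquery.Employee"
          parameterType="_02_highquery.EmployeeQuery">
    select * from employee
    <where>
      <include refid="whereSql"/>
    </where>
  </select>

  <!-- Reusable filter fragment, pulled in via <include refid="whereSql"/>. -->
  <sql id="whereSql">
    <if test="keywords != null">
      <!-- Why the keyword filter uses concat():
           (1) and name like %#{keywords}%    is invalid SQL: #{} becomes a bound
               parameter marker, so the driver sees the text %?% rather than a literal.
           (2) and name like '%${keywords}%'  runs, but ${} splices the raw value into
               the statement text, which makes it SQL-injectable; never use ${} for
               user-supplied input.
           (3) concat() with #{} builds the pattern while the value stays a bound
               parameter. -->
      <!-- Single-quoted literals: '%' is a string in every SQL dialect, whereas "%"
           is a string in MySQL only while the ANSI_QUOTES sql_mode is off
           (with it on, "%" is parsed as an identifier and the query fails). -->
      <!-- NOTE: the LIKE wildcards % and _ inside keywords are not escaped, so a value
           containing them widens the match; escape them in the caller if exact
           substring matching is required. -->
      and name like concat('%',#{keywords},'%')
    </if>
    <if test="minAge != null">
      and age >= #{minAge}
    </if>
    <!-- A literal "<" is not allowed in element content. Either escape it as &lt;
         (option 1, kept below as a commented-out example) or wrap the text in a
         CDATA section (option 2, the form actually used). -->
    <!--
    <if test="maxAge != null">
      and age &lt;= #{maxAge}
    </if>
    -->
    <if test="maxAge != null">
      <![CDATA[ and age <= #{maxAge} ]]>
    </if>
  </sql>
</mapper>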