MyBatis: two methods of fuzzy query

Method 1: Use CONCAT (like concat)

like concat(parameter 1, parameter 2, parameter 3): used for fuzzy queries. Using like directly is not recommended, so concat is used to join the pieces.
1. Parameter 1: usually '%'
2. Parameter 2: the incoming parameter
3. Parameter 3: usually '%' (matching the first one)

 <if test="blockPushLog.blockName!=null and blockPushLog.blockName!=''">
     and b.BLOCK_NAME like CONCAT('%',#{blockPushLog.blockName},'%')
 </if>

Method 2: Use bind for fuzzy queries (recommended)

bind(parameter 1, parameter 2): used for fuzzy queries

  1. Parameter 1, name: a custom variable name; this is the name referenced after like
  2. Parameter 2, value: the parameter passed in

            <if test="null != username and '' != username">
                <bind name="username" value="'%'+username+'%'"/>
                username like #{username}
            </if>
            <if test="null != nickname and '' != nickname">
                <bind name="nickname" value="'%'+nickname+'%'"/>
                and nickname like #{nickname}
            </if>
            <if test="null != address and '' != address">
                <bind name="address" value="'%'+address+'%'"/>
                and address like #{address}
            </if>
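
Added example, not from the original post: the `bind` pattern above reaches the database as one bound parameter through `#{}`, so quotes in the input stay data, but `%` and `_` typed by the user still act as LIKE wildcards. The helper below escapes them before the pattern is built; the class name `LikePatterns`, the package `com.example`, the escape character `!` and the mapper lines in the comment are assumptions.

```java
package com.example; // assumed package name

/**
 * Hypothetical helper, not part of MyBatis. Assumed mapper usage:
 *   <bind name="pattern" value="@com.example.LikePatterns@contains(username)"/>
 *   username like #{pattern} escape '!'
 */
public final class LikePatterns {
    // '!' avoids the backslash, which MySQL also treats as a string-literal escape
    private static final char ESC = '!';

    private LikePatterns() {}

    /** Prefix the escape character and both LIKE wildcards with ESC. */
    public static String escape(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 8);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == ESC || c == '%' || c == '_') {
                sb.append(ESC);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Build a "contains" pattern whose only live wildcards are the outer two. */
    public static String contains(String raw) {
        return "%" + escape(raw) + "%";
    }

    public static void main(String[] args) {
        // Constructed sample inputs
        String[] samples = {"alice", "%", "50%_off", "a' OR '1'='1"};
        for (String s : samples) {
            System.out.println(s + " -> " + contains(s));
        }
    }
}
```

Keep the `<if>` null check from the snippet above around the `bind`, since `contains` does not accept null.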

Difference between the two

like concat:
(1) It uses the concat function to join strings. In MySQL this function supports multiple parameters, but other databases do not necessarily support multiple parameters, so compatibility is weak.
(2) Because it is used directly ('%' + parameter + '%'), in the case of SQL injection the SQL statement you wrote can be treated as different parts; that is, security is poor and it is easy to attack.

bind (recommended first):
(1) It works on all databases, so it is compatible.
(2) It can prevent SQL injection (better than like concat), so security is also strong.

Note: The syntax in the Oracle database is slightly different. Oracle's CONCAT accepts only two arguments, so the calls are nested:

like concat(concat('%',#{xxxxx}),'%')

Origin blog.csdn.net/XikYu/article/details/129275927