mihutao

Using the <bind> tag to prevent SQL injection in fuzzy (LIKE) queries

Concatenating a LIKE pattern into the statement text (for example `like '%${name}%'`) splices the raw value into the SQL and is injectable. With `<bind>`, the `'%' + name + '%'` pattern is assembled in OGNL as a plain value and then referenced with `#{content}`, so MyBatis sends it as a PreparedStatement parameter rather than as SQL text:

    <select id="......" parameterType="......" resultType="......">
        select
        *
        from
        user
        where
        state=1
        <if test="name != null">
            <!-- build the pattern as a value in OGNL (plain quotes, no backslashes), then bind it with #{} -->
            <bind name="content" value="'%' + name + '%'" />
            and name like #{content}
        </if>
        <if test="questionType != null">
            <!-- the property tested and the property bound must be the same one -->
            and type = #{questionType}
        </if>
        order by create_time desc
    </select>
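The following is an added example, not code from the original post or from MyBatis. It uses Python's built-in sqlite3 module and a constructed `user` table to show the difference between the two mapper styles: `search_concat` does what `${name}` does (splices the value into the SQL text), and `search_bound` does what `<bind>` plus `#{content}` does (builds the `%...%` pattern in code and passes it as a bind parameter). A third variant, `search_bound_escaped`, adds the caveat that binding does not neutralise LIKE's own wildcards: a user-supplied `%` or `_` is still a wildcard unless escaped with an ESCAPE clause. The table name, column names and sample rows are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
# id, name, state, create_time
ROWS = [
    (1, "alice", 1, "2024-01-01"),
    (2, "bob", 1, "2024-01-02"),
    (3, "carol_admin", 0, "2024-01-03"),  # state=0: must never be returned
    (4, "100%", 1, "2024-01-04"),         # name containing a LIKE wildcard
]


def setup() -> sqlite3.Connection:
    """In-memory table standing in for the `user` table of the mapper."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table user (id integer, name text, state integer, create_time text)"
    )
    conn.executemany("insert into user values (?, ?, ?, ?)", ROWS)
    return conn


def search_concat(conn: sqlite3.Connection, name: str) -> list[int]:
    """What `like '%${name}%'` amounts to: the value becomes part of the SQL text."""
    sql = (
        "select id from user where state=1 and name like '%"
        + name
        + "%' order by create_time desc"
    )
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn: sqlite3.Connection, name: str) -> list[int]:
    """Equivalent of <bind name="content" value="'%' + name + '%'"/> ... like #{content}:
    the pattern is assembled in code and sent as a bind parameter, never as SQL text."""
    content = "%" + name + "%"
    sql = "select id from user where state=1 and name like ? order by create_time desc"
    return [row[0] for row in conn.execute(sql, (content,))]


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so user input matches literally inside the pattern."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_bound_escaped(conn: sqlite3.Connection, name: str) -> list[int]:
    """Bound pattern plus ESCAPE: '%' and '_' typed by the user are no longer wildcards."""
    content = "%" + escape_like(name) + "%"
    sql = (
        "select id from user where state=1 and name like ? escape '\\' "
        "order by create_time desc"
    )
    return [row[0] for row in conn.execute(sql, (content,))]


if __name__ == "__main__":
    conn = setup()
    payload = "' or 1=1 -- "
    print("concat, payload :", search_concat(conn, payload))        # leaks the state=0 row
    print("bound,  payload :", search_bound(conn, payload))         # payload is just a string
    print("bound,  '%'     :", search_bound(conn, "%"))             # wildcard still expands
    print("escaped,'%'     :", search_bound_escaped(conn, "%"))     # matches only the literal %
```

With the payload `' or 1=1 -- `, the concatenated query returns every row including the disabled `carol_admin`, because the rest of the WHERE clause and the ORDER BY are commented out; the bound query returns nothing, since the same bytes are only ever compared as a pattern. The last two calls show why escaping is still worth adding on top of `<bind>`: a bare `%` from the user matches every active row, which is not injection but can turn a targeted lookup into a full-table scan.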
