diff --git a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml
index a11ee5195a..e98d503b7d 100644
--- a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml
+++ b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml
@@ -42,8 +42,8 @@
     SELECT a.*, b.dept_name AS parent_name
     FROM sys_department a LEFT JOIN sys_department b ON a.parent_code=b.dept_code
     WHERE 1=1
-    <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like '%${deptCode}%' </if>
-    <if test="deptName!=null and deptName!=''"> AND a.`dept_name` like '%${deptName}%' </if>
+    <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like concat('%', #{deptCode}, '%')</if>
+    <if test="deptName!=null and deptName!=''"> AND a.`dept_name` like concat('%', #{deptName}, '%')</if>
     ORDER BY a.sort_order
   </select>
 
diff --git a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml
index 731bb700b3..55150e720c 100644
--- a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml
+++ b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml
@@ -31,8 +31,8 @@
   <select id="selectAll" resultMap="resultMap">
     SELECT * FROM sys_dict_item WHERE 1 = 1
     <if test="dictCode!=null and dictCode!=''"> AND `dict_code` = #{dictCode}</if>
-    <if test="itemCode!=null and itemCode!=''"> AND `item_code` like '%${itemCode}%'</if>
-    <if test="itemName!=null and itemName!=''"> AND `item_name` like '%${itemName}%'</if>
+    <if test="itemCode!=null and itemCode!=''"> AND `item_code` like concat('%', #{itemCode}, '%')</if>
+    <if test="itemName!=null and itemName!=''"> AND `item_name` like concat('%', #{itemName}, '%')</if>
     ORDER BY sort_order
   </select>
   <resultMap id="resultMap" type="org.apache.submarine.server.database.workbench.entity.SysDictItemEntity" extends="BaseEntityResultMap">
diff --git a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml
index 55db3a9b09..69e5de1b4e 100644
--- a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml
+++ b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml
@@ -31,8 +31,8 @@
   <select id="selectAll" parameterType="java.util.Map" resultMap="resultMap">
     SELECT * FROM sys_dict
     WHERE 1=1
-    <if test="dictCode!=null and dictCode!=''">AND `dict_code` like '%${dictCode}%'</if>
-    <if test="dictName!=null and dictName!=''">AND `dict_name` like '%${dictName}%'</if>
+    <if test="dictCode!=null and dictCode!=''">AND `dict_code` like concat('%', #{dictCode}, '%')</if>
+    <if test="dictName!=null and dictName!=''">AND `dict_name` like concat('%', #{dictName}, '%')</if>
     ORDER BY id
   </select>
   <resultMap id="resultMap" type="org.apache.submarine.server.database.workbench.entity.SysDictEntity" extends="BaseEntityResultMap">
diff --git a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml
index 49c4e9ec79..c24ad71e61 100644
--- a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml
+++ b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml
@@ -39,8 +39,8 @@
     SELECT a.*, b.dept_name FROM sys_user a LEFT JOIN sys_department b ON a.dept_code = b.dept_code
     WHERE 1 = 1
     <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` = #{deptCode}</if>
-    <if test="userName!=null and userName!=''"> AND a.`user_name` like '%${userName}%'</if>
-    <if test="email!=null and email!=''"> AND a.`email` like '%${email}%'</if>
+    <if test="userName!=null and userName!=''"> AND a.`user_name` like concat('%', #{userName}, '%')</if>
+    <if test="email!=null and email!=''"> AND a.`email` like concat('%', #{email}, '%')</if>
     ORDER BY a.create_time
   </select>
 
diff --git a/submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java b/submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java
index bbeb4aceb0..f3fbc12963 100644
--- a/submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java
+++ b/submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java
@@ -78,6 +78,19 @@ public void addUserTest() throws Exception {
             10);
     LOG.debug("userList.size():{}", userList.size());
     assertEquals(userList.size(), 1);
+
+    // Avoid sql injection.
+    // Issue: https://issues.apache.org/jira/browse/SUBMARINE-1361
+    List<SysUserEntity> sqlInjectTestList = userService.queryPageList(
+            String.format("%s' or 1=1 or 1='", sysUser.getUserName()),
+            null,
+            null,
+            null,
+            null,
+            0,
+            10);
+    assertEquals("SQL Injection Vulnerability Detected!", sqlInjectTestList.size(), 0);
+
     SysUserEntity user = userList.get(0);
 
     assertEquals(sysUser.getEmail(), user.getEmail());