Preventing SQL injection in IN clauses with @Select and @SelectProvider

2020-07-14  _abab

MyBatis version 3.4.5

1. @Select

@Select({
    "<script>",
    "select ",
    "mysection ",
    "from test_my_table ",
    "where myNo in ",
    "<foreach collection='userDefParamName' item='yourselfItem' open='(' separator=',' close=')'>",
    "#{yourselfItem}",
    "</foreach>",
    "</script>"
})
String getMysection(@Param("userDefParamName") List<?> whateverName);

2. @SelectProvider

@SelectProvider(type = AAA.class, method = "getMysection")
String getMysection(@Param("userDefParamName") List<?> whateverName);

Using the <foreach> approach here raises an error. Some say this is caused by the old version and that 3.5.1 or above works; you can verify that yourself. The workaround for this version is described below:

public class AAA {

    // Provider method for the mapper above. The Java parameter may have any name;
    // the #{...} placeholders refer to the @Param name, which MyBatis resolves as
    // userDefParamName[0], userDefParamName[1], ... against the list, so each
    // element is bound as a parameter instead of being concatenated into the SQL.
    public String getMysection(@Param("userDefParamName") List<?> whateverName) {
        StringBuilder sql = new StringBuilder();
        sql.append("select mysection from test_my_table ");
        sql.append(" where myNo IN ");
        if (whateverName.size() > 0) {
            sql.append("(");
            for (int i = 0; i < whateverName.size(); i++) {
                if (i > 0) {
                    sql.append(",");
                }
                sql.append("#{userDefParamName[");
                sql.append(i);
                sql.append("]}");
            }
            sql.append(")");
        }
        return sql.toString();
    }
}
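As an added example (not code from the original post), the same placeholder-per-element technique with the empty-list case handled, shown beside the string-concatenation form it replaces so the difference in the generated SQL text is visible. The class name SafeInProvider, the method name selectByIds and the parameter name ids are assumptions; the table and column names are the post's own. The sample ids are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.apache.ibatis.annotations.Param;

// Added example, not from the original post. Names are assumptions. Intended for use as:
//   @SelectProvider(type = SafeInProvider.class, method = "selectByIds")
//   List<String> selectByIds(@Param("ids") List<String> ids);
public class SafeInProvider {

    // Safe form: one #{ids[i]} placeholder per element. The SQL text contains only
    // placeholders; MyBatis binds each list element as a parameter at execution time.
    // An empty or null list yields a query that matches nothing instead of the
    // invalid "IN ()" (or the truncated "IN " that the original code would emit).
    public String selectByIds(@Param("ids") List<?> ids) {
        StringBuilder sql = new StringBuilder("select mysection from test_my_table where ");
        if (ids == null || ids.isEmpty()) {
            return sql.append("1 = 0").toString();
        }
        sql.append("myNo IN (");
        for (int i = 0; i < ids.size(); i++) {
            if (i > 0) {
                sql.append(",");
            }
            sql.append("#{ids[").append(i).append("]}");
        }
        return sql.append(")").toString();
    }

    // Unsafe form, shown only for contrast: the values themselves are spliced into
    // the SQL text, so a value containing a quote changes the statement. Do not use.
    static String unsafeSelectByIds(List<String> ids) {
        return "select mysection from test_my_table where myNo IN ('"
                + String.join("','", ids) + "')";
    }

    // Constructed input: one ordinary id and one value that carries a quote.
    public static void main(String[] args) {
        List<String> ids = Arrays.asList("A001", "A002') OR ('1'='1");
        SafeInProvider p = new SafeInProvider();

        // The safe text holds placeholders only; no user data appears in it.
        String safe = p.selectByIds(ids);
        System.out.println(safe);
        if (safe.contains("'")) {
            throw new AssertionError("user data leaked into SQL text");
        }

        // The unsafe text carries the raw values, quote included.
        System.out.println(unsafeSelectByIds(ids));

        // Empty-list edge case.
        System.out.println(p.selectByIds(Collections.emptyList()));
    }
}
```

MyBatis turns each #{ids[i]} into a JDBC ? and binds the element's value, which is what keeps the data out of the statement text. One practical caveat: an IN list with thousands of elements produces as many bound parameters, and some databases and drivers cap the number of parameters or IN-list entries per statement, so very large id sets should be split into batches.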