香港VPS的mybatis模糊查询如何防止sql注入

已关闭留言

香港VPS的mybatis模糊查询防止sql注入的方法:

bind + #{}模糊查询可以防止SQL注入,bind元素可以从OGNL表达式中创建一个变量并将其绑定到上下文,例如:

<select id=”selectBlogsLike” resultType=”Blog”>

<bind name=”pattern” value=”‘%’ + _parameter.getTitle() + ‘%'” />

SELECT * FROM BLOG

WHERE title LIKE #{pattern}

</select>

sql

<select id=”getInfo” resultType=”cn.xm.exam.bean.haul.Haulinfo”

parameterType=”hashmap”>

SELECT * FROM haulinfo

<where>

<if test=”name != null”>

<bind name=”names” value=”‘%’+name+’%'” />

and bigname like #{names}

</if>

<if test=”status != null”>

and bigStatus = #{status}

</if>

</where>

</select>

java测试方法:

@Test

public void test1() throws SQLException {

Map condition = new HashMap();

condition.put(“name”, “%’ and bigdescription like ‘阳城“);

condition.put(“status”, “未开始“);

testMapper.getInfo(condition);

}