关于毕设中使用hibernate的多条件模糊查询出现的还没有解决的bug的记录

来源：互联网发布：爱卿网络编辑：程序博客网时间：2024/06/10 07:41

毕设的项目中有这样的一个需求：

从GraduationSubject表中，根据所给的一些条件进行查询

其中departmentId必定存在，其他的可能存在，可能不存在

根据subjectName，teacherName，subjectOrientation条件进行模糊查询(like)

根据level，subjectType进行精确查询(=)

先前的代码如下:(不能防止sql注入攻击)

@Overridepublic List<GraduationSubject> findGraduationSubjectBySearchParam(String subjectName,String teacherName,String subjectOrientation,String level,String subjectType,Long departmentId) {Map<String,Object> params = new HashMap<String,Object>();StringBuffer query = new StringBuffer("Select Entity From GraduationSubject Entity where Entity.departmentId = :departmentId ");params.put("departmentId", departmentId);if(subjectName != "" && subjectName != null){query.append(" and Entity.subjectName like '%"+subjectName+"%'") ;}if(teacherName != "" && teacherName != null){query.append("and Entity.teacherName like '%"+teacherName+"%'");}if(subjectOrientation != "" && subjectOrientation != null){query.append("and Entity.subjectOrientation like '%"+subjectOrientation+"%'");}if(level != "" && level != null){query.append("and Entity.level = :level ");params.put("level", level);}if(subjectType != "" && subjectType != null){query.append("and Entity.subjectType = :subjectType ");params.put("subjectType", subjectType);}return this.list(GraduationSubject.class, query.toString(), params);}

sql注入的测试如下

@Testpublic void testQuery(){String subjectName = "测试";String teacherName = "测试";String subjectOrientation = "测试%' or 1 = 1 and teacherName like '%";String level = "简单";String subjectType = "毕业设计";System.out.println(this.graduationSubjectService.findGraduationSubjectBySearchParam(subjectName,teacherName,subjectOrientation,level,subjectType,1L).size());}

最后的代码，模糊查询使用的是Query.setParameter()方法,模糊查询处的sql片段拼写代码如下

@Overridepublic List<GraduationSubject> findGraduationSubjectBySearchParam(String subjectName,String teacherName,String subjectOrientation,String level,String subjectType,Long departmentId) {Map<String,Object> params = new HashMap<String,Object>();StringBuffer query = new StringBuffer("From GraduationSubject  where departmentId = :departmentId ");params.put("departmentId", departmentId);if(level != "" && level != null){query.append("and level = :level ");params.put("level", level);}if(subjectType != "" && subjectType != null){query.append("and subjectType = :subjectType ");params.put("subjectType", subjectType);}if(subjectName != "" && subjectName != null){query.append(" and subjectName like :subjectName") ;params.put("subjectName", "%"+subjectName+"%");}if(teacherName != "" && teacherName != null){query.append(" and teacherName like :teacherName ");params.put("teacherName", "%"+teacherName+"%");}if(subjectOrientation != "" && subjectOrientation != null){query.append(" and subjectOrientation like :subjectOrientation");params.put("subjectOrientation", "%"+subjectOrientation+"%");}return this.list(GraduationSubject.class, query.toString(), params);}

0 0