关于毕设中使用hibernate的多条件模糊查询出现的还没有解决的bug的记录
来源:互联网 发布:爱卿网络 编辑:程序博客网 时间:2024/06/10 07:41
毕设的项目中有这样的一个需求:
从GraduationSubject表中,根据所给的一些条件进行查询
其中departmentId必定存在,其他的可能存在,可能不存在
根据subjectName,teacherName,subjectOrientation条件进行模糊查询(like)
根据level,subjectType进行精确查询(=)
先前的代码如下:(不能防止sql注入攻击)
@Overridepublic List<GraduationSubject> findGraduationSubjectBySearchParam(String subjectName,String teacherName,String subjectOrientation,String level,String subjectType,Long departmentId) {Map<String,Object> params = new HashMap<String,Object>();StringBuffer query = new StringBuffer("Select Entity From GraduationSubject Entity where Entity.departmentId = :departmentId ");params.put("departmentId", departmentId);if(subjectName != "" && subjectName != null){query.append(" and Entity.subjectName like '%"+subjectName+"%'") ;}if(teacherName != "" && teacherName != null){query.append("and Entity.teacherName like '%"+teacherName+"%'");}if(subjectOrientation != "" && subjectOrientation != null){query.append("and Entity.subjectOrientation like '%"+subjectOrientation+"%'");}if(level != "" && level != null){query.append("and Entity.level = :level ");params.put("level", level);}if(subjectType != "" && subjectType != null){query.append("and Entity.subjectType = :subjectType ");params.put("subjectType", subjectType);}return this.list(GraduationSubject.class, query.toString(), params);}
sql注入的测试如下
@Testpublic void testQuery(){String subjectName = "测试";String teacherName = "测试";String subjectOrientation = "测试%' or 1 = 1 and teacherName like '%";String level = "简单";String subjectType = "毕业设计";System.out.println(this.graduationSubjectService.findGraduationSubjectBySearchParam(subjectName,teacherName,subjectOrientation,level,subjectType,1L).size());}
最后的代码,模糊查询使用的是Query.setParameter()方法,模糊查询处的sql片段拼写代码如下
@Overridepublic List<GraduationSubject> findGraduationSubjectBySearchParam(String subjectName,String teacherName,String subjectOrientation,String level,String subjectType,Long departmentId) {Map<String,Object> params = new HashMap<String,Object>();StringBuffer query = new StringBuffer("From GraduationSubject where departmentId = :departmentId ");params.put("departmentId", departmentId);if(level != "" && level != null){query.append("and level = :level ");params.put("level", level);}if(subjectType != "" && subjectType != null){query.append("and subjectType = :subjectType ");params.put("subjectType", subjectType);}if(subjectName != "" && subjectName != null){query.append(" and subjectName like :subjectName") ;params.put("subjectName", "%"+subjectName+"%");}if(teacherName != "" && teacherName != null){query.append(" and teacherName like :teacherName ");params.put("teacherName", "%"+teacherName+"%");}if(subjectOrientation != "" && subjectOrientation != null){query.append(" and subjectOrientation like :subjectOrientation");params.put("subjectOrientation", "%"+subjectOrientation+"%");}return this.list(GraduationSubject.class, query.toString(), params);}
0 0
- 关于毕设中使用hibernate的多条件模糊查询出现的还没有解决的bug的记录
- 关于hibernate的模糊查询.
- hibernate实现多条件组合的模糊查询
- hibernate 模糊查询中查询条件包含单引号的问题
- 关于hibernate模糊查询的不足
- hibernate查询满足指定条件的记录
- 在使用ibatis实现多条件模糊查询的语句
- mybatis多条件的模糊查询解决方案
- Linq 多条件模糊查询的方法
- mongoose 多条件模糊查询的实现
- Hibernate的条件查询
- 关于条件筛选出现的查询问题
- Hibernate的多条件查询通用方法(查询条件个数不限,能进行模糊、精确2种查...
- Hibernate中Criteria的使用(条件查询)
- 解决模糊查询的结果记录排序问题
- hibernate 关于date类型的模糊查询解决方法
- 关于记录的模糊搜索
- hibernate的模糊查询和sql查询
- hdoj 2111 Saving HDU
- javascript语言两种变量类型及存储方式
- 测试mysql单表排序是否有走索引
- 飞机调度
- dubbo源码分析-consumer端5-Filter
- 关于毕设中使用hibernate的多条件模糊查询出现的还没有解决的bug的记录
- Linux yum 软件安装
- synchronized使用
- 有关Java链表概念的有趣问题
- javascript笔记总结一
- mysql表导出导入测试(utf8-utf8)
- 强联通分量简讲(Tarjan算法)&&HDU 1269 迷宫城堡
- java--previousIndex()
- hadoop学习序曲之linux基础篇--linux的安装和使用