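// Narrow the query by optional link-name / link-phone prefixes.
// Each condition adds a "?" placeholder and the value travels through
// "params", so user input is never spliced into the SQL text.
if (linkName != null && !"".equals(linkName)) {
    sql += " and linkname like ? ";
    // The driver quotes bound values itself: "'" + linkName + "%'" would make the
    // apostrophes part of the pattern and the LIKE would match nothing.
    // Note: "%" and "_" inside linkName still act as LIKE wildcards; escape them
    // (with an ESCAPE clause) if a literal match is required.
    params.add(linkName + "%");
}
if (linkPhone != null && !"".equals(linkPhone)) {
    sql += " and linkphone like ? ";
    params.add(linkPhone + "%");
}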
用PreparedStatement可以防注入。 注入就是传给的字段有可能是一条SQL语句。 比如,你要查用户,拼的SQL是 "select * from user where username='inputName'" 人家在页面给你传入的inputName是<'; delete user; select '> 你拼成的SQL就是"select * from user where username=''; delete user; select ''" 这样,你一执行就把自己的用户表数据全删除了。
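// Alternative: build the HQL with named parameters (":name", ":age") so the
// filter values are passed in the parameter map rather than concatenated into
// the query text. "实体类" (entity class), XXX and YYY are placeholders for the
// real entity and its fields.
实体类 a = new 实体类();
Map<String, Object> map = new HashMap<String, Object>();
StringBuilder hql = new StringBuilder();
// Keep the trailing space after "1=1" so appended conditions stay separated.
hql.append("from 实体类 as a where 1=1 ");
// Conditions must be joined with "and": "1=1 or ..." is always true and would
// silently disable the filter.
if (a.XXX != null && !a.XXX.trim().equals("")) {
    hql.append(" and a.XXX like :name ");
    map.put("name", "value1"); // placeholder for the pattern to bind
}
if (a.YYY != null && !a.YYY.trim().equals("")) {
    hql.append(" and a.YYY like :age ");
    map.put("age", "value2"); // placeholder for the pattern to bind
}
hibernate.find(hql.toString(), map);
//...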
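// Base query; optional filters are appended as named-parameter fragments and
// their values collected in "parms", which the DAO binds to the statement.
String sql = "select u.* from user u where 1=1";
StringBuilder condition = new StringBuilder();
Map<String, Object> parms = new HashMap<String, Object>();
String username = request.getParameter("username");
// getParameter returns null when the parameter is absent; treat it like "".
if (username != null && !"".equals(username)) {
    condition.append(" and u.username = :username");
    parms.put("username", username);
}
dao.findBySql(User.class, sql + condition.toString(), parms);
// The statement text and the parameter map are processed inside the DAO.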
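// Narrow the query by optional link-name / link-phone prefixes.
// Each condition adds a "?" placeholder and the value travels through
// "params", so user input is never spliced into the SQL text.
if (linkName != null && !"".equals(linkName)) {
    sql += " and linkname like ? ";
    // The driver quotes bound values itself: "'" + linkName + "%'" would make the
    // apostrophes part of the pattern and the LIKE would match nothing.
    // Note: "%" and "_" inside linkName still act as LIKE wildcards; escape them
    // (with an ESCAPE clause) if a literal match is required.
    params.add(linkName + "%");
}
if (linkPhone != null && !"".equals(linkPhone)) {
    sql += " and linkphone like ? ";
    params.add(linkPhone + "%");
}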
注入就是传给的字段有可能是一条SQL语句。
比如,你要查用户,拼的SQL是 "select * from user where username='inputName'"
人家在页面给你传入的inputName是<'; delete user; select '>
你拼成的SQL就是"select * from user where username=''; delete user; select ''"
这样,你一执行就把自己的用户表数据全删除了。
就用jdbc的?
用setObject,当然如果还有Null情况,就有个setNull2个循环好了
自从放弃hibernate以后,我就是这么干的,自己实现一下简单的orm就能解决大多数应用情景了
放弃hibernate以后,那就用ibatis
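// Build the HQL with named parameters (":name", ":age") so the filter values
// are passed in the parameter map rather than concatenated into the query
// text. "实体类" (entity class), XXX and YYY are placeholders for the real
// entity and its fields.
实体类 a = new 实体类();
Map<String, Object> map = new HashMap<String, Object>();
StringBuilder hql = new StringBuilder();
// Keep the trailing space after "1=1" so appended conditions stay separated.
hql.append("from 实体类 as a where 1=1 ");
// Conditions must be joined with "and": "1=1 or ..." is always true and would
// silently disable the filter.
if (a.XXX != null && !a.XXX.trim().equals("")) {
    hql.append(" and a.XXX like :name ");
    map.put("name", "value1"); // placeholder for the pattern to bind
}
if (a.YYY != null && !a.YYY.trim().equals("")) {
    hql.append(" and a.YYY like :age ");
    map.put("age", "value2"); // placeholder for the pattern to bind
}
hibernate.find(hql.toString(), map);
//...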
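// Optional filters are appended as named-parameter fragments and their values
// collected in "parms"; the DAO binds them, so request input never reaches the
// SQL text directly. "sql" (the base "... where 1=1" query) is declared earlier.
StringBuilder condition = new StringBuilder();
Map<String, Object> parms = new HashMap<String, Object>();
String username = request.getParameter("username");
// getParameter returns null when the parameter is absent; treat it like "".
if (username != null && !"".equals(username)) {
    condition.append(" and u.username = :username");
    parms.put("username", username);
}
dao.findBySql(User.class, sql + condition.toString(), parms);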
在dao中处理语句和map