我有一个可以有不同 where 子句的 sql 查询。我想将此子句动态插入到普通 sql 中:
val v1 = s"id = $id AND secondId IS NULL"
val v2 = s"secondId = $secondId"
val whereCondition = //v1 or v2 at runtime
val query = sql"select id from users where #$whereCondition"
如您所见,在 sql 注入的情况下是不安全的。有更安全的方法来构建这个 sql 吗?
【问题讨论】:
你可以有一个 queryConcatenator trait,它基本上将 SQLAction 组合在一起以动态创建 sql。
trait QueryConcatenator {
def concatQuery(firstQuery: SQLActionBuilder, secondQuery: SQLActionBuilder): SQLActionBuilder = {
SQLActionBuilder(
firstQuery.queryParts ++ secondQuery.queryParts,
new SetParameter[Unit] {
override def apply(v1: Unit, v2: PositionedParameters): Unit = {
firstQuery.unitPConv.apply(v1, v2)
secondQuery.unitPConv.apply(v1, v2)
}
}
)
}
然后你的 DbRepo 可以扩展连接器,你就在路上
class DbRepo extends QueryConcatenator {
def withDynamicFilter(maybeProductId:Option[Long]):Future[Vector[Product]] = {
val baseStatement = Seq(sql"""select * from products""")
val maybeFilter = if (maybeProductId.isEmpty) Seq(sql"") else Seq(sql" and productId = ${maybeProductId.get}")
val concatenatedSql = baseStatement ++ maybeFilter
val concatenatedActionBuilders =
concatenatedSql.reduce((query1, query2) => concatQuery(query1, query2))
db.run(concatenatedActionBuilders.as[Product])}
}
【讨论】: