mabaishui

MyBatis: preventing SQL injection

1. References

http://my.oschina.net/chuibilong/blog/638950


Using the foreach tag to handle IN (...) conditions

http://blog.csdn.net/gchonghavefun/article/details/8214223/


2. Practice

List<OrderInfo> select2AllByBrands(@Param("paramBrands") List<Brand> brands, @Param("paramQuery") OrderInfo condition);


<!-- IN (...) list: foreach emits one #{} placeholder per element, so each brandId is bound as a parameter -->
<if test="paramBrands != null" >
    and brand.brand_id in
    <foreach collection="paramBrands" item="perBrand" open="(" close=")" separator=",">
        #{perBrand.brandId}
    </foreach>
</if>

<!-- LIKE conditions: the wildcards are added by concat() on the database side; the user value stays a bound #{} parameter -->
<if test="paramQuery.orderAddress != null" >
    and ord.order_address like concat('%', #{paramQuery.orderAddress}, '%')
</if>
<if test="paramQuery.shippingSn != null" >
    and brand.shipping_sn like concat('%', #{paramQuery.shippingSn}, '%')
</if>
<if test="paramQuery.orderId != null" >
    and info.order_id like concat('%', #{paramQuery.orderId}, '%')
</if>
<if test="paramQuery.goodsName != null" >
    and info.goods_name like concat('%', #{paramQuery.goodsName}, '%')
</if>
<if test="paramQuery.orderPayType != null" >
    and ord.order_pay_type = #{paramQuery.orderPayType}
</if>
<if test="paramQuery.orderInfoState != null" >
    and info.order_info_state = #{paramQuery.orderInfoState}
</if>
<!-- CDATA keeps the XML parser from reading the comparison operators as markup -->
<if test="paramQuery.startDate != null" >
    <![CDATA[and info.create_time >= #{paramQuery.startDate}]]>
</if>
<if test="paramQuery.endDate != null" >
    <![CDATA[and info.create_time <= #{paramQuery.endDate}]]>
</if>
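The reason the mapper above is safe is that MyBatis turns every `#{...}` into a `?` placeholder and binds the value through a JDBC PreparedStatement; the `<foreach>` block just produces one placeholder per list element. The following is an added example, not code from the original post or from MyBatis itself: a plain Java class that assembles the same conditions the way MyBatis does before handing them to JDBC, so you can see that user input only ever lands in the parameter list and never in the SQL text. The `Brand` and `OrderInfo` classes are simplified stand-ins for the page's beans, and the select/join part of the statement (not shown in the post) is left out; the fragment is meant to follow a `<where>` tag or a `where 1 = 1`.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example: builds the dynamic WHERE conditions of the mapper fragment
 * the way MyBatis does, separating SQL text (with '?' placeholders) from the
 * ordered list of values that would be bound with PreparedStatement.setObject().
 */
public class DynamicSqlDemo {

    // Hypothetical minimal stand-ins for the page's Brand and OrderInfo beans.
    static final class Brand {
        final long brandId;
        Brand(long brandId) { this.brandId = brandId; }
    }

    static final class OrderInfo {
        String orderAddress, shippingSn, orderId, goodsName;
        Integer orderPayType, orderInfoState;
        String startDate, endDate; // kept as strings for the demo
    }

    /** SQL text plus the parameter values, in the order of their '?' placeholders. */
    static final class BoundSql {
        final StringBuilder sql = new StringBuilder();
        final List<Object> params = new ArrayList<>();
        @Override public String toString() { return sql + "  params=" + params; }
    }

    /** Equivalent of the foreach block: "in (?, ?, ?)" with one bound value per element. */
    static void appendIn(BoundSql b, String column, List<Brand> brands) {
        // Same guard as the mapper's <if test="paramBrands != null">; an empty
        // list would yield "in ()", which is a syntax error, so it is skipped here too.
        if (brands == null || brands.isEmpty()) return;
        b.sql.append(" and ").append(column).append(" in (");
        for (int i = 0; i < brands.size(); i++) {
            b.sql.append(i == 0 ? "?" : ", ?");
            b.params.add(brands.get(i).brandId);
        }
        b.sql.append(")");
    }

    /** Equivalent of: and col like concat('%', #{v}, '%'); the wildcards are SQL literals, the value is a parameter. */
    static void appendLike(BoundSql b, String column, String value) {
        if (value == null) return;
        b.sql.append(" and ").append(column).append(" like concat('%', ?, '%')");
        b.params.add(value);
    }

    /** Equivalent of: and col <op> #{v}. */
    static void appendCompare(BoundSql b, String column, String op, Object value) {
        if (value == null) return;
        b.sql.append(" and ").append(column).append(' ').append(op).append(" ?");
        b.params.add(value);
    }

    static BoundSql build(List<Brand> brands, OrderInfo q) {
        BoundSql b = new BoundSql();
        appendIn(b, "brand.brand_id", brands);
        appendLike(b, "ord.order_address", q.orderAddress);
        appendLike(b, "brand.shipping_sn", q.shippingSn);
        appendLike(b, "info.order_id", q.orderId);
        appendLike(b, "info.goods_name", q.goodsName);
        appendCompare(b, "ord.order_pay_type", "=", q.orderPayType);
        appendCompare(b, "info.order_info_state", "=", q.orderInfoState);
        appendCompare(b, "info.create_time", ">=", q.startDate);
        appendCompare(b, "info.create_time", "<=", q.endDate);
        return b;
    }

    public static void main(String[] args) {
        // Constructed sample input: the apostrophe would break a string-spliced
        // query, but as a bound parameter it is just data.
        OrderInfo q = new OrderInfo();
        q.goodsName = "O'Neil 9-inch tablet";
        q.orderPayType = 2;
        q.startDate = "2016-01-01 00:00:00";
        List<Brand> brands = Arrays.asList(new Brand(10), new Brand(11), new Brand(12));
        System.out.println(build(brands, q));
    }
}
```

Running it prints a condition string containing only `?` placeholders, followed by the parameter list holding the three brand ids, the goods name with its apostrophe intact, the pay type and the start date. That separation is exactly what `#{}` gives you and what `${}` (plain text substitution) does not, which is why `${}` should be reserved for identifiers that come from trusted code, never from request input. One caveat on the mapper as written: `<if test="paramBrands != null">` only checks for null, so an empty list produces `in ()`, which the database rejects; adding `and paramBrands.size() > 0` to the test avoids that.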
