# SQL拼接小技巧(一) #
2018/6/21 18:54:36
----------
**关键字: SQL , 1 = 1 ,1 = 2**
----------
如下代码中的SQL拼接使用了 1=1 和 1=2 来处理请求参数中条件为空的情况：1=1 让所有条件都为空时 WHERE 子句依然合法，1=2 让多个 OR 条件可以统一拼接。需要注意的是，这两个常量条件本身并不能阻止 SQL 注入，拼入 SQL 的请求参数值仍须改为绑定参数（如 ?1），否则攻击者仍可能通过注入猜测表名、字段名。
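/**
 * Pages through REAL_NAME_VERIFY_INFO rows that match the optional filters,
 * newest first and collapsed to one row per vin.
 * <p>
 * Every filter value taken from the request is bound as a JPA positional
 * parameter ({@code ?1}, {@code ?2}, ...) instead of being spliced into the
 * SQL text, so a caller cannot alter the statement's structure. The
 * {@code WHERE 1 = 1} / {@code ( 1 = 2 ... )} scaffolding only keeps the SQL
 * syntactically valid when a filter is absent; it is not what prevents
 * injection. Because the statement text now holds placeholders only, the
 * logged SQL no longer contains names or phone numbers.
 *
 * @param vin        substring match on {@code r.vin}; blank means no filter.
 *                   {@code %} and {@code _} inside the value still act as LIKE
 *                   wildcards, as before
 * @param name       exact match on {@code r.userName}; blank means no filter
 * @param phoneNum   exact match on {@code r.phoneNum}; blank means no filter
 * @param status     comma-separated list of VERIFYING / SUCCEED / FAILED;
 *                   unknown entries are ignored (no trimming is applied). Blank
 *                   selects every status except UNVERIFY, SUBMITED, PIC_DEALING,
 *                   PIC_WAITING, CANCEL and SUBMITTING
 * @param dealerCode exact match on {@code r.dealerCode}; blank means no filter
 * @param type       exact match on {@code r.type}; blank means no filter
 * @param startTime  inclusive lower bound on {@code r.createdTime}, epoch millis;
 *                   {@code <= 0} means no bound
 * @param endTime    exclusive upper bound on {@code r.createdTime}, epoch millis;
 *                   {@code <= 0} means no bound
 * @param pageIndex  1-based page number
 * @param pageSize   rows per page
 * @return the requested page plus the total number of distinct vins matching
 *         the filters
 * @throws IllegalArgumentException if {@code pageIndex < 1} or {@code pageSize < 1}
 */
public DomainPage<RealNameVerifyInfo> getVerifyList(String vin, String name, String phoneNum, String status,
String dealerCode, String type, long startTime,
long endTime, int pageIndex, int pageSize) {
    if (pageIndex < 1 || pageSize < 1) {
        throw new IllegalArgumentException(
                "pageIndex and pageSize must be >= 1, got " + pageIndex + " and " + pageSize);
    }
    // Bound values, in the order their "?N" placeholder was appended to sb.
    List<Object> params = new java.util.ArrayList<Object>();
    StringBuilder sb = new StringBuilder("SELECT * FROM REAL_NAME_VERIFY_INFO r WHERE 1 = 1 ");
    if (StringUtils.isNotBlank(vin)) {
        appendCondition(sb, params, " and r.vin like ", "%" + vin + "%");
    }
    if (StringUtils.isNotBlank(name)) {
        appendCondition(sb, params, " and r.userName = ", name);
    }
    if (StringUtils.isNotBlank(dealerCode)) {
        appendCondition(sb, params, " and r.dealerCode = ", dealerCode);
    }
    if (StringUtils.isNotBlank(type)) {
        appendCondition(sb, params, " and r.type = ", type);
    }
    if (StringUtils.isNotBlank(phoneNum)) {
        appendCondition(sb, params, " and r.phoneNum = ", phoneNum);
    }
    if (startTime > 0) {
        // createdTime is compared against the same textual date format as before.
        appendCondition(sb, params, " and r.createdTime >= ", DateUtilsXX.dateToString(new Date(startTime), 1));
    }
    if (endTime > 0) {
        appendCondition(sb, params, " and r.createdTime < ", DateUtilsXX.dateToString(new Date(endTime), 1));
    }
    if (StringUtils.isNotBlank(status)) {
        // "1 = 2" is the neutral element for OR, so every accepted status is appended the same way.
        sb.append(" and ( 1 = 2 ");
        for (String wanted : status.split(",")) {
            if ("VERIFYING".equals(wanted) || "SUCCEED".equals(wanted) || "FAILED".equals(wanted)) {
                appendCondition(sb, params, " or ( r.status = ", wanted);
                sb.append(")");
            }
        }
        sb.append(" ) ");
    } else {
        // String.valueOf mirrors the old StringBuilder.append(Object) conversion of these constants.
        Object[] hidden = {
            VerifyStatus.UNVERIFY, VerifyStatus.SUBMITED, VerifyStatus.PIC_DEALING,
            VerifyStatus.PIC_WAITING, VerifyStatus.CANCEL, VerifyStatus.SUBMITTING
        };
        for (Object excluded : hidden) {
            appendCondition(sb, params, " and r.status != ", String.valueOf(excluded));
        }
    }
    String sql = sb.toString();
    // NOTE(review): "SELECT a.* ... GROUP BY a.vin" relies on the database permitting
    // non-aggregated columns in a grouped select (MySQL-style) — confirm against the target DB.
    String pageSql = " SELECT a.* FROM ( " + sql + " ORDER BY r.createdTime DESC ) as a GROUP BY a.vin ORDER BY a.createdTime DESC";
    String countSql = " SELECT count(*) FROM ( " + sql + " GROUP BY r.vin ) as a";
    // Only placeholders reach the log; the bound values are deliberately not logged.
    log.info(pageSql);
    Query pageQuery = bindParams(em().createNativeQuery(pageSql, RealNameVerifyInfo.class), params);
    pageQuery.setFirstResult((pageIndex - 1) * pageSize);
    pageQuery.setMaxResults(pageSize);
    @SuppressWarnings("unchecked") // native query mapped to RealNameVerifyInfo.class above
    List<RealNameVerifyInfo> verifyInfoList = pageQuery.getResultList();
    Query countQuery = bindParams(em().createNativeQuery(countSql), params);
    // count(*) arrives as a driver-specific Number; parsing its string form works for all of them.
    long count = Long.parseLong(String.valueOf(countQuery.getResultList().get(0)));
    DomainPage<RealNameVerifyInfo> domainPage = new DomainPage<RealNameVerifyInfo>(pageSize, pageIndex, count);
    domainPage.setDomains(verifyInfoList);
    return domainPage;
}

/**
 * Appends {@code clause} followed by the next positional placeholder ({@code ?N})
 * to {@code sb} and records {@code value} as the value to bind for it.
 */
private static void appendCondition(StringBuilder sb, List<Object> params, String clause, Object value) {
    params.add(value);
    sb.append(clause).append('?').append(params.size()).append(' ');
}

/** Binds {@code params} to {@code ?1..?n} on {@code query}, in order, and returns the query for chaining. */
private static Query bindParams(Query query, List<Object> params) {
    for (int i = 0; i < params.size(); i++) {
        query.setParameter(i + 1, params.get(i));
    }
    return query;
}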
原文地址:https://www.cnblogs.com/zhangqingyan/p/9210578.html