sql注入 过滤_mybatis sql注入_sql注入攻击

Parameter

1. 传入简单类型

JA代码:

public User get(Long id) {	
	return (User) getSqlSession().selectOne("com.liulanghan.get" , id);
}

MAPPER :

<select id="findUserListByIdList" parameterType="java.lang.Long" resultType="User">
		select * from user where  id = #{id};
</select>

2. 传入List

JA代码:

public List<Area> findUserListByIdList(List<Long> idList) {
		return getSqlSession().selectList("com.liulanghan.findUserListByIdList", idList);
	}

MAPPER :

    <select id="findUserListByIdList" parameterType="java.util.ArrayList" resultType="User">
		select * from user user
		<where>
			user.ID in (
			<foreach item="guard" index="index" collection="list"
				separator=","> #{guard} </foreach>
			)
		</where>
	</select> 

单独传入list时，foreach中的collection必须是list，不不管变量的具体名称是什么。比如这里变量名为idList，

collection却是是list。

3. 传入数组

JA代码:

public List<Area> findUserListByIdList(int[] ids) {
		return getSqlSession().selectList("com.liulanghan.findUserListByIdList", ids);
	}

MAPPER :

 <select id="findUserListByIdList" parameterType="java.util.HashList" resultType="User">
		select * from user user
		<where>
			user.ID in (
			<foreach item="guard" index="index" collection="array"
				separator=","> #{guard} </foreach>
			)
		</where>
	</select>   

单独传入数组时，foreach中的collection必须是array，不不管变量的具体名称是什么。比如这里变量名为ids，

collection却是是array

4. 传入map

JA代码:

public boolean exists(Map<String, Object> map){
		Object count = getSqlSession().selectOne("com.liulanghan.exists", map);
		int totalCount = Integer.parseInt(count.toString());
		return totalCount > 0 ? true : false;
	}

本文来自电脑杂谈，转载请注明本文网址：
http://www.pc-fly.com/a/jisuanjixue/article-35320-1.html