sql注入问题优化,order by 里面不能用下面这种方式,为了防止sql注入,验证输入的值是否合法,比如只能包含英文,数字和下划线应以英文开头
Map<String, Object> parameters = new HashMap<>();
sql.append(" where (lzbh like :keyword or lzmc like :keyword)");
parameters.put("keyword", "%" + page.getKeyword() + "%");
countSql.append(" qxdm = :qydm");
parameters.put("qydm", page.getQydm());
List<Long> bsmList
sql.append(" where bsm in(:bsmList)");
parameters.put("bsmList", bsmList);
查询时
Query query = entityManager.createNativeQuery(sql.toString());
parameters.forEach(query::setParameter);
List<HouseBuildingExcelDTO> excelDTOList = ModelMapperUtil.getStrictModelMapper().map(list, new TypeToken<List<HouseBuildingExcelDTO>>() {
}.getType());
CaseReportDO db = ModelMapperUtil.getStrictModelMapper().map(req, CaseReportDO.class);
pg数据库 date格式化
to_char(date_time,'yyyymmddHH24MIss')
标签:语句,bsmList,常用,keyword,parameters,开发,sql,put,append From: https://www.cnblogs.com/james-roger/p/18285749