不能直接拼装sql,防注入的写法
import java.util.ArrayList;
import java.util.HashMap;
import com.isca.framework.utils.Util;
import java.util.Map;
import java.util.List;
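/**
 * Finds assets matching the given filters, additionally scoped to the current user's role.
 *
 * <p>Every caller-supplied value, including {@code status}, is bound as a named HQL
 * parameter instead of being concatenated into the query text, so input can only
 * change the compared value, never the structure of the query.
 *
 * @param assetName optional substring of the asset name ({@code like} match); ignored when empty
 * @param assetType optional comma-separated list of asset types; ignored when empty
 * @param status    required status value, matched exactly
 * @return the matching assets ordered by id descending
 * @throws IllegalArgumentException if {@code status} is empty
 */
public List<Asset> findBy(String assetName, String assetType, String status) {
    // The original inlined status into the HQL unquoted, which both allowed injection and
    // produced an unparsable query for an empty value; reject the empty case explicitly.
    if (Util.isEmpty(status)) {
        throw new IllegalArgumentException("status must not be empty");
    }
    List<String> roles = SpringSecurityUtils.getCurrentUserRoles(); // roles of the current user
    Map<String, Object> values = new HashMap<String, Object>();
    // NOTE(review): status used to be inlined without quotes; confirm the mapped type of
    // Asset.status accepts a String bind and convert here if the property is numeric.
    StringBuilder hql = new StringBuilder("from Asset where status = :status");
    values.put("status", status);
    if (!Util.isEmpty(assetName)) {
        hql.append(" and name like :name");
        // Wildcard characters inside assetName are not escaped, so a caller can widen the
        // match (not the query); escape them here if exact substring semantics are required.
        values.put("name", "%" + assetName + "%");
    }
    if (!Util.isEmpty(assetType)) {
        hql.append(" and type in (:type)");
        // Same split semantics as before: no trimming, empty segments are kept.
        List<String> types = new ArrayList<String>();
        for (String type : assetType.split(",")) {
            types.add(type);
        }
        values.put("type", types);
    }
    // A user whose only role is ROLE_OPERATOR may only see assets assigned to them.
    if (roles != null && roles.size() == 1 && "ROLE_OPERATOR".equals(roles.get(0))) {
        hql.append(" and personId = :personId");
        values.put("personId", SpringSecurityUtils.getUserId());
    }
    hql.append(" order by id desc");
    return this.assetDao.find(hql.toString(), values);
}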