如果你使用的是框架方式写的sql,就没问题,比如JPA支持@Query查询,
UserInfoRepository
/**
* @Author ZGM
* @DateTime 2022/1/24
* @description
*/
@Repository
public interface UserInfoRepository extends JpaRepository<UserInfo, Long>, JpaSpecificationExecutor<UserInfo> {
@Query(value = "select * from user_info info where info.profession = ?1",nativeQuery = true)
Page<UserInfo> selectAll(String profession, Pageable pageable);
}
UserService
/**
* @Author ZGM
* @DateTime 2022/1/4
* @description
*/
@Service
@RequiredArgsConstructor
@RefreshScope
public class UserService extends KeyGenService {
private final UserInfoRepository infoRepository;
@PersistenceContext
private EntityManager entityManager;
public Object list4(String profession){
Pageable pageable = PageRequest.of(0,15);
StringBuilder nativeQuerySql;
StringBuilder nativeCountSql;
Query dataQuery;
Query countQuery;
Map<String, Object> properties = Maps.newHashMap();
List<Map<String, Object>> resultList;
long totalEles;
nativeQuerySql = new StringBuilder("SELECT * FROM user_info ");
nativeCountSql = new StringBuilder("SELECT COUNT(*) FROM ( SELECT * FROM user_info ");
if (profession != null) {
nativeQuerySql.append(" where profession = profession ");
nativeCountSql.append(" where profession = profession ");
}
nativeCountSql.append(" ) as X ");
dataQuery = entityManager.createNativeQuery(nativeQuerySql.toString());
countQuery = entityManager.createNativeQuery(nativeCountSql.toString());
dataQuery.setFirstResult((int) pageable.getOffset());
dataQuery.setMaxResults(pageable.getPageSize());
dataQuery.unwrap(NativeQueryImpl.class).setResultTransformer(Transformers.ALIAS_TO_ENTITY_MAP);
totalEles = countQuery.getResultList() == null || countQuery.getResultList().size() == 0 ? 0 : Long.parseLong(countQuery.getResultList().get(0).toString());
resultList = dataQuery.getResultList();
return new PageImpl<>(resultList, pageable, totalEles);
}
public Page<UserInfo> list1(String profession){
Pageable pageable = PageRequest.of(0,15);
return infoRepository.selectAll(profession, pageable);
}
}
UserController
/**
* @Author ZGM
* @DateTime 2022/1/24
* @description
*/
@RestController
@RequestMapping("/v1/user")
@RequiredArgsConstructor
public class UserController {
private final UserService userService;
@PostMapping("/list4")
public Object list4(@RequestParam(required = false) String profession){
return userService.list4(profession);
}
@PostMapping("/list1")
public Object list1(@RequestParam String profession){
return userService.list1(profession);
}
}
当调用/list1接口时,传递的参数值为“通信”,打印的sql如下图所示,没有直接把参数值加进去,而是用?替代,之就说明框架自己做了防止SQL注入的处理
Hibernate: select * from user_info info where info.profession = ? limit ?
当调用/list4接口时,传递的参数值为“通信”,打印的sql如下图所示,直接把参数值加进去,这就没有做防止SQL注入的处理
Hibernate: SELECT * FROM user_info info where info.profession = '通信' limit ?
其他的框架应该也有类似的操作,只需要把sql打印出对比一下就知道了。