/**
* 防止sql注入 改造成直接用prepareStatement 预处理sql
*
* @param sql
* @param params
* @return
*/
@Override
public List<Map<String, Object>> executeSql(String sql, Object[] params) {
log.debug("----【queryServiceDAOImpl.executeSql】入参 : " + sql + " params= " + params);
System.out.println(sql);
System.out.println(params);
Connection conn = null;
ResultSet rs = null;
PreparedStatement ps = null;
List<Map<String, Object>> mapList = new ArrayList<>();
try {
//sqlsessionTemplate是mybatis整合Spring包里面的
conn = sqlSessionTemplate.getConnection();
ps = conn.prepareStatement(sql);
if (params != null) {
// 欲处理 数据
for (int i = 0; i < params.length; i++) {
ps.setObject(i + 1, params[i]);
}
//精髓的地方就在这里,
// 类ResultSet有getMetaData()会返回数据的列和对应的值的信息,
// 然后我们将列名和对应的值作为map的键值存入map对象之中...将响应结果封装到map中
rs = ps.executeQuery();
ResultSetMetaData rsmd = rs.getMetaData();
while (rs.next()) {
Map<String, Object> map = new HashMap<>();
for (int i = 0; i < rsmd.getColumnCount(); i++) {
String col_name = rsmd.getColumnLabel(i + 1);
Object col_value = rs.getObject(col_name);
if (col_value == null) {
col_value = "";
}
map.put(col_name, col_value);
}
mapList.add(map);
}
}
return mapList;
} catch (Exception throwables) {
log.error("--------------");
return null;
}finally {
try {
if (ps != null) {
ps.close();
}
if (rs != null) {
rs.close();
}
} catch (SQLException throwables) {
log.error("--------------");
}
}
}
sql
select a.user_id userId,a.name userName,a.password userPwd
from u_user a where a.name = ?
and a.password = ?、、
==========================>
usern=1 password =2
``
`