Code snippet:

    String hql = "from PrpLregist p where registNo= '" + prpLregist.getRegistNo() + "'";
    List<PrpLregist> prpLregistList = super.findByHql(hql);

Problem: this carries an SQL injection risk. The registration number is concatenated directly into the HQL text, so any quote character in the value changes the structure of the query (Hibernate translates the HQL to SQL, so injected HQL becomes injected SQL). The correct approach is to bind the value as a query parameter:

    String hql = "from PrpLregist p where registNo= ?";
    List<PrpLregist> prpLregistList = super.findByHql(hql, prpLregist.getRegistNo());
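The following is an added illustration, not code from the project under review: a Hibernate DAO showing the concatenating query beside its parameterised replacement, plus a `findByHql(hql, params...)` helper of the kind the fix relies on. It assumes an injected `org.hibernate.Session` and an existing `PrpLregist` entity with a `registNo` property; the `findByRegistNoUnsafe`, `findByRegistNo` and `findByHql` names are hypothetical.

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.query.Query;

public class PrpLregistDao {
    // Assumption: a Hibernate Session is supplied by the caller/container.
    private final Session session;

    public PrpLregistDao(Session session) {
        this.session = session;
    }

    // Vulnerable form (as in the reviewed snippet): registNo becomes part of the
    // HQL source text, so a value containing a single quote alters the query.
    public List<PrpLregist> findByRegistNoUnsafe(String registNo) {
        String hql = "from PrpLregist p where p.registNo = '" + registNo + "'";
        return session.createQuery(hql, PrpLregist.class).getResultList();
    }

    // Fixed form: the value is bound as a named parameter. Hibernate sends it to
    // the database as data, never parses it as HQL, and quotes inside it are inert.
    public List<PrpLregist> findByRegistNo(String registNo) {
        String hql = "from PrpLregist p where p.registNo = :registNo";
        Query<PrpLregist> q = session.createQuery(hql, PrpLregist.class);
        q.setParameter("registNo", registNo);
        return q.getResultList();
    }

    // Generic helper in the spirit of findByHql(hql, params...): binds each
    // argument to JPA-style positional parameters ?1, ?2, ... in order.
    // Assumption: the Hibernate version in use accepts JPA-style ?N placeholders
    // (plain '?' positional parameters are deprecated in newer Hibernate releases).
    public <T> List<T> findByHql(Class<T> type, String hql, Object... params) {
        Query<T> q = session.createQuery(hql, type);
        for (int i = 0; i < params.length; i++) {
            q.setParameter(i + 1, params[i]);
        }
        return q.getResultList();
    }

    // Usage of the helper for the reviewed query.
    public List<PrpLregist> findByRegistNoViaHelper(String registNo) {
        return findByHql(PrpLregist.class,
                "from PrpLregist p where p.registNo = ?1", registNo);
    }
}
```

A grep for `"` + `...` + `"` patterns next to `createQuery`/`findByHql` calls is a cheap way to find other instances of the concatenating form in the same code base.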