问题:使用in查询查询出一批数据,in查询的参数是字符串拼接的。调试过程中,把mybatis输出的sql复制到navicat中,在控制台将sql的参数也复制出来,替换到sql的字符 '?' 的位置,执行sql,能查询到数据,但是java程序无法查询到数据。
原因:因为mybatis的参数占位符以#字符开头的参数,在处理过程中会自动给参数加引号,及一些字符过滤处理(例如防止sql注入等等)
解决方式: in查询的参数占位符换成字符$开头,因为mybatis在处理 $ 开头的参数占位符时候不会给参数加引号及其他额外处理(例如sql注入字符过滤),使用的是参数原值。
mybatis 参数查询修改前片段
AND a.source in (#{source})
mybatis 参数查询修改后片段
AND a.source in (${source})
其他: 因为mybatis的参数占位符以#字符开头的参数,在处理过程中会自动给参数加引号,那么是加单引号还是双引号呢?
实际上mybatis对这个#开头的参数参数进行了参数化处理,防止注入。
如果参数拼接 top_news','net_music','knowledge_sns','wb ,如果#开头参数处理是单纯加单引号,那么sql条件语句如果变成如下这样,是可以查询到数据的,但是结果是没有查询到数据,说明,时间拼接的数据不是如下的结果,结果是#开头的参数不是单纯的加单引号处理
AND a.source in ('top_news','net_music','knowledge_sns','wb')
如果参数拼接使用双引号拼接如下 top_news","net_music","knowledge_sns","wb ,如果#开头参数处理是单纯加双引号,那么sql条件语句如果变成如下这样,是可以查询到数据的,但是结果是没有查询到数据,说明,实际拼接的数据不是如下的结果,结果是#开头的参数不是单纯的加双引号处理
AND a.source in ("top_news","net_music","knowledge_sns","wb")
至于#开头的参数到底怎么处理的,既不是单纯加单引号也不是单纯加双引号,具体做了哪些处理,请阅读源码。反正mybatis进行in查询时,参数是拼接好的字符串的时候,参数占位符使用$,而不使用#,在使用$做参数占位符时候,给参数赋值前确保代码里做了防注入处理或者已知的代码是安全的不存在sql注入的,可以直接使用$作为参数占位符。
mybatis xml 文件(修改前),in查询参数使用占位符使用字符#
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.thinkgem.jeesite.modules.backend.dao.ChannelDao">
<sql id="channelColumns">
a.id AS "id",
a.name AS "name",
a.source AS "source",
a.url AS "url",
a.create_by AS "createBy.id",
a.update_by AS "updateBy.id",
a.update_date AS "updateDate",
a.create_date AS "createDate",
a.remarks AS "remarks",
a.del_flag AS "delFlag"
</sql>
<sql id="channelJoins">
</sql>
<select id="findList" resultType="Channel">
SELECT
<include refid="channelColumns"/>
FROM mkt_channel a
<include refid="channelJoins"/>
<where>
a.del_flag = #{DEL_FLAG_NORMAL}
<if test="source != null and source!=''">
AND a.source in (#{source})
</if>
<if test="createBy != null">
AND a.create_by = #{createBy.id}
</if>
</where>
<choose>
<when test="page !=null and page.orderBy != null and page.orderBy != ''">
ORDER BY ${page.orderBy}
</when>
<otherwise>
ORDER BY a.update_date DESC
</otherwise>
</choose>
</select>
</mapper>
ChannelController.java
@Controller
@RequestMapping(value = "${a}/backend/channel")
public class ChannelController extends BaseController {
@Autowired
private ChannelService channelService;
@Autowired
private SystemService systemService;
@RequiresPermissions("backend:channel:view")
@RequestMapping(value = {"list", ""})
public String list(Channel channel, HttpServletRequest request, HttpServletResponse response, Model model) {
String sourceName= request.getParameter("sourceName");
String srcStr = null;
boolean srcFindDo = false;
if(StringUtils.isNotEmpty(sourceName)) {
Map<String, Object> findedChannelMap = SourceUtils.getInstance().searchSourceList(sourceName);
srcStr = (String) findedChannelMap.get("srcStr");
srcFindDo = true;
}
String createBy = request.getParameter("createBy");
channel.setCreateBy(null);
createBy = XssFilter.getInstance().cleanXssChars(createBy);
if(StringUtils.isNotEmpty(createBy)) {
User user = systemService.getUserById(createBy);
if(null != user) {
channel.setCreateBy(user);
}
}
Page<Channel> page = new Page<>();
if(srcFindDo && StringUtils.isEmpty(srcStr)){
page.setList(new ArrayList<>());
page.setPageNo(0);
page.setPageSize(0);
page.setCount(0);
page.setMessage("没有找到数据");
}
else {
channel.setUtmSource(labelStr);
page = channelService.findPage(new Page<Channel>(request, response), channel);
}
model.addAttribute("page", page);
return "modules/backend/channelList";
}
}
SourceUtils.java
package com.thinkgem.jeesite.common.utils;
import com.thinkgem.jeesite.modules.backend.entity.ChannelSource;
import com.thinkgem.jeesite.modules.sys.entity.Dict;
import com.thinkgem.jeesite.modules.sys.utils.DictUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.*;
public class SourceUtils {
private Logger logger = LogManager.getLogger(SourceUtils.class);
private ChannelSourceFacade channelSourceFacade;
private static SourceUtils instance;
private SourceUtils() {
channelSourceFacade = SpringContextHolder.getBean(ChannelSourceFacade.class);
}
public static SourceUtils getInstance() {
if (null == instance) {
instance = new SourceUtils();
}
return instance;
}
/**
* 获取所有的来源列表
* @return
*/
public List<ChannelSource> getAllSource() {
List<ChannelSource> dataList = new ArrayList<>();
Response<List<ChannelSource>> response = channelSourceFacade.getChannelSourceList();
dataList = response.getData();
return dataList;
}
/**
* 根据来源名称模糊查找渠道
* @return
*/
public Map<String,Object> searchChannelList(String label,String desc,String code) {
Map<String,Object> dictMap = new HashMap<>();
String labelStr = "";
List<ChannelSource> findedList = new ArrayList<>();
List<ChannelSource> srcList = getAllChannelDict();
if(null != srcList && srcList.size() > 0) {
for (ChannelSource item : srcList) {
if (dictMap.containsKey(item.getLabel())) {
continue;
}
if(channelMatch(name,item)) {
findedList.add(item);
srcStr = String.format("%s'%s',",srcStr,item.getLabel());
}
}
}
if(srcStr.length() > 1) {
//移除最后一个逗号和2个引号
srcStr = srcStr.substring(0, srcStr.length() - 1);
}
dictMap.put("srcStr",srcStr);
dictMap.put("findedList",findedList);
return dictMap;
}
private boolean channelMatch(String sourceName,Dict item) {
boolean result = true;
name = null == name ? "" : name;
if (StringUtils.isNotEmpty(name)) {
if (dict.getDescription().indexOf(desc) == -1) {
result = false;
return result;
}
}
return result;
}
}