Q&A: How can I use Dao to get rid of hard-coded values?
Posted 2325 days ago, author wx_m34egglpcj6gvjmpmeh7, 1902 views
Tags:
    pageNo = CommUtil.getPageNO(req);
    int pageSize = CommUtil.getPageSize(req);
    // "1=1" is a hard-coded placeholder so that every later filter can start with " and ".
    IRisunSQL sql = new RisunSQLHelp("1=1");
    String bData = req.getParameter("bDate");
    String eData = req.getParameter("eDate");
    // Each filter is appended only when the parameter is present (the checks must be negated;
    // as posted they appended the filter when the parameter was empty).
    // Note that the raw request values are spliced straight into the SQL string.
    if (!Strings.IsNullOrEmpty(req.getParameter("orderNo"))) {
        sql.append(" and orderNo ='" + req.getParameter("orderNo") + "'");
    }
    if (!Strings.IsNullOrEmpty(req.getParameter("orderStatus")) && !"-1".equals(req.getParameter("orderStatus"))) {
        sql.append(" and orderStatus = '" + req.getParameter("orderStatus") + "'");
    }
    if (!Strings.IsNullOrEmpty(req.getParameter("orderType")) && !"0".equals(req.getParameter("orderType"))) {
        sql.append(" and orderType = '" + req.getParameter("orderType") + "'");
    }
    if (!Strings.IsNullOrEmpty(bData) && !Strings.IsNullOrEmpty(eData)) {
        // Expand the two dates to a full-day range.
        bData += " 00:00:00";
        eData += " 23:59:59";
        sql.append(" and createDate BETWEEN '" + bData + "' and '" + eData + "'");
    }
    sql.append(" and softDelete='" + 0 + "' order by createDate desc");
    boolean ca = isOk(req.getParameter("orderNo"), bData, eData);
    if (ca) {
        pageNo = 0;
    }
    page = orderDao.findByWhere(sql, pageNo, pageSize);
7 replies

First define what you mean by a "hard-coded value".

Never splice req parameters straight into the SQL! You get injected instantly!

@wendal IRisunSQL sql = new RisunSQLHelp("1=1"); how do I avoid this kind of hard-coded value? Give me some ideas.

@lihongjie0209 IRisunSQL sql = new RisunSQLHelp("1=1"); I want to get rid of this kind of hard-coded value.
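The same filter built with Nutz's Cnd query builder, as an added example that is not code from the thread or from the poster's project: Cnd.where() opens the WHERE clause itself, so the "1=1" placeholder disappears, and every value is handed to the builder as a typed argument instead of being spliced into the string. `Order` is an assumed Nutz entity whose fields mirror the columns in the post (orderNo, orderStatus, orderType, createDate, softDelete).

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.nutz.dao.Cnd;
import org.nutz.dao.Dao;
import org.nutz.dao.pager.Pager;
import org.nutz.lang.Strings;

public class OrderQuery {
    private final Dao dao; // Nutz Dao, assumed to be injected by the container

    public OrderQuery(Dao dao) {
        this.dao = dao;
    }

    // Order is an assumed @Table entity mirroring the columns used in the post.
    public List<Order> findOrders(HttpServletRequest req, int pageNo, int pageSize) {
        String orderNo = req.getParameter("orderNo");
        String orderStatus = req.getParameter("orderStatus");
        String orderType = req.getParameter("orderType");
        String bDate = req.getParameter("bDate");
        String eDate = req.getParameter("eDate");

        // The soft-delete flag is the only fixed condition; it replaces the "1=1" placeholder
        // because Cnd.where() starts the WHERE clause and later and() calls chain onto it.
        Cnd cnd = Cnd.where("softDelete", "=", 0);
        if (!Strings.isBlank(orderNo))
            cnd.and("orderNo", "=", orderNo);
        // "-1" and "0" are the "all" sentinels the original form sends; they still deserve a constant.
        if (!Strings.isBlank(orderStatus) && !"-1".equals(orderStatus))
            cnd.and("orderStatus", "=", orderStatus);
        if (!Strings.isBlank(orderType) && !"0".equals(orderType))
            cnd.and("orderType", "=", orderType);
        if (!Strings.isBlank(bDate) && !Strings.isBlank(eDate)) {
            // Full-day range, expressed as two typed comparisons rather than a hand-built BETWEEN.
            cnd.and("createDate", ">=", bDate + " 00:00:00");
            cnd.and("createDate", "<=", eDate + " 23:59:59");
        }
        cnd.desc("createDate");

        // Paging through Dao's own Pager instead of passing pageNo/pageSize into raw SQL.
        Pager pager = dao.createPager(pageNo, pageSize);
        pager.setRecordCount(dao.count(Order.class, cnd));
        return dao.query(Order.class, cnd, pager);
    }
}
```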
