SQL injection fix

Named bind parameters cannot be used inside ORDER BY (a column name is an identifier, not a value, so the driver cannot bind it). To prevent SQL injection there, validate the sort column before concatenating it: only letters, digits and underscores are allowed, and the value must start with a letter. Better still, also check it against a whitelist of columns that may actually be sorted on.

For WHERE values, bind everything as named parameters:

    // java.util.Map / HashMap; sql and countSql are StringBuilders
    Map<String, Object> parameters = new HashMap<>();

    // LIKE: the "%" wildcards are added to the bound value, never to the SQL text.
    // Caveat: "%" and "_" inside the user keyword still act as wildcards; escape them if a literal match is wanted.
    sql.append(" where (lzbh like :keyword or lzmc like :keyword)");
    parameters.put("keyword", "%" + page.getKeyword() + "%");

    // The bind-parameter name does not have to match the column name.
    countSql.append(" qxdm = :qydm");
    parameters.put("qydm", page.getQydm());

    // IN list: a List<Long> is bound as one parameter; JPA expands it to (?, ?, ...).
    // Caveat: an empty list produces "in ()", which is a syntax error, so only append the clause when the list is non-empty.
    List<Long> bsmList; // populated by the caller
    sql.append(" where bsm in(:bsmList)");
    parameters.put("bsmList", bsmList);

At query time (Query from javax/jakarta.persistence):

    Query query = entityManager.createNativeQuery(sql.toString());
    parameters.forEach(query::setParameter);

List sorting

Sort in descending order of a getter value:

    notEmptyList.sort(Comparator.comparing(StationQueryVO::getCurrentValue).reversed());

ModelMapper (org.modelmapper.TypeToken)

Map a list to a list of DTOs, and a single request object to an entity:

    List<HouseBuildingExcelDTO> excelDTOList = ModelMapperUtil.getStrictModelMapper()
            .map(list, new TypeToken<List<HouseBuildingExcelDTO>>() {}.getType());
    CaseReportDO db = ModelMapperUtil.getStrictModelMapper().map(req, CaseReportDO.class);

PostgreSQL date formatting

Format a timestamp as a 14-digit string (yyyymmddHH24MIss, e.g. 20240131235959; HH24 is the 24-hour clock, MI is minutes, ss is seconds):

    to_char(date_time, 'yyyymmddHH24MIss')
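The combination described in the SQL injection note above (values bound as named parameters, ORDER BY column validated and then concatenated) in one runnable class. This is an added example, not code from the original notes; the table name t_case, the columns lzbh, lzmc, bsm and create_time, and the whitelist of sortable columns are assumptions, and it targets Java 17 (records, Set.of). The ESCAPE clause and escapeLike helper go beyond the note: they make "%" and "_" in the keyword match literally.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not from the original notes). Assumed schema: table t_case with
 * columns lzbh, lzmc, bsm, create_time. WHERE values are bound as named parameters;
 * the ORDER BY column is validated by the rule from the notes (letters, digits,
 * underscore, must start with a letter) and additionally checked against a whitelist.
 */
public class SafeOrderByQuery {

    // Rule from the notes: first character a letter, then letters/digits/underscore only.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z][A-Za-z0-9_]*$");

    // Whitelist of columns a caller may sort on (assumed).
    private static final Set<String> SORTABLE = Set.of("bsm", "lzbh", "lzmc", "create_time");

    /** The SQL text plus the named parameters to bind with query::setParameter. */
    public record BuiltQuery(String sql, Map<String, Object> parameters) {}

    /** Returns the lower-cased column if it is a syntactic identifier and whitelisted; throws otherwise. */
    static String checkedSortColumn(String column) {
        if (column == null || !IDENTIFIER.matcher(column).matches()) {
            throw new IllegalArgumentException("illegal sort column: " + column);
        }
        String normalized = column.toLowerCase();
        if (!SORTABLE.contains(normalized)) {
            throw new IllegalArgumentException("unknown sort column: " + column);
        }
        return normalized;
    }

    /** Direction: only the two fixed literals "asc" and "desc" are ever emitted. */
    static String checkedDirection(String direction) {
        return "desc".equalsIgnoreCase(direction) ? "desc" : "asc";
    }

    /** Escape LIKE wildcards so the keyword matches literally (a usability caveat, not injection). */
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    public static BuiltQuery build(String keyword, List<Long> bsmList, String sortColumn, String direction) {
        StringBuilder sql = new StringBuilder("select * from t_case where 1=1");
        Map<String, Object> parameters = new LinkedHashMap<>();

        if (keyword != null && !keyword.isBlank()) {
            // As in the notes: the value is a named parameter and "%" is added to the value, not the SQL.
            sql.append(" and (lzbh like :keyword escape '\\' or lzmc like :keyword escape '\\')");
            parameters.put("keyword", "%" + escapeLike(keyword) + "%");
        }
        if (bsmList != null && !bsmList.isEmpty()) {
            // Only emit the IN clause for a non-empty list: "in ()" is a syntax error.
            sql.append(" and bsm in (:bsmList)");
            parameters.put("bsmList", bsmList);
        }
        // Identifiers cannot be bound, so column and direction are validated and then concatenated.
        sql.append(" order by ")
           .append(checkedSortColumn(sortColumn))
           .append(' ')
           .append(checkedDirection(direction));
        return new BuiltQuery(sql.toString(), parameters);
    }

    public static void main(String[] args) {
        BuiltQuery q = build("A_1", List.of(1L, 2L), "create_time", "desc");
        System.out.println(q.sql());
        System.out.println(q.parameters());
        // The result is then used exactly as in the notes:
        //   Query query = entityManager.createNativeQuery(q.sql());
        //   q.parameters().forEach(query::setParameter);

        // A hostile sort column is rejected before it ever reaches the SQL text.
        try {
            build(null, List.of(), "bsm; drop table t_case", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The regex alone would still let a caller sort on any real column (including ones the endpoint should not expose), which is why the whitelist check is kept in addition to the syntactic rule from the notes.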