jfinal sql 使用 append 拼接，防 SQL 注入

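  /**
   * Pages through {@code tb_channel}, optionally filtering by channel id and channel name.
   *
   * <p>Filter values taken from {@code paramMap} are never concatenated into the SQL text; each
   * one is bound to a {@code ?} placeholder, so a value such as {@code ' OR 1=1 --} is compared as
   * data rather than executed as SQL. Binding does not neutralise the LIKE wildcards {@code %} and
   * {@code _} inside a value, so those characters still widen the match; callers that need an exact
   * substring match would have to escape them with a dialect-specific {@code ESCAPE} clause, which
   * this method does not do.
   *
   * @param pageNum  page index passed straight through to {@code paginate}
   * @param pageSize rows per page passed straight through to {@code paginate}
   * @param paramMap optional filters; only the keys {@code channel_id} and {@code channel_name} are
   *                 read, blank values are ignored, and a {@code null} map means no filters
   * @return the requested page of channels, ordered by {@code id} descending
   */
  public Page<Channel> getChannelByPage(int pageNum, int pageSize, Map<String, String> paramMap) {
      String select = "SELECT * ";
      String orderBy = " ORDER BY id DESC";
      // "WHERE 1=1" lets every filter be appended uniformly as " AND ...".
      StringBuilder condition = new StringBuilder(" FROM tb_channel WHERE 1=1 ");
      List<Object> values = new ArrayList<Object>();

      // A null map previously threw NullPointerException; treat it as "no filters".
      if (paramMap != null) {
          appendLikeFilter(condition, values, "channel_id", paramMap.get("channel_id"));
          appendLikeFilter(condition, values, "channel_name", paramMap.get("channel_name"));
      }
      return super.paginate(pageNum, pageSize, select, condition.append(orderBy).toString(),
              values.toArray());
  }

  /**
   * Appends {@code AND <column> LIKE ?} to {@code condition} and the matching {@code %value%}
   * pattern to {@code values}; does nothing when {@code value} is blank.
   *
   * <p>{@code column} is interpolated into the SQL text, so it must always be a literal column
   * name written in code, never anything derived from request input. {@code value} is bound as a
   * parameter. The pattern deliberately carries no surrounding single quotes: the JDBC driver
   * quotes bound string parameters itself, so wrapping the value in {@code '...'} would make the
   * quotes part of the pattern and the filter would then match nothing.
   *
   * @param condition SQL fragment being built
   * @param values    bound parameter list, in placeholder order
   * @param column    literal column name from code
   * @param value     user-supplied search text, possibly {@code null} or blank
   */
  private static void appendLikeFilter(StringBuilder condition, List<Object> values,
                                       String column, String value) {
      if (StringUtils.isNotBlank(value)) {
          condition.append(" AND ").append(column).append(" LIKE ?");
          values.add("%" + value + "%");
      }
  }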

 
