Placeholder syntax for preventing SQL injection with JdbcTemplate and Hibernate
1. JdbcTemplate placeholder syntax for LIKE fuzzy queries (MySQL)
1) Using the concat function
String sql="select category from movie where category like concat('%',?,'%')";
2) Separating the pieces with spaces (MySQL joins adjacent string literals into one string)
String sql="select category from movie where category like '%' ? '%'";
2. JDBC named-parameter extension class: NamedParameterJdbcTemplate placeholder syntax for LIKE fuzzy queries
NamedParameterJdbcTemplate: binding the parameters of an SQL IN condition so they cannot be injected
Map<String, Object> paramMap = new HashMap<>(4);
String sql = "select senior_code from pub_region where region_code in (:regionCodeList)";
paramMap.put("regionCodeList", regionCodeList); // a List is expanded to (?, ?, ...) with one bind per element
List<String> seniorStringCodeList = namedParameterJdbcTemplate.queryForList(sql, paramMap, String.class);
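The two NamedParameterJdbcTemplate cases above (LIKE through concat, IN over a list) as one added example; this is not code from the original post, and the class and method names (MovieRepository, escapeLike, findCategoriesLike, findSeniorCodes) are assumed. It also shows the caveat that a bound parameter does not neutralise the LIKE wildcards themselves.

```java
import java.util.List;

import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

/** Added example (assumed names): LIKE and IN queries bound through NamedParameterJdbcTemplate. */
public class MovieRepository {

    private final NamedParameterJdbcTemplate jdbc;

    public MovieRepository(NamedParameterJdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    /**
     * A bound parameter stops the value from being parsed as SQL, but '%' and '_' are still
     * LIKE wildcards: a search for "%" would match every row. Escape them with a chosen
     * escape character and declare it with ESCAPE so the user's text is matched literally.
     */
    static String escapeLike(String userInput) {
        return userInput.replace("!", "!!")   // escape the escape character first
                        .replace("%", "!%")
                        .replace("_", "!_");
    }

    /** Fuzzy search: the wildcards live in the SQL text, the user input only in the bound value. */
    public List<String> findCategoriesLike(String userInput) {
        String sql = "select category from movie"
                   + " where category like concat('%', :term, '%') escape '!'";
        MapSqlParameterSource params = new MapSqlParameterSource("term", escapeLike(userInput));
        return jdbc.queryForList(sql, params, String.class);
    }

    /** IN condition: the template expands the list into (?, ?, ...) with one bind per element. */
    public List<String> findSeniorCodes(List<String> regionCodes) {
        if (regionCodes.isEmpty()) {
            return List.of();   // "in ()" is a syntax error, so short-circuit an empty list
        }
        String sql = "select senior_code from pub_region where region_code in (:regionCodeList)";
        MapSqlParameterSource params = new MapSqlParameterSource("regionCodeList", regionCodes);
        return jdbc.queryForList(sql, params, String.class);
    }
}
```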
3. Hibernate placeholder syntax for LIKE fuzzy queries
DAO queries implemented with the : named placeholder
Map<String, Object> param = new HashMap<>(16);
param.put("relationID", reportID);
param.put("relationTypeID", relationTypeIDArr);
List<PubMedia> mediaList = pubMediaDao.queryByWhere("relationID = :relationID and relationTypeID in (:relationTypeID)", param);
// A named parameter inside a quoted HQL literal ('%:searchInfo%') is plain text, not a placeholder,
// so the wildcards go into the bound value instead and the HQL only contains :searchInfo.
String hql = "select a from EventAnyType a where typeLevel = 3 and typeName like :searchInfo";
Map<String, Object> param = new HashMap<>();
param.put("searchInfo", "%" + searchInfo + "%");
Pagination<EventAnyType> pagination = eventAnyTypeDao.getPagination(hql, currentPage, numPerPage, param);