A note on a SQL-concatenation problem

    <select id="queryList" parameterType="java.lang.String" resultType="com.hengtn.evaluation.dto.response.EvaluationRecordResponseDTO">
        SELECT
        r.id AS id,
        r.create_time AS createTime,
        r.city_name AS cityName,
        r.star_level AS starLevel,
        r.status AS status,
        r.user_phone AS userPhone,
        r.user_id AS userId,
        GROUP_CONCAT(o.worker_name) AS workerName,
        o.order_number AS orderNumber,
        r.label AS label,
        r.content_text AS contentText
        FROM
        evaluation_record r
        JOIN evaluation_record_order o ON r.id = o.record_id
        WHERE 1=1

        <!-- param is a pre-built SQL fragment; ${} substitutes it as raw text,
             so it becomes part of the statement rather than a bound value -->
        ${param}

        GROUP BY id
        ORDER BY
        <!-- FIELD() must be given the column (r.status), not the string literal
             'status'; with the literal every row scores 0 and the ordering is lost -->
        FIELD( r.status, 'PENDING', 'PROCESSED', 'NOPENDING' ),
        r.star_level,
        r.create_time

    </select>

As the XML above shows, using #{param} produces a SQL syntax error, while ${} runs successfully.

The reason is that #{param} applies an extra layer of processing to the parameter: MyBatis replaces it with a `?` placeholder and binds the value through the prepared statement, so the concatenated string in param is altered (it arrives as a single quoted literal rather than as SQL text) and the statement fails to parse.

This is also exactly why #{} is effective at preventing SQL injection: a bound value is never interpreted as SQL, whereas ${} pastes the text verbatim into the statement.

In addition, GROUP_CONCAT(o.worker_name) AS workerName concatenates the worker_name values of the rows that collapse into one group, so no row is lost to the grouping.

GROUP BY id is the right tool for the one-to-many case here (one evaluation record joined to several orders).

ORDER BY FIELD( r.status, 'PENDING', 'PROCESSED', 'NOPENDING' ) sorts rows by the position of the column's value in the listed sequence; several sort keys after ORDER BY are separated by commas.
