本文探讨了如何使用StringBuffer动态构建SQL查询语句,并通过参数化方式避免SQL注入风险,展示了条件判断在SQL拼接中的应用。
StringBuffer param = new StringBuffer();
StringBuffer sb=new StringBuffer("");
sb.append(" SELECT");
sb.append(" ID");
sb.append(",NAME");
sb.append(",FN_HREF");
sb.append(",FN_TYPE");
sb.append(",ORDER_NUM");
sb.append(" FROM");
sb.append(" CXTJ_DEFINE");
sb.append(" WHERE 1=1 ");
sb.append(" AND STATUS = 1");
sb.append(" AND ID IN (");
sb.append(" SELECT");
sb.append(" DATA_ID");
sb.append(" FROM");
sb.append(" YWZNGK_AUTHORIZE_RES_DATA");
sb.append(" WHERE 1=1 ");
if(StringUtils.isNotEmpty(oruIdStr)){
sb.append(" AND ORU_ID IN (");
sb.append(oruIdStr.replaceAll("[^,]+", "?"));
sb.append(")");
param.append("#").append(oruIdStr.replaceAll(",", "#"));
}
sb.append(" AND DATA_TYPE = 'S'");
sb.append(" )");
if(StringUtils.isNotEmpty(statisticsType)){
sb.append(" AND FN_TYPE=?");
param.append("#").append(statisticsType);
}
if(StringUtils.isNotEmpty(statisticsName)){
sb.append(" AND FN_NAME LIKE ?");
param.append("#%").append(statisticsName).append("%");
}
Object[] paramArr;
if(param.length()>0){
paramArr = param.deleteCharAt(0).toString().split("#");
}else {
paramArr =null;
}
List<Map<String,Object>> list=this.sqlQueryForList(sb.toString(),paramArr);
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
