1、先通过前置通知获得参数,然后防止sql注入,先进行清空
/**
* 拼接权限sql前先清空params.dataScope参数防止注入
*/
private void clearDataScope(final JoinPoint joinPoint)
{
Object params = joinPoint.getArgs()[0];
if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
{
BaseEntity baseEntity = (BaseEntity) params;
baseEntity.getParams().put(DATA_SCOPE, "");
}
}2、将sql语句拼接到参数上去
if (StringUtils.isNotBlank(sqlString.toString()))
{
Object params = joinPoint.getArgs()[0];
if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
{
BaseEntity baseEntity = (BaseEntity) params;
baseEntity.getParams().put(DATA_SCOPE, " AND (" + sqlString.substring(4) + ")");
}
}3、sql语句进行拼接
<select id="selectQzStorageCheckList" parameterType="QzStorageCheck" resultMap="QzStorageCheckResult">
<include refid="selectQzStorageCheckVo"/>
<where>
<if test="storageName != null and storageName != ''"> and a.storage_name like concat('%', #{storageName}, '%')</if>
<if test="deptName != null and deptName != ''"> and d.dept_name like concat('%', #{deptName}, '%')</if>
<if test="isProClassify != null "> and a.is_pro_classify = #{isProClassify}</if>
<if test="isStandardStore != null "> and a.is_standard_store = #{isStandardStore}</if>
<if test="params.beginCheckTime != null and params.beginCheckTime != '' and params.endCheckTime != null and params.endCheckTime != ''"> and check_time between #{params.beginCheckTime} and #{params.endCheckTime}</if>
<!-- 数据范围过滤 -->
${params.dataScope}
</where>
order by create_time desc
</select>总结,该切面的解决思路是所以入参继承同一个基类baseEntery,必将有同意的参数结构面其进行分析,拼接sql语句,达到最终数据过滤的效果,方法简单好用,思路新颖,值得推荐学习共勉
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
