ORDER BY clause is not working properly
2015-12-15 20:04
323 views
The user can pick a field in the front end and sort dynamically. Using MyBatis, the SQL is as follows. It turned out that ORDER BY had no effect.
<select id="selectBudgetCategoryList" resultMap="BaseResultMap" parameterType="com.xxx.ConfigSearchParam">
<include refid="pageHeader"/>
select
<include refid="Base_Column_List" />
from EMR_BUDGET_CATEGORY
where 1=1
<if test="id != null and id != 0" >
and BUDGET_CATEGORY_REF_ID = #{id,jdbcType=DECIMAL}
</if>
<if test="name != null" >
and UPPER(BUDGET_CATEGORY) LIKE '%'||UPPER(#{name,jdbcType=VARCHAR})||'%'
</if>
<if test="deleteFlag != null" >
and DELETE_FLAG = #{deleteFlag,jdbcType=CHAR}
</if>
<if test="sortOrder != null and sortOrder != ''" >
order by #{sortOrder,jdbcType=VARCHAR}
</if>
<include refid="pageFoot"/>
</select>
Findings of the investigation:
#{} is used to put a parameter. This is the same as using ? in a PreparedStatement.
${} is string substitution. It doesn't use any parameter. This is the one that opens you to SQL injection.
To prevent SQL injection, the best thing to do is always use #{} when possible.
When you need to use ${}, make sure that the value is given by your code (usually a constant) and not by a user.
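The explanation above can be checked outside MyBatis, because `#{}` is just a JDBC `?` placeholder: whatever is bound to it arrives at the database as a value, never as an identifier. The following is an added example, not code from the original post, that reproduces the symptom against an in-memory SQLite table (assumed to mirror the three columns the mapper uses; the rows are constructed) and then shows the mitigation the text recommends: the ORDER BY identifier is substituted from a whitelist that the application code owns, so user input only selects an entry and never reaches the SQL text.

```python
import sqlite3

# Constructed sample rows standing in for EMR_BUDGET_CATEGORY (columns assumed from the mapper).
ROWS = [
    (3, "Travel", "N"),
    (1, "Salaries", "N"),
    (2, "Equipment", "Y"),
]

# Whitelist owned by the application: keys are the only sort keys the front end may send,
# values are the exact SQL identifiers that will be substituted into the statement.
SORTABLE_COLUMNS = {
    "id": "BUDGET_CATEGORY_REF_ID",
    "name": "BUDGET_CATEGORY",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

SELECT_SQL = "SELECT BUDGET_CATEGORY_REF_ID, BUDGET_CATEGORY FROM EMR_BUDGET_CATEGORY "


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE EMR_BUDGET_CATEGORY ("
        "BUDGET_CATEGORY_REF_ID INTEGER, BUDGET_CATEGORY TEXT, DELETE_FLAG TEXT)"
    )
    conn.executemany("INSERT INTO EMR_BUDGET_CATEGORY VALUES (?, ?, ?)", ROWS)
    return conn


def what_database_sees(conn, value):
    """Show how a bound parameter is typed by the engine: it is a text literal, not a column."""
    return conn.execute("SELECT typeof(?), ?", (value, value)).fetchone()


def order_by_bound_parameter(conn, sort_order):
    """Equivalent of `order by #{sortOrder}`: the column name is bound like a JDBC '?',
    so the engine evaluates ORDER BY 'BUDGET_CATEGORY' (a constant) and sorts nothing.
    Returns the ids in whatever order the engine happens to produce."""
    cur = conn.execute(SELECT_SQL + "ORDER BY ?", (sort_order,))
    return [row[0] for row in cur.fetchall()]


def is_valid_sort(sort_key, direction="asc"):
    """True only when both parts of the requested ordering are in the whitelist."""
    return sort_key in SORTABLE_COLUMNS and direction.lower() in SORT_DIRECTIONS


def build_order_by(sort_key, direction="asc"):
    """Map an untrusted sort request to a whitelisted identifier; refuse anything else.
    This is the check that must run before a `${sortOrder}` substitution."""
    if not is_valid_sort(sort_key, direction):
        raise ValueError(f"unsupported sort: {sort_key!r} {direction!r}")
    return f"ORDER BY {SORTABLE_COLUMNS[sort_key]} {SORT_DIRECTIONS[direction.lower()]}"


def order_by_whitelisted_identifier(conn, sort_key, direction="asc"):
    """Equivalent of `order by ${sortOrder}` where sortOrder was produced by build_order_by."""
    cur = conn.execute(SELECT_SQL + build_order_by(sort_key, direction))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("bound value as seen by the engine:", what_database_sees(db, "BUDGET_CATEGORY"))
    print("ORDER BY ? with a bound column name:", order_by_bound_parameter(db, "BUDGET_CATEGORY"))
    print("whitelisted ORDER BY name ASC:      ", order_by_whitelisted_identifier(db, "name"))
    print("request for a non-whitelisted column is valid?", is_valid_sort("DELETE_FLAG"))
```

Applied to the mapper, the fix is to change the clause to `order by ${sortOrder}` and to set `sortOrder` in Java only from a lookup like `SORTABLE_COLUMNS` above, rejecting any key that is not present; the user-chosen value then never becomes part of the statement text.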