Код: Выделить всё
return iSearchResultsService.getProductSearchResult(searchresultbean);
< /code>
Как я могу переписать этот запрос, чтобы предотвратить инъекцию SQL?
public List getSearchResults(
@RequestBody SearchResultsBean searchresultbean,
@PathVariable("cId") int catalogId, @PathVariable("region") String region,
@PathVariable("languageId") int languageId) {
logger.info(" Search Result Controller Started");
if(catalogId >= 0) {
int catId=Integer.parseInt(Integer.toString(catalogId));
searchresultbean.setCatId(catId);
} else {
searchresultbean.setCatId(catalogId);
}
searchresultbean.setLangId(languageId);
searchresultbean.setRegion(region);
char[][] replaceChars = new char[1][2];
char[] badChars = new char[2];
// Characters to be replaced (e.g. replace '*' with '%')
replaceChars[0][0] = '*';
replaceChars[0][1] = '%';
// Characters to be removed from product description search
badChars[0] = '*';
badChars[1] = '\'';
searchresultbean.setReplaceChars(replaceChars);
searchresultbean.setBadChars(badChars);
Map buuidMap = iSearchResultsService.getUnitId(region, cId,
languageId);
if (buuidMap.size() > 0) {
searchresultbean.setBuId((int) buuidMap.get("business_unit_id"));
}
logger.info(" Product Search Result Controller Exit");
return iSearchResultsService.SearchResult(searchresultbean);
}
}
public String getSearchQuery(searchresultbean searchresultbean) {
logger.info("Search Result Sql QueryBuild function started");
searchresultbean.setReturnStyle(1);
StringBuilder queryString = new StringBuilder();
queryString.append(buildSQLSelectFields(searchresultbean));
queryString.append(buildSQLFrom(searchresultbean));
//queryString.append(buildSQLWhereClause(searchresultbean));
queryString.append(this.buildSQLOrderBy(searchresultbean.getOrderBy()));
logger.info(" Search Result Sql QueryBuild function Exit");
return queryString.toString();
}
}
private String buildSQLWhereClause(searchresultbean searchresultbean) {
logger.info("Inside the Search Result Sql WHERE CLAUSE function started");
StringBuilder whereClause = new StringBuilder(" WHERE 1 = 1 ");
if (searchresultbean.getDId() > 0) {
whereClause.append(
SqlHelper.getSqlArgs("AND", "v.id", String.valueOf(searchresultbean.getDId()),
SqlHelper.NUMBER, false, true, searchresultbean.getReplaceChars()));
}
if (!StringUtils.isEmpty(searchresultbean.getNum())) {
whereClause
.append(SqlHelper.getSqlArgs("AND", "v._num", searchresultbean.getNum(),
SqlHelper.TEXT, true, true, searchresultbean.getReplaceChars()));
}
if (!StringUtils.isEmpty(searchresultbean.getDesc())) {
boolean flag = searchresultbean.isUseBoolAndWhereClause();
whereClause.append(buildDescClause(searchresultbean.getDesc(),
searchresultbean.getBadChars(), flag));
}
if (searchresultbean.getId() > 0) {
whereClause.append(
SqlHelper.getSqlArgs("AND", "v.id", String.valueOf(searchresultbean.getId()),
SqlHelper.NUMBER, false, true, searchresultbean.getReplaceChars()));
}
if (!StringUtils.isEmpty(searchresultbean.getName())) {
whereClause.append(
SqlHelper.getSqlArgs("AND", "v.name", searchresultbean.getName(),
SqlHelper.TEXT, true, true, searchresultbean.getReplaceChars()));
}
if (!StringUtils.isEmpty(searchresultbean.getNum())) {
whereClause
.append(SqlHelper.getSqlArgs("AND", "v.num", searchresultbean.getNum(),
SqlHelper.TEXT, true, true, searchresultbean.getReplaceChars()));
}
if (!StringUtils.isEmpty(searchresultbean.getStdNum())) {
whereClause.append(
SqlHelper.getSqlArgs("AND", "v.stdnum", searchresultbean.getStdNum(),
SqlHelper.TEXT, true, true, searchresultbean.getReplaceChars()));
}
if (!searchresultbean.getIncludeOff()) {
whereClause.append(" AND v.flag = 1");
}
if (searchresultbean.getFilterFlag()) {
whereClause.append(" AND v.flag1 = 1");
}
whereClause.append(" AND v.ID=").append(searchresultbean.getId()).append(' ');
whereClause.append("AND ISNULL(bup.FLAG, 0) != 1 ");
// Software Type filter
if (searchresultbean.getSOFTWAREId() > 0) {
whereClause.append(" AND dp.software_type_id = ");
whereClause.append(searchresultbean.getSoftwareId() + "\n");
}
// Licensing filters
if (searchresultbean.isLSearch()) {
buildWhereClauseForsodtware(whereClause, searchresultbean);
}
logger.info("Search Result Sql WHERE CLAUSE");
return whereClause.toString();
}
Подробнее здесь: https://stackoverflow.com/questions/796 ... in-my-code