Handling special characters in SQL statements
2012-12-13 16:57
513 views
To prevent SQL injection, and at the same time to avoid inaccurate query results when user input contains special characters (in particular the three characters %, _ and '), the input is first escaped:
```java
public static String escapeSQL(String str) {
    if (str == null || str.length() == 0) {
        return str;
    }
    String[] chars = new String[4], escape = new String[4];
    chars[0] = "\\";            // one backslash is replaced by four literal backslashes
    escape[0] = "\\\\\\\\";
    chars[1] = "\n";            // a newline becomes the two-backslash text "\\n"
    escape[1] = "\\\\n";
    chars[2] = "'";             // a single quote is doubled, the SQL string-literal convention
    escape[2] = "''";
    chars[3] = "\r";            // a carriage return becomes the two-backslash text "\\r"
    escape[3] = "\\\\r";
    for (int i = 0; i < chars.length; ++i) {
        str = str.replace(chars[i], escape[i]);
    }
    // LIKE wildcards get a single backslash in front; this only works together with ESCAPE '\'
    str = str.replace("%", "\\%").replace("_", "\\_");
    return str.trim();
}
```
The drawback of this approach: when the user's search term contains % or _, the query returns no rows.
Solution: add an ESCAPE '\' clause dynamically.
SQL statement:
```xml
<select id="SELECT.A_USR_S02.GET_LIST_USER"
        parameterClass="my.com.honda.servicebooking.a_usr.dto.A_USR_S02_Input"
        resultClass="my.com.honda.servicebooking.a_usr.dto.A_USR_S02_Output">
    <include refid="sql_head" />
    <dynamic prepend="and">
        <isNotEmpty property="userType" prepend="">
            U.USER_TYPE=#userType#
        </isNotEmpty>
    </dynamic>
    <dynamic prepend="and">
        <isNotEmpty property="userStatus" prepend="">
            U.USER_STATUS=#userStatus#
        </isNotEmpty>
    </dynamic>
    <dynamic prepend="and">
        <isNotEmpty property="userName" prepend="">
            <!-- when the search term contains a single quote, use %$userName$% instead of '%'||#userName#||'%' -->
            <isNotEmpty property="userNameSingleQuotes" prepend="">
                UPPER(U.USER_NAME) LIKE UPPER('%$userName$%')
            </isNotEmpty>
            <isEmpty property="userNameSingleQuotes" prepend="">
                UPPER(U.USER_NAME) LIKE UPPER('%'||#userName#||'%')
            </isEmpty>
            <!-- when the search term contains % or _, append ESCAPE '\' -->
            <isNotEmpty property="userNamePercentOrUnderline" prepend="">
                ESCAPE '\'
            </isNotEmpty>
        </isNotEmpty>
    </dynamic>
    <dynamic prepend="and">
        <isNotEmpty property="idUser" prepend="">
            <isNotEmpty property="idUserSingleQuotes" prepend="">
                UPPER(U.USER_ID) LIKE UPPER('%$idUser$%')
            </isNotEmpty>
            <isEmpty property="idUserSingleQuotes" prepend="">
                UPPER(U.USER_ID) LIKE UPPER('%'||#idUser#||'%')
            </isEmpty>
            <!-- idUser contains % or _ -->
            <isNotEmpty property="idUserPercentOrUnderline" prepend="">
                ESCAPE '\'
            </isNotEmpty>
        </isNotEmpty>
    </dynamic>
    <dynamic prepend="and">
        <isNotEmpty property="svcCtrCode" prepend="">
            S.SVC_CTR_CODE=#svcCtrCode#
        </isNotEmpty>
    </dynamic>
    <dynamic>
        ORDER BY UPPER(U.USER_ID) ASC,
                 UPPER(U.USER_NAME) ASC
    </dynamic>
</select>
```
Because % and _ are now escaped as described above, a search term containing a single quote can no longer be found with this method.
Solution: replace '%'||#userName#||'%' with %$userName$%.
*Note: $param$ is built into iBATIS, while #param# comes from Oracle; the two are equivalent in effect.
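As an added example (not the page's iBATIS/Oracle code), the following Python uses SQLite in place of Oracle to show the combination the page is working toward: the search term always stays a bind parameter, so a single quote needs no escaping at all, and only the LIKE wildcards % and _ (plus the escape character itself) are escaped, with ESCAPE '\' declared on the query. The `users` table, its rows and the helper names are constructed for this example.

```python
import sqlite3

ESC = "\\"  # the escape character declared to SQL via ESCAPE '\'


def escape_like(value: str) -> str:
    """Escape LIKE metacharacters so they match literally.

    The escape character itself is doubled first; '%' and '_' are the two
    wildcards the page is concerned with. Single quotes are NOT touched:
    the bind parameter keeps them out of the SQL text entirely.
    """
    return (value.replace(ESC, ESC + ESC)
                 .replace("%", ESC + "%")
                 .replace("_", ESC + "_"))


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the page's U (user) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, user_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("u1", "O'Brien"), ("u2", "100%_sure"), ("u3", "smith_j"),
         ("u4", "smithXj"), ("u5", "plain")],
    )
    return conn


def find_users(conn: sqlite3.Connection, term: str, use_escape: bool = True) -> list:
    """Substring search on user_name, the SQLite equivalent of the page's
    UPPER(U.USER_NAME) LIKE UPPER('%'||#userName#||'%') ESCAPE '\\'.

    With use_escape=False the wildcards in the term stay live, reproducing
    the defect the page describes: a '%' or '_' typed by the user matches
    far more (or less) than the literal character.
    """
    if use_escape:
        pattern = "%" + escape_like(term) + "%"
        sql = ("SELECT user_name FROM users "
               "WHERE UPPER(user_name) LIKE UPPER(?) ESCAPE '\\'")
    else:
        pattern = "%" + term + "%"
        sql = "SELECT user_name FROM users WHERE UPPER(user_name) LIKE UPPER(?)"
    # The term is bound as a parameter: quotes never reach the SQL text.
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    db = make_db()
    print(find_users(db, "o'brien"))              # ["O'Brien"]
    print(find_users(db, "_j"), find_users(db, "_j", use_escape=False))
```

Running the module shows that the quoted name is found without any quote handling in the caller, and that `_j` matches only `smith_j` when ESCAPE is in force but also `smithXj` without it.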