Mybatis-plus如何在xml中传入自定义的SQL语句
项目场景
项目需求需要在一个框架上二开,原框架有权限校验会返回对应的权限sql语句。
例如:
在获取用户当前组织及下级组织后拼接生成的SQL:
AND ( settlement_company_id IN ( '06eb1b4ce4d24e368319188bb4fc6390', '9ff034739e984f188612c671219ddfed', 'afe69288c0b84828bd2abcb1c5eec28a' ) )
因为有使用到关联查询,无法直接使用QueryWrapper的apply来拼接语句,只能在xml中拼接。
问题描述
查询传入实体:
@Data public class YygkBankAccountQueryForm { /** * 数据权限Sql */ @ApiModelProperty(value = "数据权限Sql") private String extraSql; }
Mapper类:
public interface YygkBankAccountMapper extends BaseMapper<YygkBankAccountEntity> { /** * 分页查询银行账户 * * @param iPage 分页数据 * @param yygkBankInfoQueryForm 查询参数 * @return IPage<YygkBankAccountEntity> */ IPage<YygkBankAccountEntity> queryPage(IPage<YygkBankAccountEntity> iPage, @Param("query") YygkBankAccountQueryForm yygkBankInfoQueryForm); }
XML的查询SQL语句:
<select id="queryPage" resultMap="BaseMap"> SELECT <include refid="YygkBankAccountSql"/> FROM yygk_bank_account ba LEFT JOIN yygk_currency_info ci ON ba.currency_id = ci.id <where> ba.delete_mark != 1 <if test="query.extraSql != null and query.extraSql != ''"> AND #{query.extraSql} </if> </where> ORDER BY ba.sort DESC </select>
query.extraSql为我需要拼接的SQL语句。
执行查询的打印日志:
2022-06-17 18:59:55.981 DEBUG 16768 --- [io-30601-exec-1] c.g.y.m.Y.queryPage_mpCount : ==> Preparing: SELECT COUNT(1) FROM yygk_bank_account ba WHERE ba.delete_mark != 1 AND ?
2022-06-17 18:59:56.088 DEBUG 16768 --- [io-30601-exec-1] c.g.y.m.Y.queryPage_mpCount : ==> Parameters: (settlement_company_id in( '06eb1b4ce4d24e368319188bb4fc6390','9ff034739e984f188612c671219ddfed','afe69288c0b84828bd2abcb1c5eec28a' ) )(String)
2022-06-17 18:59:56.174 DEBUG 16768 --- [io-30601-exec-1] c.g.y.m.Y.queryPage_mpCount : <== Total: 1
可以看到在执行了mybatis-plus的count查询后并没有再执行查询数据
原因分析
怀疑是要用SQL注入才能拼接SQL语句
解决方案
xml的SQL语句改为使用SQL注入:
<select id="queryPage" resultMap="BaseMap"> SELECT <include refid="YygkBankAccountSql"/> FROM yygk_bank_account ba LEFT JOIN yygk_currency_info ci ON ba.currency_id = ci.id <where> ba.delete_mark != 1 <if test="query.extraSql != null and query.extraSql != ''"> AND ${query.extraSql} </if> </where> ORDER BY ba.sort DESC </select>
将#{}替换成${}
2022-06-17 19:21:05.437 DEBUG 9008 --- [io-30601-exec-2] c.g.y.m.Y.queryPage_mpCount : ==> Preparing: SELECT COUNT(1) FROM yygk_bank_account ba WHERE ba.delete_mark != 1 AND (settlement_company_id IN ('06eb1b4ce4d24e368319188bb4fc6390', '9ff034739e984f188612c671219ddfed', 'afe69288c0b84828bd2abcb1c5eec28a'))
2022-06-17 19:21:05.523 DEBUG 9008 --- [io-30601-exec-2] c.g.y.m.Y.queryPage_mpCount : ==> Parameters:
2022-06-17 19:21:05.598 DEBUG 9008 --- [io-30601-exec-2] c.g.y.m.Y.queryPage_mpCount : <== Total: 1
2022-06-17 19:21:05.630 DEBUG 9008 --- [io-30601-exec-2] c.g.y.m.YygkBankAccountMapper.queryPage : ==> Preparing: SELECT ci.currency_code as currency_code, ba.id, ba.bank_id, ba.bank_name, ba.bank_short_name, ba.bank_english_name, ba.swift_code, ba.account_name, ba.sort, ba.account_number, ba.receipts_payment_type, ba.internal_account, ba.settlement_type, ba.account_type, ba.deposit_type, ba.settlement_company_id, ba.settlement_company_name, ba.default_mark, ba.currency_id, ba.currency_code, ba.account_identification, ba.opening_bank_identification, ba.billing_account, ba.remark, ba.creator_time, ba.creator_user_id, ba.creator_user, ba.last_modify_time, ba.last_modify_user_id, ba.last_modify_user, ba.enable_mark, ba.delete_time, ba.delete_user_id, ba.delete_mark FROM yygk_bank_account ba LEFT JOIN yygk_currency_info ci ON ba.currency_id = ci.id WHERE ba.delete_mark != 1 AND (settlement_company_id in( '06eb1b4ce4d24e368319188bb4fc6390','9ff034739e984f188612c671219ddfed','afe69288c0b84828bd2abcb1c5eec28a' ) ) ORDER BY ba.sort DESC LIMIT ?
2022-06-17 19:21:05.635 DEBUG 9008 --- [io-30601-exec-2] c.g.y.m.YygkBankAccountMapper.queryPage : ==> Parameters: 20(Long)
2022-06-17 19:21:05.651 DEBUG 9008 --- [io-30601-exec-2] c.g.y.m.YygkBankAccountMapper.queryPage : <== Total: 2
可以看到在执行了mybatis-plus的count查询后,继续执行了查询数据语句。
虽然问题解决,但我还是不理解为何将#{}换成${}就能成功。。。
总结
以上为个人经验,希望能给大家一个参考,也希望大家多多支持脚本之家。
相关文章
如何利用Retrofit+RxJava实现网络请求的异常处理
这篇文章主要介绍了如何利用Retrofit+RxJava实现网络请求的异常处理,小编觉得挺不错的,现在分享给大家,也给大家做个参考。一起跟随小编过来看看吧2019-04-04详解SpringBoot 发布ApplicationEventPublisher和监听ApplicationEvent事
这篇文章主要介绍了详解SpringBoot 发布ApplicationEventPublisher和监听ApplicationEvent事件,小编觉得挺不错的,现在分享给大家,也给大家做个参考。一起跟随小编过来看看吧2019-06-06
最新评论