提交 778c6584 编写于 作者: zhouweidong's avatar zhouweidong

直接SQL支持?占位符,防止SQL注入

上级 628d0520
......@@ -6,6 +6,7 @@ package ${pub.getPKGCodeName()}.core.${item.getPSSystemModule().codeName?lower_c
import java.util.List;
import org.apache.ibatis.annotations.*;
import java.util.Map;
import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
import com.baomidou.mybatisplus.core.metadata.IPage;
......@@ -54,7 +55,7 @@ public interface ${item.getCodeName()}Mapper extends BaseMapper<${item.getCodeNa
* @return
*/
@Select("${r'${sql}'}")
List<JSONObject> selectBySQL(@Param("sql") String sql);
List<JSONObject> selectBySQL(@Param("sql") String sql, @Param("et")Map param);
/**
* 自定义更新SQL
......@@ -62,7 +63,7 @@ public interface ${item.getCodeName()}Mapper extends BaseMapper<${item.getCodeNa
* @return
*/
@Update("${r'${sql}'}")
boolean updateBySQL(@Param("sql") String sql);
boolean updateBySQL(@Param("sql") String sql, @Param("et")Map param);
/**
* 自定义插入SQL
......@@ -70,7 +71,7 @@ public interface ${item.getCodeName()}Mapper extends BaseMapper<${item.getCodeNa
* @return
*/
@Insert("${r'${sql}'}")
boolean insertBySQL(@Param("sql") String sql);
boolean insertBySQL(@Param("sql") String sql, @Param("et")Map param);
/**
* 自定义删除SQL
......@@ -78,7 +79,7 @@ public interface ${item.getCodeName()}Mapper extends BaseMapper<${item.getCodeNa
* @return
*/
@Delete("${r'${sql}'}")
boolean deleteBySQL(@Param("sql") String sql);
boolean deleteBySQL(@Param("sql") String sql, @Param("et")Map param);
<#comment>1N关系中,在子实体中创建父实体的实例对象</#comment>
<#if de.getMinorPSDERs?? && de.getMinorPSDERs()??>
......
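Review bot: The new `@Param("et") Map param` overloads at L18, L26, L34 and L42 bind only the values referenced as `#{et.paramN}` inside the statement; the statement text itself is still spliced in by the unchanged `@Select("${r'${sql}'}")` (MyBatis `${}` string substitution, same for the Update/Insert/Delete annotations), so the protection holds only while `sql` is a code-defined template that never carries caller input. That contract is stated nowhere in the mapper Javadoc; I would add `@param sql statement template substituted verbatim via ${sql}; must be a constant defined in code, never built from request data` and `@param param values bound through #{et.paramN} placeholders — the only place runtime values may enter`. The new parameter is also a raw `Map`; `Map<String, Object> param` says what the `#{et.*}` lookup expects and avoids the raw-type warning, and the same applies to the matching signatures in the I…Service and …ServiceImpl sections below.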
......@@ -32,8 +32,8 @@ public interface I${item.codeName}Service extends IService<${item.codeName}>{
<@addIDESerivceBody />
List<JSONObject> select(String sql);
boolean execute(String sql);
List<JSONObject> select(String sql, Map param);
boolean execute(String sql, Map param);
}
<#comment>NoSQL存储-MongoDB</#comment>
......
......@@ -18,6 +18,7 @@ import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.Map;
import java.util.HashSet;
import java.util.HashMap;
import java.util.Collection;
......@@ -41,12 +42,6 @@ import ${pub.getPKGCodeName()}.core.${item.getPSSystemModule().getCodeName()?low
import ${pub.getPKGCodeName()}.core.${item.getPSSystemModule().getCodeName()?lower_case}.service.I${de.getCodeName()}Service;
import ${pub.getPKGCodeName()}.util.helper.CachedBeanCopier;
<#if item.getAllPSDELogics()??>
<#list item.getAllPSDELogics() as logic>
//import ${pub.getPKGCodeName()}.core.${item.getPSSystemModule().getCodeName()?lower_case}.service.logic.I${de.getCodeName()}${logic.getCodeName()}Logic;
</#list>
</#if>
<#comment>SQL存储-Mybatis</#comment>
<#if de.getStorageMode()==1>
......@@ -519,24 +514,24 @@ public class ${item.getCodeName()}ServiceImpl extends ServiceImpl<${de.getCodeNa
<#comment>输出自定义sql查询</#comment>
@Override
public List<JSONObject> select(String sql){
return this.baseMapper.selectBySQL(sql);
public List<JSONObject> select(String sql, Map param){
return this.baseMapper.selectBySQL(sql,param);
}
@Override
@Transactional
public boolean execute(String sql){
public boolean execute(String sql , Map param){
if (sql == null || sql.isEmpty()) {
return false;
}
if (sql.toLowerCase().trim().startsWith("insert")) {
return this.baseMapper.insertBySQL(sql);
return this.baseMapper.insertBySQL(sql,param);
}
if (sql.toLowerCase().trim().startsWith("update")) {
return this.baseMapper.updateBySQL(sql);
return this.baseMapper.updateBySQL(sql,param);
}
if (sql.toLowerCase().trim().startsWith("delete")) {
return this.baseMapper.deleteBySQL(sql);
return this.baseMapper.deleteBySQL(sql,param);
}
log.warn("暂未支持的SQL语法");
return true;
......
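Review bot: `select(String sql, Map param)` at L78 forwards `sql` to the mapper with no guard, while `execute` at L85-L87 rejects a null or empty statement; the two new signatures should apply the same check, since what the mapper does with an empty `${sql}` is not visible here. In `execute`, `sql.toLowerCase().trim()` is recomputed for each of the three branches (L88, L92, L96) using the default locale; hoist it once as `String head = sql.trim().toLowerCase(Locale.ROOT);` and test `head.startsWith(...)`, adding `import java.util.Locale;` to the import hunk above. The stray space in `execute(String sql , Map param)` at L84 and the raw `Map` type should be tidied as well; the method body continues past the end of the hunk at L101.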
......@@ -9,6 +9,7 @@ package ${pub.getPKGCodeName()}.${de.getPSSystemModule().codeName?lower_case}.lo
<#comment>插入逻辑参数</#comment>
<#if delogic.getPSDELogicParams?? && delogic.getPSDELogicParams()??>
import java.util.Map;
import java.util.HashMap;
import com.alibaba.fastjson.JSONObject;
<#list delogic.getPSDELogicParams() as logicParam>
<#if logicParam.isDefault()==true>
......@@ -100,12 +101,13 @@ ruleflow-group "${logicName+deLogicNode.getCodeName()?lower_case}"
</#if>
<#elseif deLogicNode.getLogicNodeType()=='RAWSQLCALL'><#comment>直接SQL</#comment>
<#if deLogicNode.getPSDELogicNodeParams()??><#comment>是否包含参数列表</#comment>
String strSql=${getCallSQL(deLogicNode)};
<@getCallSQL2 deLogicNode/>
<#else>
Map param = null;
String strSql="${srfjavasqlcode('${deLogicNode.getParam("PARAM4","")}')}";
</#if>
<#if deLogicNode.getDstPSDELogicParam?? && deLogicNode.getDstPSDELogicParam()?? ><#comment>配置返回参数</#comment>
java.util.List<JSONObject> entities=iBzSys${de.codeName?lower_case?cap_first}DefaultService.select(strSql);//SQL调用
java.util.List<JSONObject> entities=iBzSys${de.codeName?lower_case?cap_first}DefaultService.select(strSql,param);//SQL调用
if(entities.size()>0){
<#assign targetLogicParam=deLogicNode.getDstPSDELogicParam()>
JSONObject entity=entities.get(0);
......@@ -166,34 +168,63 @@ ruleflow-group "${logicName+deLogicNode.getCodeName()?lower_case}"
</#list>
</#if>
<#comment>获取String.format拼接的sql</#comment>
<#function getCallSQL deLogicNode>
<#assign sql=srfjavasqlcode('${deLogicNode.getParam("PARAM4","")}')>
<#comment>sql中的?替换为%s ,如:select * from table where id=? ; select * from table where id = '%s' </#comment>
<#assign sql=sql?replace('%','%%')?replace('?','%s')>
<#assign strSQL="String.format(\""+sql+"\",">
<#--<#comment>获取String.format拼接的sql</#comment>-->
<#--<#function getCallSQL deLogicNode>-->
<#--<#assign sql=srfjavasqlcode('${deLogicNode.getParam("PARAM4","")}')>-->
<#--<#comment>sql中的?替换为%s ,如:select * from table where id=? ; select * from table where id = '%s' </#comment>-->
<#--<#assign sql=sql?replace('%','%%')?replace('?','%s')>-->
<#--<#assign strSQL="String.format(\""+sql+"\",">-->
<#--<#list deLogicNode.getPSDELogicNodeParams() as nodeParam>-->
<#--<#assign sqlParam="">-->
<#--<#if nodeParam.getSrcValueType()=='SRCDLPARAM'><#comment>源逻辑参数</#comment>-->
<#--<#assign srcPSDELogicParam=nodeParam.getSrcPSDELogicParam()>-->
<#--<#assign srcFieldName=nodeParam.getSrcFieldName()>-->
<#--<#if srcPSDELogicParam.getParamPSDataEntity?? && srcPSDELogicParam.getParamPSDataEntity()??><#comment>源逻辑参数选择了实体</#comment>-->
<#--<#assign sqlParam=logicName+srcPSDELogicParam.getCodeName()?lower_case+".get(\""+srcFieldName?lower_case+"\")">-->
<#--</#if>-->
<#--<#elseif nodeParam.getSrcValueType()=='SRCVALUE'><#comment>直接值</#comment>-->
<#--<#assign sqlParam=nodeParam.getSrcValue()>-->
<#--<#else>-->
<#--<#assign sqlParam="null"><#comment>暂未支持其余准备参数设置</#comment>-->
<#--</#if>-->
<#--<#if nodeParam.getSrcValueType()=='SRCVALUE'>-->
<#--<#assign strSQL=strSQL+"\""+sqlParam+"\"">-->
<#--<#else>-->
<#--<#assign strSQL=strSQL+sqlParam>-->
<#--</#if>-->
<#--<#if nodeParam_has_next>-->
<#--<#assign strSQL=strSQL+",">-->
<#--</#if>-->
<#--</#list>-->
<#--<#assign strSQL=strSQL+")">-->
<#--<#return strSQL>-->
<#--</#function>-->
<#macro getCallSQL2 deLogicNode >
Map param =new HashMap();
<#comment>准备参数列表</#comment>
<#list deLogicNode.getPSDELogicNodeParams() as nodeParam>
<#assign sqlParam="">
<#if nodeParam.getSrcValueType()=='SRCDLPARAM'><#comment>源逻辑参数</#comment>
<#assign srcPSDELogicParam=nodeParam.getSrcPSDELogicParam()>
<#assign srcFieldName=nodeParam.getSrcFieldName()>
<#if srcPSDELogicParam.getParamPSDataEntity?? && srcPSDELogicParam.getParamPSDataEntity()??><#comment>源逻辑参数选择了实体</#comment>
<#assign sqlParam=logicName+srcPSDELogicParam.getCodeName()?lower_case+".get(\""+srcFieldName?lower_case+"\")">
<#assign srcRefDEFieldCodeName=srcPSDELogicParam.getParamPSDataEntity().getPSDEField(srcFieldName).codeName>
<#assign sqlParam=logicName+srcPSDELogicParam.getCodeName()?lower_case+".get"+srcRefDEFieldCodeName?cap_first+"()">
<#else>
//暂不支持非实体的逻辑参数赋值!
</#if>
<#elseif nodeParam.getSrcValueType()=='SRCVALUE'><#comment>直接值</#comment>
<#assign sqlParam=nodeParam.getSrcValue()>
<#assign sqlParam="\""+nodeParam.getSrcValue()+"\"">
<#else>
<#assign sqlParam="null"><#comment>暂未支持其余准备参数设置</#comment>
</#if>
<#if nodeParam.getSrcValueType()=='SRCVALUE'>
<#assign strSQL=strSQL+"\""+sqlParam+"\"">
<#else>
<#assign strSQL=strSQL+sqlParam>
</#if>
<#if nodeParam_has_next>
<#assign strSQL=strSQL+",">
</#if>
param.put("param${nodeParam_index}",${sqlParam});
</#list>
<#comment>将占位符?替换为#{et.param1}</#comment>
<#assign sql=srfjavasqlcode('${deLogicNode.getParam("PARAM4","")}')>
<#list deLogicNode.getPSDELogicNodeParams() as nodeParam>
<#assign sql=sql?replace("?","#"+"{et.param"+nodeParam_index+"}","f")>
</#list>
<#assign strSQL=strSQL+")">
<#return strSQL>
</#function>
\ No newline at end of file
String strSql="${sql}";
</#macro>
\ No newline at end of file
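Review bot: In `getCallSQL2`, the branch at L179-L181 for a SRCDLPARAM whose logic parameter is not an entity emits only the Java comment `//暂不支持非实体的逻辑参数赋值!` and leaves `sqlParam` at its initial empty string from L171, so L196 then generates `param.put("paramN",);`, which does not compile; assign a value there, e.g. `<#assign sqlParam="null">` as the `<#else>` branch at L186 already does. At L184 the configured source value is dropped into a Java string literal unescaped, so a value containing `"` or `\` breaks the generated class; use `<#assign sqlParam="\""+nodeParam.getSrcValue()?j_string+"\"">` (and confirm that `srfjavasqlcode` at L199 applies equivalent escaping before `String strSql="${sql}";` at L207 — not visible here). The rewriting at L201 replaces the first remaining `?` once per node parameter, so a `?` inside a SQL string literal would be consumed as a placeholder and any `?` beyond the parameter count stays a bare JDBC placeholder; a template comment stating that the SQL must contain exactly one `?` per node parameter, in order, would make that contract explicit. The old `getCallSQL` function is carried along as `<#-- -->`-commented code at L136-L166; delete it rather than keep it in the template.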