springboot mybaits-plus Sql 注入器

作者: 云大牛1024 | 来源:发表于2019-05-28 09:13 被阅读0次

springboot mybaits-plus Sql 注入器
09-ADO.NET进阶
SQL 注入
WEB安全之SQL注入
web常见漏洞的成因和修复
笔记：web漏洞
常用sql注入语句
WEB安全之SQL注入
谈谈sql注入之原理和防护（－）
9.4 SQL注入

1 写一个类继续 AbstractLogicMethod

public class LogicDeleteByWrapper extends AbstractLogicMethod {
 
    @Override
    public MappedStatement injectMappedStatement(Class<?> mapperClass, Class<?> modelClass, TableInfo tableInfo) {
        String sql;
        MySqlMethod sqlMethod = MySqlMethod.LOGIC_DELETE_BY_WRAPPER;
        sql = String.format(sqlMethod.getSql(), tableInfo.getTableName(), sqlLogicSet(),
                sqlWhereEntityWrapper(tableInfo));
        SqlSource sqlSource = languageDriver.createSqlSource(configuration, sql, modelClass);
        return addUpdateMappedStatement(mapperClass, modelClass, sqlMethod.getMethod(), sqlSource);
    }
 
    public String sqlLogicSet(){
 
        String sql ="<trim prefix=\"SET\" suffixOverrides=\",\">\n" +
                "<if test=\"et.updateBy != null\">update_by=#{et.updateBy},</if>\n" +
                "<if test=\"et.updateTime != null\">update_time=#{et.updateTime},</if>\n" +
                "is_deleted = 1\n" +
                "</trim> ";
        return sql;
    }
}

写一个类继承baseMapper

     /**
     * 逻辑删除
     * @param entity
     * @param updateWrapper
     * @return
     */
    int logicDeleteByWrapper(@Param(Constants.ENTITY) T entity, @Param(Constants.WRAPPER) Wrapper<T> updateWrapper);

写一个枚举类

public enum  MySqlMethod {
 
 
    /**
     * 根据参数逻辑删除
     */
    LOGIC_DELETE_BY_WRAPPER("logicDeleteByWrapper", "根据ID 修改数据", "<script>\nUPDATE %s %s %s\n</script>"),
 
    /**
     * 根据id逻辑删除
     */
    LOGIC_DELETE_BY_ID("logicDeleteById", "根据ID 修改数据", "<script>\nUPDATE %s %s WHERE %s=#{%s}\n</script>");
 
    private final String method;
    private final String desc;
    private final String sql;
 
    MySqlMethod(String method, String desc, String sql) {
        this.method = method;
        this.desc = desc;
        this.sql = sql;
    }
 
    public String getMethod() {
        return method;
    }
 
    public String getDesc() {
        return desc;
    }
 
    public String getSql() {
        return sql;
    }
}

最后一步就是注入到bean

public class MyLogicSqlInjector extends AbstractSqlInjector {
 
 
    @Override
    public List<AbstractMethod> getMethodList() {
        return Stream.of(         
                new LogicDeleteByWrapper()
        ).collect(Collectors.toList());
    }
 
 
    @Override
    public void injectSqlRunner(Configuration configuration) {
        new SqlRunnerInjector().inject(configuration);
    }
}

@Configuration
@MapperScan("com.xxx.xxx.*.dao")
public class MybatisPlusConfig {
 
    @Bean
    public PaginationInterceptor paginationInterceptor() {
        return new PaginationInterceptor();
    }
 
 
    @Bean
    public ISqlInjector sqlInjector() {
        return new MyLogicSqlInjector();
    }
 
    /**
     * SQL执行效率插件
     */
    @Bean
    @Profile({"dev","test"})// 设置 dev test 环境开启
    public PerformanceInterceptor performanceInterceptor() {
        return new PerformanceInterceptor();
    }
}

原博客地址 http://www.51csdn.cn/article/140.html