Spring Boot JdbcTemplate SQL injection test
阿新 • Published: 2021-01-19
1. Create the project first
The database is accessed through JdbcTemplate; Spring Boot provides the following starter to support it:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
```
Then add the JUnit test starter:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
</dependency>
```
Create the following structure.
User entity
```java
// Plain data holder; only the username column is mapped.
public class User {
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }
}
```
service
```java
import java.util.List;

public interface UserService {
    public List<User> findUser(String name);
}
```
serviceimpl
```java
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
public class UserServiceImpl implements UserService {
    @Autowired
    private UserDao userDao;

    // Passes the raw request value straight through to the DAO.
    @Override
    public List<User> findUser(String name) {
        return userDao.findUser(name);
    }
}
```
dao
```java
import java.util.List;

public interface UserDao {
    public List<User> findUser(String name);
}
```
daoimpl
```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import org.springframework.stereotype.Repository;

@Repository
public class UserDaoImpl implements UserDao {
    @Autowired
    private NamedParameterJdbcTemplate jdbcTemplate;

    @Override
    public List<User> findUser(String name) {
        List<User> myUserList = new ArrayList<>();
        // Deliberately vulnerable: the request parameter is concatenated into the SQL text.
        String sql = "select * from tbuser where username ='" + name + "'";
        // The parameter map stays empty; nothing is bound, the value is already inside the string.
        Map<String, Object> param = new HashMap<>();
        List<Map<String, Object>> mapList = jdbcTemplate.queryForList(sql, param);
        for (int i = 0; i < mapList.size(); i++) {
            Map<String, Object> testmap = mapList.get(i);
            User myuser = new User();
            myuser.setName((String) testmap.get("username"));
            myUserList.add(myuser);
        }
        return myUserList;
    }
}
```
As you can see, the SQL statement is plainly built by string concatenation: whatever arrives in the name request parameter is pasted into the query text unchanged, so a value containing a single quote (for example `' or '1'='1`) changes the statement itself rather than being compared as a username.
controller
```java
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {
    @Autowired
    private UserService userService;

    // GET /user?name=... is the injection entry point; name is passed through unvalidated.
    @RequestMapping("/user")
    public List<User> findUser(@RequestParam String name) {
        return userService.findUser(name);
    }
}
```
Run it:
The correct approach is to bind the value as a prepared-statement parameter. With NamedParameterJdbcTemplate that means a `:name` placeholder in the SQL text plus a parameter map; the template turns the placeholder into a JDBC `PreparedStatement` parameter, so the value is sent separately from the statement and cannot alter it. Reference code:
```java
// Inside UserDaoImpl. findUserSec must also be declared in UserDao (and exposed through
// the service/controller) for @Override to compile and for the endpoint to use it.
@Override
public List<User> findUserSec(String name) {
    List<User> myUserList = new ArrayList<>();
    // Named placeholder instead of concatenation.
    String sql = "select * from tbuser where username =:name";
    Map<String, Object> param = new HashMap<>();
    param.put("name", name);
    List<Map<String, Object>> mapList = jdbcTemplate.queryForList(sql, param);
    for (int i = 0; i < mapList.size(); i++) {
        Map<String, Object> testmap = mapList.get(i);
        User myuser = new User();
        myuser.setName((String) testmap.get("username"));
        myUserList.add(myuser);
    }
    return myUserList;
}
```
After running it:
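To show concretely what the two DAO methods above return for the same input, here is an added example that is not part of the original post or the linked project. It models the concatenated query from findUser and the `:name` parameter query from findUserSec against an in-memory SQLite table named tbuser. The table columns (id, username, password) and the sample rows are constructed for the example, and the attack strings are generic SQL injection payloads, not anything taken from the post.

```python
import sqlite3

# Constructed sample data standing in for the post's tbuser table (assumed
# columns: id, username, password); not taken from the original project.
SAMPLE_USERS = [
    (1, "alice", "alice-pw"),
    (2, "bob", "bob-pw"),
    (3, "O'Brien", "obrien-pw"),
]


def make_db():
    """In-memory SQLite database mirroring the tbuser table the post queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table tbuser (id integer primary key, username text, password text)"
    )
    conn.executemany("insert into tbuser values (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Same construction as the post's UserDaoImpl.findUser: the request value is
    concatenated into the SQL text, so it becomes part of the statement."""
    sql = "select username from tbuser where username ='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Equivalent of the post's findUserSec: a named placeholder (:name) bound
    from a parameter map. The driver sends the value separately from the
    statement, so it can never change the statement's shape."""
    sql = "select username from tbuser where username =:name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def demo():
    """Run both lookups against the same inputs and collect the results."""
    conn = make_db()
    results = {}

    # 1. Honest lookup: both versions agree.
    results["normal"] = (
        find_user_vulnerable(conn, "alice"),
        find_user_safe(conn, "alice"),
    )

    # 2. Tautology payload: the concatenated statement becomes
    #    ... where username ='' or '1'='1'  and returns every row.
    #    The parameterised version compares the whole string as a username.
    payload = "' or '1'='1"
    results["tautology"] = (
        find_user_vulnerable(conn, payload),
        find_user_safe(conn, payload),
    )

    # 3. UNION payload: the attacker reads a different column (password)
    #    through the username result column.
    payload = "' union select password from tbuser where '1'='1"
    results["union"] = (
        find_user_vulnerable(conn, payload),
        find_user_safe(conn, payload),
    )

    # 4. A legitimate apostrophe: concatenation is not only unsafe but wrong;
    #    the unbalanced quote breaks the statement, while binding handles it.
    try:
        find_user_vulnerable(conn, "O'Brien")
        results["apostrophe_vulnerable_error"] = None
    except sqlite3.Error as exc:
        results["apostrophe_vulnerable_error"] = type(exc).__name__
    results["apostrophe_safe"] = find_user_safe(conn, "O'Brien")

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same two behaviours carry over to the Spring code: the concatenated findUser hands the attacker's text to the database as part of the statement, while findUserSec, through NamedParameterJdbcTemplate's placeholder binding, always treats the request value as data. The apostrophe case is worth keeping in a regression test, since it fails loudly for the vulnerable version even with no attacker involved.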
Project code:
https://github.com/testwc/jdbcsql