标题查询输入框%没有进行转义,可以搜到所有数据,请问应该怎么改
<select id="findList" resultType="Doc" >
SELECT
<include refid="docColumns"/>
FROM cc_doc a
<include refid="docJoins"/>
<where>
a.del_flag = #{DEL_FLAG_NORMAL} AND (a.state='3' OR b.audit='0' OR a.create_by= #{createBy.id}) AND a.state!='7'
${dataScope}
<if test="title != null and title != ''">
AND a.title LIKE CONCAT('%', #{title}, '%')
</if>
<if test="author != null and author != ''">
AND a.author = #{author}
</if>
<if test="type != null and type != ''">
AND a.type = #{type}
</if>
<if test="flag != null and flag != ''">
AND a.create_by= #{createBy.id}
</if>
<if test="docType != null and docType.id != null and docType.id != ''">
AND (b.id = #{docType.id} OR b.parent_ids LIKE
<if test="dbName == 'oracle'">'%,'||#{docType.id}||',%')</if>
<if test="dbName == 'mysql'">CONCAT('%,', #{docType.id}, ',%'))</if>
<if test="dbName == 'mssql'">'%'+#{docType.id}+'%')</if>
</if>
</where>
<choose>
<when test="page !=null and page.orderBy != null and page.orderBy != ''">
ORDER BY ${page.orderBy}
</when>
<otherwise>
ORDER BY a.update_date DESC
</otherwise>
</choose>
</select>
<select id="findAllList" resultType="Doc" >
SELECT
<include refid="docColumns"/>
FROM cc_doc a
<include refid="docJoins"/>
<where>
a.del_flag = #{DEL_FLAG_NORMAL}
${dataScope}
</where>
<choose>
<when test="page !=null and page.orderBy != null and page.orderBy != ''">
ORDER BY ${page.orderBy}
</when>
<otherwise>
ORDER BY a.create_date ASC
</otherwise>
</choose>
</select>
回答了怎么才能得到赏金
在入参的位置 通过这个方法转义一下
public static String escapeSpecialChar(String s){
if(StringUtils.isBlank(s)){
return null;
}else{
return s.replaceAll("%", "\\\\%").replaceAll("_", "\\\\_");
}
}
java操作判断参数不为空 添加
param.replaceAll("%", "/%")替换一下进行转义 然后再sql最后加上 escape '/'
WHERE `name` LIKE concat('%', '/%', '%') ESCAPE '/' ;