SQL字符串拼接最佳实践

2023-07-27 java 工具类评论


import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;


public class DbUtils {
    private static final String PLACEHOLDER_PATTERN = "\\$\\{(.+?)\\}";

    public static String replace(String source, Object object, Class<?> clazz) {
        Pattern pattern = Pattern.compile(PLACEHOLDER_PATTERN);
        Matcher matcher = pattern.matcher(source);

        StringBuffer sb = new StringBuffer();
        while (matcher.find()) {
            String placeholder = matcher.group();
            String fieldName = matcher.group(1);
            String value = getFieldValue(object, fieldName, clazz);
            value = escapeSQL(value);
            if (value != null) {
                matcher.appendReplacement(sb, Matcher.quoteReplacement(value));
            } else {
                matcher.appendReplacement(sb, Matcher.quoteReplacement(placeholder));
            }
        }
        matcher.appendTail(sb);

        return sb.toString();
    }

    public static String replace(String source, Map<String,String> map) {
        Pattern pattern = Pattern.compile(PLACEHOLDER_PATTERN);
        Matcher matcher = pattern.matcher(source);
        StringBuffer sb = new StringBuffer();
        while (matcher.find()) {
            String placeholder = matcher.group();
            String key = matcher.group(1);
            String value = map.get(key);
            value = escapeSQL(value);
            if (value != null) {
                matcher.appendReplacement(sb, Matcher.quoteReplacement(value));
            } else {
                matcher.appendReplacement(sb, Matcher.quoteReplacement(placeholder));
            }
        }
        matcher.appendTail(sb);

        return sb.toString();
    }

    public static Map<String, String> createMap(String... args){
        Map<String,String> map = new HashMap<>();
        for(int i = 0; i < args.length; i+= 2){
            String key = args[i];
            String value = args[i + 1];
            map.put(key, value);
        }
        return map;
    }
    
    // 自定义SQL转义避免SQL注入
    private static String escapeSQL(String value) {
        value = value.replace("'", "''");  // 单引号用双单引号替换
        value = value.replace(";", "");  // 去掉分号
        value = value.replace("%", "%%"); // 百分号替换为%%
        value = value.replace("\\", "\\\\"); // 转义\字符
        return value;
    }

    private static String getFieldValue(Object object, String fieldName, Class<?> clazz) {
        try {
            Field field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
            Object value = field.get(object);
            return value != null ? value.toString() : null;
        } catch (Exception e) {
            return null;
        }
    }
}

本文链接： https://junjun.fun/23_07_27_sql_string_joinner_bestway/

版权声明： 本博客所有文章除特别声明外，均采用 CC BY 4.0 CN协议许可协议。转载请注明出处！

赵无敌Developer & Designer

苟利国家生死以,岂因祸福避趋之。