Date: 2021-07-01 10:21:17
import org.apache.commons.lang.StringEscapeUtils; // commons-lang 2.x; escapeSql is not in lang3

public class EscapeSqlDemo {
    public static void main(String[] args) {
        StringBuffer sql = new StringBuffer("select * from users where 1=1 ");
        // Attacker-controlled keyword carrying a single quote
        String keyWord = "aaa' or '1=1";
        if (!keyWord.isEmpty()) {
            // escapeSql doubles each ' so it stays inside the string literal
            sql.append(" and username like '%" + StringEscapeUtils.escapeSql(keyWord) + "'");
        }
        System.out.println(sql);
    }
}
Output:
select * from users where 1=1 and username like '%aaa'' or ''1=1'
StringEscapeUtils.escapeSql turns each single quote ' into two (''), so the quote no longer terminates the string literal; the whole keyword is matched as one LIKE pattern and no user matches. That is all it does (its source, attached in the original post, returns null for null input and otherwise replaces every ' with ''). It does nothing for the LIKE wildcards % and _, for values used outside a quoted literal (numbers, column names, ORDER BY), or for dialects where a backslash also escapes quotes (MySQL by default, where a keyword starting with \' still breaks out). Because of this the method was deprecated in Commons Lang 2.6 and removed in 3.0; a PreparedStatement with bound parameters is the correct fix.
Without escaping, the query returns every user, because the keyword closes the literal and appends its own OR condition:
select * from users where 1=1 and username like '%aaa' or '1=1'
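To see both outcomes actually run, here is an added example (not code from the original post) that rebuilds the page's query in Python against an in-memory sqlite3 table. escape_sql is my own re-statement of the single transformation escapeSql applied (each ' becomes ''); the USERS rows and the escape_like helper are constructed for the example, and the parameterized query shows the bound-parameter fix that the page's caveat points to. It also goes one step past the page: it shows that escapeSql leaves LIKE wildcards alone, so a keyword of "%" still returns everyone.

```python
import sqlite3

# Constructed sample table for this example (not data from the original post).
USERS = ["alice", "bob", "aaa_admin"]

# The injection payload used on the page.
PAYLOAD = "aaa' or '1=1"


def escape_sql(value):
    """Python re-statement of what commons-lang's StringEscapeUtils.escapeSql did:
    every single quote becomes two. It touches nothing else (no %, _ or \\ handling)."""
    return value.replace("'", "''")


def escape_like(value):
    """Neutralise LIKE metacharacters so a keyword is matched literally; the query
    must then declare ESCAPE '\\'. escapeSql never did this."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_concat(keyword, escape):
    """The page's string-concatenation query, with or without escapeSql."""
    sql = "select * from users where 1=1"
    if keyword:
        value = escape_sql(keyword) if escape else keyword
        sql += " and username like '%" + value + "'"
    return sql


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text)")
    conn.executemany("insert into users values (?)", [(u,) for u in USERS])
    return conn


def run_concat(keyword, escape):
    """Execute the concatenated query; return the matched usernames, sorted."""
    conn = open_db()
    try:
        return sorted(row[0] for row in conn.execute(build_concat(keyword, escape)))
    finally:
        conn.close()


def run_parameterized(keyword):
    """The fix escapeSql was standing in for: bind the keyword as a parameter.
    The wildcard is part of the bound pattern, not the SQL text, so no quoting
    or doubling is needed; escape_like keeps user-supplied % and _ literal."""
    conn = open_db()
    try:
        sql = "select * from users where 1=1"
        params = []
        if keyword:
            sql += " and username like ? escape '\\'"
            params.append("%" + escape_like(keyword))
        return sorted(row[0] for row in conn.execute(sql, params))
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_concat(PAYLOAD, escape=False), "->", run_concat(PAYLOAD, escape=False))
    print(build_concat(PAYLOAD, escape=True), "->", run_concat(PAYLOAD, escape=True))
    print("parameterized ->", run_parameterized(PAYLOAD))
    print("escapeSql leaves LIKE wildcards alone:", run_concat("%", escape=True))
    print("parameterized with escape_like:", run_parameterized("%"))
```

The unescaped query returns all three users because '1=1' is a non-empty string that SQLite (like MySQL) converts to the number 1, so the OR branch is always true. The escaped query and the parameterized query both return nothing for the payload, but only the parameterized version with escape_like also refuses to treat a user-supplied % or _ as a wildcard.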
Common uses of StringEscapeUtils: preventing SQL injection and XSS injection