MyBatis学习笔记-参数转义处理

查询参数中如果有传入%的情况，数据会被全量返回。类似的可能还会有一些特殊符号的情况存在。这个时候可能需要在查询数据的时候进行参数转义处理。一般情况可能会考虑选择下面的两种方式处理。

一、基于Filter处理

主要通过实现Filter接口，自定义HttpServletRequestWrapper处理参数数据。

• 注意事项
  • 全局参数的一个统一拦截替换。不是能很好的区分增删改查，进行更细粒度的控制。

二、基于Interceptor处理

主要通过实现Interceptor接口，自定义处理查询操作的参数数据。

• 注意事项
  • 可以支持仅处理查询操作的参数。
  • 参数的类型会比较多，需要根据不同的参数类型进行单独的处理。

@Slf4j
@AllArgsConstructor
@Intercepts({@Signature(type = ParameterHandler.class, method = "setParameters", args = PreparedStatement.class)})
public class ParameterEscapeInterceptor implements Interceptor {private static final Pattern EW_SQL_PATTERN = Pattern.compile("\\w+\\s\\S+\\s#\\{ew.paramNameValuePairs.MPGENVAL\\d+}");private static final Pattern EW_MPG_PATTERN = Pattern.compile("MPGENVAL\\d+");private final ParameterEscapeProperties parameterEscapeProperties;@Overridepublic Object intercept(Invocation invocation) throws Throwable {ParameterHandler parameterHandler = (ParameterHandler) invocation.getTarget();// MetaObject是MyBatis提供的一个反射帮助类，可以优雅访问对象的属性，这里是对parameterHandler对象进行反射处理，MetaObject metaObject = MetaObject.forObject(parameterHandler, SystemMetaObject.DEFAULT_OBJECT_FACTORY,SystemMetaObject.DEFAULT_OBJECT_WRAPPER_FACTORY, new DefaultReflectorFactory());if (!"SELECT".equalsIgnoreCase(String.valueOf(metaObject.getValue("sqlCommandType")))) {return invocation.proceed();}Object parameterObject = parameterHandler.getParameterObject();if (null == parameterObject) {return invocation.proceed();}if (parameterObject instanceof Map) {Map<String, Object> parameterMapObject = (Map<String, Object>) parameterObject;if (parameterMapObject.containsKey(com.baomidou.mybatisplus.core.toolkit.Constants.ENTITY)) {// handle entity objectObject etObject = parameterMapObject.get(com.baomidou.mybatisplus.core.toolkit.Constants.ENTITY);if (null != etObject) {handleObjectFields(etObject);}} if (parameterMapObject.containsKey(com.baomidou.mybatisplus.core.toolkit.Constants.WRAPPER)) {// handle wrapper objecthandleWrapperObjectFields(metaObject);} else {// handle map objecthandleMapObjectFields(parameterMapObject);}} else {handleObjectFields(parameterObject);}return invocation.proceed();}// handle wrapper objectprivate void handleWrapperObjectFields(MetaObject metaObject) {Object paramNameValuePairs = metaObject.getValue("parameterObject.ew.paramNameValuePairs");if (null == paramNameValuePairs) {return;}if (paramNameValuePairs instanceof Map) {Map<String, String> mpgFieldConditionMap = new HashMap<>();Matcher ewSqlMatcher = EW_SQL_PATTERN.matcher(String.valueOf(metaObject.getValue("parameterObject.ew.expression.sqlSegment")));while (ewSqlMatcher.find()) {String[] conditionKV = ewSqlMatcher.group().split("\\s");if (null != conditionKV && conditionKV.length > 1) {Matcher mpgMatcher = EW_MPG_PATTERN.matcher(conditionKV[2]);if (mpgMatcher.find()) {mpgFieldConditionMap.put(mpgMatcher.group(), conditionKV[1]);}}}Map<String, Object> paramNameValuePairsMap = (Map) paramNameValuePairs;for (Map.Entry<String, Object> entry : paramNameValuePairsMap.entrySet()) {String paramName = entry.getKey();paramNameValuePairsMap.put(paramName, handleObjectField(entry.getValue(), mpgFieldConditionMap.get(paramName)));}}}// handle map objectprivate void handleMapObjectFields(Map<String, Object> parameterObject) {for (Map.Entry<String, Object> entry : parameterObject.entrySet()) {try {Object fieldValue = entry.getValue();if (ObjectUtil.isNull(fieldValue)) {continue;}if (fieldValue instanceof Map) {handleMapObjectFields((Map) fieldValue);}parameterObject.put(entry.getKey(), handleObjectField(fieldValue));} catch (Exception e) {log.info(e.getMessage());}}}private void handleObjectFields(Object object) {Field[] declaredFields = object.getClass().getDeclaredFields();for (int i = 0, len = declaredFields.length; i < len; i++) {Field declaredField = declaredFields[i];if (Modifier.isStatic(declaredField.getModifiers())) {continue;}String declaredFieldName = declaredField.getName();if ("serialVersionUID".equalsIgnoreCase(declaredFieldName) || "handler".equalsIgnoreCase(declaredFieldName)) {continue;}declaredField.setAccessible(true);try {Object declaredFieldValue = declaredField.get(object);if (ObjectUtil.isNull(declaredFieldValue)) {continue;}declaredField.set(object, handleObjectField(declaredFieldValue));} catch (Exception e) {log.info(e.getMessage());}declaredField.setAccessible(false);}}private Object handleObjectField(Object objectFieldValue) {return handleObjectField(objectFieldValue, null);}private Object handleObjectField(Object objectFieldValue, String condition) {if (ObjectUtil.isNotEmpty(objectFieldValue) && objectFieldValue instanceof String) {String objectFieldStringValue = String.valueOf(objectFieldValue);String prefix = "";String suffix = "";boolean isLikeCondition = "LIKE".equalsIgnoreCase(condition) && objectFieldStringValue.length() >= 2;if (isLikeCondition) {if (objectFieldStringValue.startsWith("%")) {prefix = "%";objectFieldStringValue = objectFieldStringValue.substring(1);}if (objectFieldStringValue.endsWith("%")) {suffix = "%";objectFieldStringValue = objectFieldStringValue.substring(0, objectFieldStringValue.length() - 1);}}for (Map.Entry<String, String> entry : parameterEscapeProperties.getEscapeMapping().entrySet()) {objectFieldStringValue = objectFieldStringValue.replaceAll(entry.getKey(), entry.getValue());}return isLikeCondition ? prefix + objectFieldStringValue + suffix : objectFieldStringValue;}return objectFieldValue;}}

总的来说，参数转义的处理还是比较简单的，也可以比较灵活。