【#4127】sql漏洞写法修复

2022-11-06 17:03:48 +08:00 · 2022-11-06 17:03:48 +08:00 · 958cf01649
parent 01602bd60a
commit 958cf01649
1 changed files with 10 additions and 4 deletions
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/xml/SysUserMapper.xml
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/xml/SysUserMapper.xml
@ -157,10 +157,16 @@
 		</foreach>
 	</delete>

-    <!-- 更新空字符串为null -->
-    <update id="updateNullByEmptyString">
-        UPDATE sys_user SET ${fieldName} = NULL WHERE ${fieldName} = ''
-    </update>
+	<!-- 更新空字符串为null -->
+	<update id="updateNullByEmptyString">
+		UPDATE sys_user
+		<if test="fieldName == 'email'">
+			SET email = NULL WHERE email = ''
+		</if>
+		<if test="fieldName == 'phone'">
+			SET phone = NULL WHERE phone = ''
+		</if>
+	</update>

 	<!-- 通过多个部门IDS，查询部门下的用户信息 -->
 	<select id="queryByDepIds" resultType="org.jeecg.modules.system.entity.SysUser">