Using a select statement with multiple columns

Time: 2018-03-12 06:52:26

Tags: c#

I have a question about this query.

I want to search Column4 for, for example, "in progress".

import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import java.util.Set;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

// LDAPAuthenticationProvider and AuthRepository are the poster's own classes (not shown here).
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    private final Logger log = LoggerFactory.getLogger(getClass());

    @Autowired
    private LDAPAuthenticationProvider ldapAuthentication;

    @Autowired
    private AuthRepository authRepository;

    public CustomAuthenticationProvider() {
        super();
    }

    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
        // Null-check before lowercasing: calling toLowerCase() on the raw principal first
        // would throw a NullPointerException instead of the intended BadCredentialsException.
        String principal = (String) authentication.getPrincipal();
        String password = (String) authentication.getCredentials();
        if (principal != null && password != null) {
            String userName = principal.toLowerCase();
            // Verify the credentials against LDAP before granting any roles. The posted
            // brace structure had lost this inner guard; invokeAuthentication() is otherwise
            // unused, so it is assumed to be the intended check (the "false" argument is an assumption).
            if (invokeAuthentication(userName, password, false)) {
                String clientId = null; // HERE HOW TO GET THE CLIENT ID
                Set<String> userRoles = authRepository.getUserRoleDetails(userName, clientId);
                Collection<SimpleGrantedAuthority> authorities = fillUserAuthorities(userRoles);
                // The password is deliberately not carried in the authenticated token.
                return new UsernamePasswordAuthenticationToken(userName, StringUtils.EMPTY, authorities);
            } else {
                throw new BadCredentialsException("Authentication Failed!!!");
            }
        } else {
            throw new BadCredentialsException("Username or Password cannot be empty!!!");
        }
    }

    // Returns true only when the LDAP provider reports success; any exception is logged and treated as failure.
    public boolean invokeAuthentication(String username, String password, Boolean isClientValidation) {
        try {
            Map<String, Object> userDetails = ldapAuthentication.authenticateUser(username, password);
            if (Boolean.parseBoolean(userDetails.get("success").toString())) {
                return true;
            }
        } catch (Exception exception) {
            log.error("Exception in invokeAuthentication::: " + exception.getMessage());
        }
        return false;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    // Wraps each role name from the repository in a SimpleGrantedAuthority.
    private Collection<SimpleGrantedAuthority> fillUserAuthorities(Set<String> roles) {
        Collection<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return authorities;
    }
}

2 answers:

Answer 0: (score: 1)

First, this will lead to SQL injection, which is a bad way of coding.

Second, the query has a problem: Column2 has no `and` condition, and there is no space between Column2 and the `AND` condition for Column3

"SELECT Column4 FROM Table WHERE Column1 ='" + textBox1.Text + "', 
Column2 ='" + textBox2.Text + "'AND Column3 ='" + textBox3.Text + "'"

The query should be

"SELECT Column4 FROM Table WHERE Column1 ='" + textBox1.Text +
                     "' and Column2 ='" + textBox2.Text + 
                      "' AND Column3 ='" + textBox3.Text + "'"

and use SqlCommand with SQL parameters to avoid SQL injection.

Answer 1: (score: 0)

If you insist on writing SQL queries this way*, then at least use string formatting:

//older style of string format
var query1 = string.Format("SELECT Column4 FROM Table WHERE Column1 = '{0}' AND Column2 = '{1}' AND Column3 = '{2}'"
                           , textBox1.Text
                           , textBox2.Text
                           , textBox3.Text);

//newer style of string format
var query2 = $"SELECT Column4 FROM Table WHERE Column1 = '{textBox1.Text}' AND Column2 = '{textBox2.Text}' AND Column3 = '{textBox3.Text}'";

The string-concatenation approach makes the code hard to read and maintain and makes it easy to slip up, such as the AND you left out of the WHERE.

*As others have already mentioned, injecting values directly into a query is a BadThing®. However, if you're just throwing together a quick and dirty demo and you're the only one who will ever use it, it's fine. Just don't do it in production code, not ever.
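Both answers point at the same fix: answer 0 says to use SqlCommand with SQL parameters, and answer 1's string.Format / interpolation variants are just as injectable as concatenation, so they need the same treatment. The following C# is an added example, not code from the question or from either answer. It assumes System.Data.SqlClient, the Table / Column1..Column4 names used in the question, and a connection string supplied by the caller. It also goes one step beyond the answers: the Column4 search term ("in progress" in the question) is escaped for LIKE, because parameters stop injection but do not neutralize wildcard characters.

```csharp
// Added example (not from the question or either answer). Assumes
// System.Data.SqlClient, the Table/Column1..Column4 layout from the
// question, and a caller-supplied connection string.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class Column4Lookup
{
    // The same three-column filter as in the answers, but every text box value
    // is bound as a typed parameter. A value containing a quote or a keyword is
    // compared literally against its column and cannot change the statement's
    // shape, and the missing-AND mistake cannot happen because the SQL text is
    // one constant.
    public static SqlCommand BuildCommand(
        SqlConnection connection, string column1, string column2, string column3, string column4Contains)
    {
        const string sql =
            "SELECT Column4 FROM [Table] " +   // TABLE is a reserved word in T-SQL, hence the brackets
            "WHERE Column1 = @column1 AND Column2 = @column2 AND Column3 = @column3 " +
            "AND (@column4 IS NULL OR Column4 LIKE @column4 ESCAPE '\\')";

        var command = new SqlCommand(sql, connection);
        // Explicit type and length keep the parameter shape stable, so the plan
        // cache sees one plan instead of one per input length.
        AddText(command, "@column1", column1, 100);
        AddText(command, "@column2", column2, 100);
        AddText(command, "@column3", column3, 100);
        // Parameters stop injection but not LIKE wildcards, so the Column4 search
        // term is escaped before the surrounding % are added.
        AddText(command, "@column4",
            column4Contains == null ? null : "%" + EscapeLikePattern(column4Contains) + "%", 200);
        return command;
    }

    // Escapes the characters T-SQL LIKE treats specially (%, _, [) and the escape
    // character itself, so the user's text matches only itself.
    public static string EscapeLikePattern(string value)
    {
        return value
            .Replace("\\", "\\\\")
            .Replace("%", "\\%")
            .Replace("_", "\\_")
            .Replace("[", "\\[");
    }

    private static void AddText(SqlCommand command, string name, string value, int maxLength)
    {
        command.Parameters.Add(name, SqlDbType.NVarChar, maxLength).Value =
            value == null ? (object)DBNull.Value : value;
    }

    // Opens the connection, runs the lookup and returns every Column4 value found.
    public static List<string> Find(string connectionString,
        string column1, string column2, string column3, string column4Contains = null)
    {
        var results = new List<string>();
        using (var connection = new SqlConnection(connectionString))
        {
            connection.Open();
            using (var command = BuildCommand(connection, column1, column2, column3, column4Contains))
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(reader.IsDBNull(0) ? null : reader.GetString(0));
                }
            }
        }
        return results;
    }
}

// In the form's click handler the three text boxes map straight onto the parameters:
//   var rows = Column4Lookup.Find(connectionString, textBox1.Text, textBox2.Text, textBox3.Text, "in progress");
```

The SQL text never changes between calls, so what the user typed can only ever be data. If the intent is an exact match on Column4 rather than a substring search, drop the LIKE clause and bind Column4 with AddText like the other three columns.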