潘钊 / bsth_control · Commits

Commit 179055a5540ed3b8fd95c4b16b796b29af93581a

Authored by 娄高锋
1 parent da8632ab
build: skipped

改掉sql拼接(sql注入漏洞)

Inline Side-by-side
Showing 1 changed file with 229 additions and 247 deletions
src/main/java/com/bsth/service/report/impl/ReportServiceImpl.java
  View file @179055a
... ... @@ -398,19 +398,22 @@ public class ReportServiceImpl implements ReportService{
398 398 Map<String, Object> map=new HashMap<String,Object>();
399 399 // TODO Auto-generated method stub
400 400  
  401 + List<String> objList = new ArrayList<String>();
  402 + objList.add(ttinfo);
  403 +
401 404 //查询配车
402 405 String sqlPc=" select count(*) from (select lp, count(*) from"
403   - + " bsth_c_s_ttinfo_detail where ttinfo ='"+ttinfo+"'"
  406 + + " bsth_c_s_ttinfo_detail where ttinfo = ?"
404 407 + " group by lp ) a";
405 408 //配车
406   - int pcs=jdbcTemplate.queryForObject(sqlPc, Integer.class);
  409 + int pcs=jdbcTemplate.queryForObject(sqlPc, objList.toArray(), Integer.class);
407 410  
408 411  
409 412 String sqlPlan=" SELECT jhlc,bc_type,fcsj FROM bsth_c_s_ttinfo_detail "
410   - +" where ttinfo ='"+ttinfo+"' ";
  413 + +" where ttinfo = ? ";
411 414  
412 415 //查询班次
413   - List<Map<String, Object>> listPlan= jdbcTemplate.query(sqlPlan,
  416 + List<Map<String, Object>> listPlan= jdbcTemplate.query(sqlPlan, objList.toArray(),
414 417 new RowMapper<Map<String, Object>>(){
415 418 @Override
416 419 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
... ... @@ -482,25 +485,33 @@ public class ReportServiceImpl implements ReportService{
482 485 String minfcsj="02:00";
483 486 List<Line> lineList=lineRepository.findLineByCode(line);
484 487 if(lineList.size()>0){
485   - String sql = "select count(*) from bsth_c_line_config where line = '"+lineList.get(0).getId()+"'";
486   - if(jdbcTemplate.queryForObject(sql, Integer.class) > 0){
  488 + List<String> objList = new ArrayList<String>();
  489 + objList.add(lineList.get(0).getId() + "");
  490 + String sql = "select count(*) from bsth_c_line_config where line = ? ";
  491 + if(jdbcTemplate.queryForObject(sql, objList.toArray(), Integer.class) > 0){
487 492 String sqlMinYysj="select start_opt from bsth_c_line_config where "
488 493 + " id = ("
489   - + "select max(id) from bsth_c_line_config where line ='"+lineList.get(0).getId() +"'"
  494 + + "select max(id) from bsth_c_line_config where line = ? "
490 495 + ")";
491   - minfcsj=jdbcTemplate.queryForObject(sqlMinYysj, String.class);
  496 + minfcsj=jdbcTemplate.queryForObject(sqlMinYysj, objList.toArray(), String.class);
492 497 }
493 498 }
494 499 String[] minSjs = minfcsj.split(":");
495 500 int minSj=Integer.parseInt(minSjs[0])*60+Integer.parseInt(minSjs[1]);
  501 +
  502 + List<String> objList = new ArrayList<String>();
  503 + objList.add(ttinfo);
  504 + objList.add(minfcsj);
  505 + objList.add(ttinfo);
  506 + objList.add(minfcsj);
496 507 //查询时间里程
497 508 String sqlPc=" (SELECT jhlc,fcsj,bc_type,bcsj,lp,2 as xh, ists FROM bsth_c_s_ttinfo_detail "
498   - + " where ttinfo ='"+ttinfo+"' and fcsj <='"+minfcsj+"' ) "
  509 + + " where ttinfo = ? and fcsj <= ? ) "
499 510 + " union "
500 511 + " (SELECT jhlc,fcsj,bc_type,bcsj,lp,1 as xh, ists FROM bsth_c_s_ttinfo_detail "
501   - + " where ttinfo ='"+ttinfo+"' and fcsj > '"+minfcsj+"' ) order by lp,xh,fcsj";
  512 + + " where ttinfo = ? and fcsj > ? ) order by lp,xh,fcsj";
502 513 Map<String, Object> map=new HashMap<String,Object>();
503   - List<Map<String, Object>> list= jdbcTemplate.query(sqlPc,
  514 + List<Map<String, Object>> list= jdbcTemplate.query(sqlPc, objList.toArray(),
504 515 new RowMapper<Map<String, Object>>(){
505 516 @Override
506 517 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
... ... @@ -620,11 +631,13 @@ public class ReportServiceImpl implements ReportService{
620 631 List<Map<String, Object>> list=new ArrayList<Map<String,Object>>();
621 632 List<Map<String, Object>> list_s=new ArrayList<Map<String,Object>>();
622 633  
  634 + List<String> objList = new ArrayList<String>();
  635 + objList.add(ttinfo);
623 636 String sqlCl="SELECT lp cl_zbh,qdz_name,bc_type,fcsj,bcsj FROM"
624   - + " bsth_c_s_ttinfo_detail WHERE ttinfo = '"+ttinfo+"' "
  637 + + " bsth_c_s_ttinfo_detail WHERE ttinfo = ? "
625 638 + " AND (bc_type = 'normal' or bc_type='region') order by qdz_name";
626 639  
627   - List<Map<String, Object>> listj= jdbcTemplate.query(sqlCl,
  640 + List<Map<String, Object>> listj= jdbcTemplate.query(sqlCl, objList.toArray(),
628 641 new RowMapper<Map<String, Object>>(){
629 642 @Override
630 643 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
... ... @@ -638,10 +651,10 @@ public class ReportServiceImpl implements ReportService{
638 651 }
639 652 });
640 653  
641   - String sqlZd="select qdz_name,bc_type from bsth_c_s_ttinfo_detail WHERE ttinfo = '"+ttinfo+"' "
  654 + String sqlZd="select qdz_name,bc_type from bsth_c_s_ttinfo_detail WHERE ttinfo = ? "
642 655 + " AND (bc_type = 'normal' or bc_type='region') group by qdz_name ,bc_type "
643 656 + " order by qdz_name";
644   - List<Map<String, Object>> lists= jdbcTemplate.query(sqlZd,
  657 + List<Map<String, Object>> lists= jdbcTemplate.query(sqlZd, objList.toArray(),
645 658 new RowMapper<Map<String, Object>>(){
646 659 @Override
647 660 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
... ... @@ -803,27 +816,34 @@ public class ReportServiceImpl implements ReportService{
803 816 String minfcsj="02:00";
804 817 List<Line> lineList=lineRepository.findLineByCode(line);
805 818 if(lineList.size()>0){
806   - String sql = "select count(*) from bsth_c_line_config where line = '"+lineList.get(0).getId()+"'";
807   - if(jdbcTemplate.queryForObject(sql, Integer.class) > 0){
  819 + List<String> objList = new ArrayList<String>();
  820 + objList.add(lineList.get(0).getId() + "");
  821 + String sql = "select count(*) from bsth_c_line_config where line = ? ";
  822 + if(jdbcTemplate.queryForObject(sql, objList.toArray(), Integer.class) > 0){
808 823 String sqlMinYysj="select start_opt from bsth_c_line_config where "
809 824 + " id = ("
810   - + "select max(id) from bsth_c_line_config where line ='"+lineList.get(0).getId() +"'"
  825 + + "select max(id) from bsth_c_line_config where line = ?"
811 826 + ")";
812   - minfcsj=jdbcTemplate.queryForObject(sqlMinYysj, String.class);
  827 + minfcsj=jdbcTemplate.queryForObject(sqlMinYysj, objList.toArray(), String.class);
813 828 }
814 829 }
815 830  
  831 + List<String> objList = new ArrayList<String>();
  832 + objList.add(ttinfo);
  833 + objList.add(minfcsj);
  834 + objList.add(ttinfo);
  835 + objList.add(minfcsj);
816 836 //查询全程
817 837 String sqlqc="select t.* from ( "
818 838 + " (SELECT bc_type, fcsj,qdz,2 as xh,xl_dir,qdz_name FROM bsth_c_s_ttinfo_detail "
819   - + " where ttinfo ='"+ttinfo+"' and (bc_type='normal' || bc_type='region') "
820   - + " and fcsj <='"+minfcsj+"') "
  839 + + " where ttinfo = ? and (bc_type='normal' || bc_type='region') "
  840 + + " and fcsj <= ?) "
821 841 + " union "
822 842 + " (SELECT bc_type, fcsj,qdz,1 as xh,xl_dir,qdz_name FROM bsth_c_s_ttinfo_detail "
823   - + " where ttinfo ='"+ttinfo+"' and (bc_type='normal' || bc_type='region') "
824   - + " and fcsj > '"+minfcsj+"') "
  843 + + " where ttinfo = ? and (bc_type='normal' || bc_type='region') "
  844 + + " and fcsj > ?) "
825 845 + "order by xl_dir,xh,fcsj ) t ";
826   - List<Map<String, String>> qclist= jdbcTemplate.query(sqlqc,
  846 + List<Map<String, String>> qclist= jdbcTemplate.query(sqlqc, objList.toArray(),
827 847 new RowMapper<Map<String, String>>(){
828 848 @Override
829 849 public Map<String, String> mapRow(ResultSet rs, int rowNum) throws SQLException {
... ... @@ -895,30 +915,38 @@ public class ReportServiceImpl implements ReportService{
895 915 String minfcsj="02:00";
896 916 List<Line> lineList=lineRepository.findLineByCode(line);
897 917 if(lineList.size()>0){
898   - String sql = "select count(*) from bsth_c_line_config where line = '"+lineList.get(0).getId()+"'";
899   - if(jdbcTemplate.queryForObject(sql, Integer.class) > 0){
  918 + List<String> objList = new ArrayList<String>();
  919 + objList.add(lineList.get(0).getId() + "");
  920 + String sql = "select count(*) from bsth_c_line_config where line = ? ";
  921 + if(jdbcTemplate.queryForObject(sql, objList.toArray(), Integer.class) > 0){
900 922 String sqlMinYysj="select start_opt from bsth_c_line_config where "
901 923 + " id = ("
902   - + "select max(id) from bsth_c_line_config where line ='"+lineList.get(0).getId() +"'"
  924 + + "select max(id) from bsth_c_line_config where line = ?"
903 925 + ")";
904   - minfcsj= jdbcTemplate.queryForObject(sqlMinYysj, String.class);
  926 + minfcsj= jdbcTemplate.queryForObject(sqlMinYysj, objList.toArray(), String.class);
905 927 }
906 928 }
907 929 String[] minSjs = minfcsj.split(":");
908 930 int minSj=Integer.parseInt(minSjs[0])*60+Integer.parseInt(minSjs[1]);
  931 +
  932 + List<String> objList = new ArrayList<String>();
  933 + objList.add(ttinfo);
  934 + objList.add(minfcsj);
  935 + objList.add(ttinfo);
  936 + objList.add(minfcsj);
909 937 //查询时间里程
910 938 String sqlPc=" (SELECT jhlc,fcsj,bcsj,bc_type,lp,xl_dir,ists,2 as xh FROM "
911   - + " bsth_c_s_ttinfo_detail where ttinfo ='"+ttinfo+"' and "
912   - + " fcsj <='"+minfcsj+"' and bc_type!='ldks'"
  939 + + " bsth_c_s_ttinfo_detail where ttinfo = ? and "
  940 + + " fcsj <= ? and bc_type!='ldks'"
913 941 + " and bc_type !='region' and bc_type !='venting' and bc_type !='major') "
914 942 + " union "
915 943 + " (SELECT jhlc,fcsj,bcsj,bc_type,lp,xl_dir,ists,1 as xh FROM "
916   - + " bsth_c_s_ttinfo_detail where ttinfo ='"+ttinfo+"' and "
917   - + " fcsj > '"+minfcsj+"' and bc_type!='ldks' "
  944 + + " bsth_c_s_ttinfo_detail where ttinfo = ? and "
  945 + + " fcsj > ? and bc_type!='ldks' "
918 946 + " and bc_type !='region' and bc_type !='venting' and bc_type !='major') "
919 947 + " order by xh, lp,fcsj";
920 948 Map<String, Object> map=new HashMap<String,Object>();
921   - List<Map<String, Object>> list= jdbcTemplate.query(sqlPc,
  949 + List<Map<String, Object>> list= jdbcTemplate.query(sqlPc, objList.toArray(),
922 950 new RowMapper<Map<String, Object>>(){
923 951 @Override
924 952 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
... ... @@ -1629,15 +1657,17 @@ public class ReportServiceImpl implements ReportService{
1629 1657 List<Map<String, Object>> list = new ArrayList<Map<String, Object>>();
1630 1658 String line = map.get("line").toString();
1631 1659 try {
1632   - String sql = "select tt.id, tt.name from bsth_c_s_ttinfo tt "
1633   - + "left join bsth_c_line cl on cl.id = tt.xl "
  1660 + List<String> objList = new ArrayList<String>();
  1661 + String sql = "select tt.id, tt.name from bsth_c_s_ttinfo tt"
  1662 + + " left join bsth_c_line cl on cl.id = tt.xl"
1634 1663 + " where tt.is_cancel = 0 and tt.is_enable_dis_template = 1";
1635 1664 if(line.length() != 0){
1636   - sql += " and cl.line_code = '"+line+"'";
  1665 + sql += " and cl.line_code = ?";
  1666 + objList.add(line);
1637 1667 }
1638 1668 sql += " order by tt.create_date desc";
1639 1669  
1640   - list = jdbcTemplate.query(sql,
  1670 + list = jdbcTemplate.query(sql, objList.toArray(),
1641 1671 new RowMapper<Map<String, Object>>(){
1642 1672 @Override
1643 1673 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
... ... @@ -1654,81 +1684,6 @@ public class ReportServiceImpl implements ReportService{
1654 1684 return list;
1655 1685 }
1656 1686  
1657   - private List<ScheduleRealInfo> getListSinfo(Map<String, Object> map){
1658   - List<ScheduleRealInfo> list =new ArrayList<ScheduleRealInfo>();
1659   -
1660   - String sql="select DISTINCT a.* from (select * from bsth_c_s_sp_info_real where 1=1 ";
1661   - if(map.get("date")!=null){
1662   - sql += " and schedule_date_str='"+map.get("date").toString()+"'";
1663   - }
1664   - if(map.get("line")!=null){
1665   - if(map.get("line").toString()!=""){
1666   - sql += " and xl_bm='"+map.get("line").toString()+"'";
1667   - }
1668   -
1669   - }
1670   - if(map.get("bcType")!=null){
1671   - if(map.get("bcType").toString().equals("inout")){
1672   - sql += " and bc_type in ('in','out')";
1673   - }
1674   -
1675   - if(map.get("bcType").toString().equals("normal")){
1676   - sql += " and bc_type not in ('in','out')";
1677   - }
1678   - }
1679   -
1680   - sql += " )a left join bsth_c_s_child_task b on a.id=b.schedule";
1681   - list= jdbcTemplate.query(sql,
1682   - new RowMapper<ScheduleRealInfo>(){
1683   - @Override
1684   - public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
1685   - ScheduleRealInfo m=new ScheduleRealInfo();
1686   - m.setId(rs.getLong("id"));
1687   -// m.setBcs();
1688   -// m.setBcsj();
1689   - m.setClZbh(rs.getString("cl_zbh"));
1690   - m.setFcsj(rs.getString("fcsj"));
1691   - m.setFcsjActual(rs.getString("fcsj_actual"));
1692   - m.setjGh(rs.getString("j_gh"));
1693   - m.setjName(rs.getString("j_name"));
1694   - m.setJhlc(rs.getDouble("jhlc"));
1695   - m.setLpName(rs.getString("lp_name"));
1696   - m.setQdzCode(rs.getString("qdz_code"));
1697   - m.setQdzName(rs.getString("qdz_name"));
1698   - m.setRealExecDate(rs.getString("real_exec_date"));
1699   - m.setRealMileage(rs.getDouble("real_mileage"));
1700   - m.setRemarks(rs.getString("remarks"));
1701   - m.setsGh(rs.getString("s_gh"));
1702   - m.setsName(rs.getString("s_name"));
1703   - m.setScheduleDate(rs.getDate("schedule_date"));
1704   - m.setScheduleDateStr(rs.getString("schedule_date_str"));
1705   - m.setSflj(rs.getBoolean("sflj"));
1706   - m.setSpId(rs.getLong("sp_id"));
1707   - m.setStatus(rs.getInt("status"));
1708   - m.setXlBm(rs.getString("xl_bm"));
1709   - m.setXlDir(rs.getString("xl_dir"));
1710   - m.setXlName(rs.getString("xl_name"));
1711   - m.setZdsj(rs.getString("zdsj"));
1712   - m.setZdsjActual(rs.getString("zdsj_actual"));
1713   - m.setZdzCode(rs.getString("zdz_code"));
1714   - m.setZdzName(rs.getString("zdz_name"));
1715   - m.setCcno(rs.getInt("ccno"));
1716   - m.setDfAuto(rs.getBoolean("df_auto"));
1717   - m.setFgsBm(rs.getString("fgs_bm"));
1718   - m.setFgsName(rs.getString("fgs_name"));
1719   - m.setGsBm(rs.getString("gs_bm"));
1720   - m.setGsName(rs.getString("gs_name"));
1721   - m.setOnline(rs.getBoolean("online"));
1722   - m.setAdjustExps(rs.getString("adjust_exps"));
1723   - m.setReissue(rs.getBoolean("reissue"));
1724   - m.setJhlcOrig(rs.getDouble("jhlc_orig"));
1725   - return m;
1726   - }
1727   - });
1728   -
1729   - return list;
1730   - }
1731   -
1732 1687 @Override
1733 1688 public List<Map<String, Object>> jobFwqk(Map<String, Object> map) {
1734 1689 // TODO Auto-generated method stub
... ... @@ -2202,22 +2157,6 @@ public class ReportServiceImpl implements ReportService{
2202 2157 Date dates2=cal.getTime();
2203 2158 date2=dates2.getTime();
2204 2159 String d2=simpleDateFormat.format(dates2);
2205   - /*String sql="select *,UNIX_TIMESTAMP(times) as ts from bsth_c_arrival_info where times >= '"+d1 +"'and "
2206   - + " times <='"+d2+"' and line_id = '"+line+"' and up_down = '"+zd+"'"
2207   - + " order by device_id,times";
2208   -
2209   - list =jdbcTemplate.query(sql, new RowMapper<ArrivalInfo>() {
2210   - @Override
2211   - public ArrivalInfo mapRow(ResultSet arg0, int arg1) throws SQLException {
2212   - ArrivalInfo ai=new ArrivalInfo();
2213   - ai.setInOut(arg0.getInt("in_out"));
2214   - ai.setDeviceId(arg0.getString("device_id"));
2215   - ai.setStopNo(arg0.getString("stop_no"));
2216   - ai.setDates(arg0.getDate("times"));
2217   - ai.setTs(arg0.getLong("ts")*1000);
2218   - return ai;
2219   - }
2220   - });*/
2221 2160  
2222 2161 Connection conn = null;
2223 2162 PreparedStatement ps = null;
... ... @@ -2371,11 +2310,13 @@ public class ReportServiceImpl implements ReportService{
2371 2310 String minfcsj="02:00";
2372 2311 List<Line> lineList=lineRepository.findLineByCode(line);
2373 2312 if(lineList.size()>0){
  2313 + List<String> objList = new ArrayList<String>();
  2314 + objList.add(lineList.get(0).getId() + "");
2374 2315 String sqlMinYysj="select start_opt from bsth_c_line_config where "
2375 2316 + " id = ("
2376   - + "select max(id) from bsth_c_line_config where line ='"+lineList.get(0).getId() +"'"
  2317 + + "select max(id) from bsth_c_line_config where line = ?"
2377 2318 + ")";
2378   - minfcsj= jdbcTemplate.queryForObject(sqlMinYysj, String.class);
  2319 + minfcsj= jdbcTemplate.queryForObject(sqlMinYysj, objList.toArray(), String.class);
2379 2320 }
2380 2321 List<ArrivalInfo> arrInfoList=this.load4(line, date, zd,minfcsj);
2381 2322  
... ... @@ -2940,31 +2881,28 @@ public class ReportServiceImpl implements ReportService{
2940 2881 }
2941 2882 //所有班次信息
2942 2883 List<ScheduleRealInfo> list = new ArrayList<ScheduleRealInfo>();
2943   - line =line.trim();
2944   - List<Line> lineList=lineRepository.findLineBygsBm(gsdm, fgsdm, "");
2945   -// if(line.equals("")){
2946   -// //查询所有线路
2947   -// list = scheduleRealInfoRepository.scheduleByDateAndLineTj(line, date,date2,gsdm,fgsdm);
2948   -// }else{
2949   - //查询单条线路
2950   -// list = scheduleRealInfoRepository.scheduleByDateAndLineTj2(line, date,date2);
2951   -// }
2952   -
  2884 + line = line.trim();
2953 2885  
  2886 + List<String> objList = new ArrayList<String>();
  2887 + objList.add(date);
  2888 + objList.add(date2);
2954 2889 String sql="select r.xl_bm"
2955 2890 + " from bsth_c_s_sp_info_real r where"
2956   - + " r.schedule_date_str >= '"+date+"' and r.schedule_date_str >= '"+date2+"'";
  2891 + + " r.schedule_date_str >= ? and r.schedule_date_str >= ?";
2957 2892  
2958 2893  
2959 2894 if(line.equals("")){
2960   - sql +="and r.gs_bm='"+gsdm+"' "
2961   - + " and r.fgs_bm='"+fgsdm+"'";
  2895 + sql +=" and r.gs_bm = ?"
  2896 + + " and r.fgs_bm = ?";
  2897 + objList.add(gsdm);
  2898 + objList.add(fgsdm);
2962 2899 }else{
2963   - sql += " and r.xl_bm = '"+line+"'";
  2900 + sql += " and r.xl_bm = ?";
  2901 + objList.add(line);
2964 2902 }
2965   - sql += " group by r.xl_bm";
  2903 + sql += " group by r.xl_bm";
2966 2904  
2967   - List<String> listLine=jdbcTemplate.query(sql, new RowMapper<String>() {
  2905 + List<String> listLine=jdbcTemplate.query(sql, objList.toArray(), new RowMapper<String>() {
2968 2906 @Override
2969 2907 public String mapRow(ResultSet arg0, int arg1) throws SQLException {
2970 2908 String ve = arg0.getString("xl_bm");
... ... @@ -3167,36 +3105,56 @@ public class ReportServiceImpl implements ReportService{
3167 3105 //查询单条线路
3168 3106 list = scheduleRealInfoRepository.scheduleByDateAndLineTj2(line, date,date2);
3169 3107 }
3170   - String ylbSql=" select * from bsth_c_ylb where rq BETWEEN '"+date+"' and '"+date2+"'";
  3108 +
  3109 + List<String> objList = new ArrayList<String>();
  3110 + objList.add(date);
  3111 + objList.add(date2);
  3112 + String ylbSql=" select * from bsth_c_ylb where rq BETWEEN ? and ?";
3171 3113 if(line.equals("")){
3172   - ylbSql +="and ssgsdm='"+gsdm+"' "
3173   - + " and fgsdm='"+fgsdm+"'";
  3114 + ylbSql +=" and ssgsdm = ?"
  3115 + + " and fgsdm = ?";
  3116 + objList.add(gsdm);
  3117 + objList.add(fgsdm);
3174 3118 }else{
3175   - ylbSql += " and xlbm = '"+line+"'";
  3119 + ylbSql += " and xlbm = ?";
  3120 + objList.add(line);
3176 3121 }
3177   - List<Ylb> ylbList=ylbList(ylbSql);
3178   - String dlbSql=" select * from bsth_c_dlb where rq BETWEEN '"+date+"' and '"+date2+"'";
  3122 + List<Ylb> ylbList = ylbList(ylbSql, objList);
  3123 +
  3124 + List<String> objList2 = new ArrayList<String>();
  3125 + objList2.add(date);
  3126 + objList2.add(date2);
  3127 + String dlbSql=" select * from bsth_c_dlb where rq BETWEEN ? and ?";
3179 3128 if(line.equals("")){
3180   - dlbSql +="and ssgsdm='"+gsdm+"' "
3181   - + " and fgsdm='"+fgsdm+"'";
  3129 + dlbSql +=" and ssgsdm = ?"
  3130 + + " and fgsdm = ?";
  3131 + objList2.add(gsdm);
  3132 + objList2.add(fgsdm);
3182 3133 }else{
3183   - dlbSql += " and xlbm = '"+line+"'";
  3134 + dlbSql += " and xlbm = ?";
  3135 + objList2.add(line);
3184 3136 }
3185   - List<Dlb> dlbList=dlbList(dlbSql);
  3137 + List<Dlb> dlbList=dlbList(dlbSql, objList2);
3186 3138 List<Map<String, Object>> listGroupBy =null;
3187 3139 String sql="";
3188 3140 if(zt.equals("zbh")){
  3141 + List<String> objList3 = new ArrayList<String>();
  3142 + objList3.add(date);
  3143 + objList3.add(date2);
3189 3144 sql+="select r.xl_bm,r.cl_zbh"
3190 3145 + " from bsth_c_s_sp_info_real r where"
3191   - + " r.schedule_date_str BETWEEN '"+date+"' and '"+date2+"'";
  3146 + + " r.schedule_date_str BETWEEN ? and ?";
3192 3147 if(line.equals("")){
3193   - sql +="and r.gs_bm='"+gsdm+"' "
3194   - + " and r.fgs_bm='"+fgsdm+"'";
  3148 + sql +=" and r.gs_bm = ?"
  3149 + + " and r.fgs_bm = ?";
  3150 + objList3.add(gsdm);
  3151 + objList3.add(fgsdm);
3195 3152 }else{
3196   - sql += " and r.xl_bm = '"+line+"'";
  3153 + sql += " and r.xl_bm = ?";
  3154 + objList3.add(line);
3197 3155 }
3198   - sql += " group by r.xl_bm,r.cl_zbh";
3199   - listGroupBy=jdbcTemplate.query(sql, new RowMapper<Map<String, Object>>() {
  3156 + sql += " group by r.xl_bm,r.cl_zbh";
  3157 + listGroupBy=jdbcTemplate.query(sql, objList3.toArray(), new RowMapper<Map<String, Object>>() {
3200 3158 @Override
3201 3159 public Map<String, Object> mapRow(ResultSet arg0, int arg1) throws SQLException {
3202 3160 Map<String, Object> map=new HashMap<String,Object>();
... ... @@ -3206,17 +3164,23 @@ public class ReportServiceImpl implements ReportService{
3206 3164 }
3207 3165 });
3208 3166 }else{
  3167 + List<String> objList4 = new ArrayList<String>();
  3168 + objList4.add(date);
  3169 + objList4.add(date2);
3209 3170 sql+="select r.xl_bm,r.cl_zbh,r.j_gh,r.s_gh"
3210 3171 + " from bsth_c_s_sp_info_real r where"
3211   - + " r.schedule_date_str BETWEEN '"+date+"' and '"+date2+"'";
  3172 + + " r.schedule_date_str BETWEEN ? and ?";
3212 3173 if(line.equals("")){
3213   - sql +="and r.gs_bm='"+gsdm+"' "
3214   - + " and r.fgs_bm='"+fgsdm+"'";
  3174 + sql +=" and r.gs_bm = ? "
  3175 + + " and r.fgs_bm = ?";
  3176 + objList4.add(gsdm);
  3177 + objList4.add(fgsdm);
3215 3178 }else{
3216   - sql += " and r.xl_bm = '"+line+"'";
  3179 + sql += " and r.xl_bm = ?";
  3180 + objList4.add(line);
3217 3181 }
3218   - sql += " group by r.xl_bm,r.cl_zbh,r.j_gh,r.s_gh";
3219   - listGroupBy=jdbcTemplate.query(sql, new RowMapper<Map<String, Object>>() {
  3182 + sql += " group by r.xl_bm,r.cl_zbh,r.j_gh,r.s_gh";
  3183 + listGroupBy=jdbcTemplate.query(sql, objList4.toArray(), new RowMapper<Map<String, Object>>() {
3220 3184 @Override
3221 3185 public Map<String, Object> mapRow(ResultSet arg0, int arg1) throws SQLException {
3222 3186 Map<String, Object> map=new HashMap<String,Object>();
... ... @@ -3231,8 +3195,6 @@ public class ReportServiceImpl implements ReportService{
3231 3195 });
3232 3196 }
3233 3197  
3234   -
3235   -
3236 3198  
3237 3199 for (int i = 0; i < listGroupBy.size(); i++) {
3238 3200 Map<String, Object> m=listGroupBy.get(i);
... ... @@ -3392,8 +3354,8 @@ public class ReportServiceImpl implements ReportService{
3392 3354 return lMap;
3393 3355 }
3394 3356  
3395   - public final List<Ylb> ylbList(String sql){
3396   - List<Ylb> ylbList= jdbcTemplate.query(sql, new RowMapper<Ylb>() {
  3357 + public final List<Ylb> ylbList(String sql, List<String> objList){
  3358 + List<Ylb> ylbList= jdbcTemplate.query(sql, objList.toArray(), new RowMapper<Ylb>() {
3397 3359 @Override
3398 3360 public Ylb mapRow(ResultSet arg0, int arg1) throws SQLException {
3399 3361 Ylb y = new Ylb();
... ... @@ -3411,8 +3373,8 @@ public class ReportServiceImpl implements ReportService{
3411 3373 return ylbList;
3412 3374 }
3413 3375  
3414   - public final List<Dlb> dlbList(String sql){
3415   - List<Dlb> dlbList= jdbcTemplate.query(sql, new RowMapper<Dlb>() {
  3376 + public final List<Dlb> dlbList(String sql, List<String> objList){
  3377 + List<Dlb> dlbList= jdbcTemplate.query(sql, objList.toArray(), new RowMapper<Dlb>() {
3416 3378 @Override
3417 3379 public Dlb mapRow(ResultSet arg0, int arg1) throws SQLException {
3418 3380 Dlb y = new Dlb();
... ... @@ -3562,15 +3524,19 @@ public class ReportServiceImpl implements ReportService{
3562 3524 }
3563 3525 SimpleDateFormat sdf=new SimpleDateFormat("yyyy-MM-dd HH:mm");
3564 3526 // Collections.sort(listInfo,new ComparableAcuals());
  3527 +
  3528 + List<String> objList = new ArrayList<String>();
3565 3529 //查询所有线路
3566 3530 String xlSql="select line_code,spac_grade from bsth_c_line ";
3567 3531 if(line.equals("")){
3568   - xlSql +=" where company ='"+gsbm+"'";
  3532 + xlSql +=" where company = ?";
  3533 + objList.add(gsbm);
3569 3534 }else{
3570   - xlSql +=" where line_code ='"+line+"'";
  3535 + xlSql +=" where line_code = ?";
  3536 + objList.add(line);
3571 3537 }
3572 3538  
3573   - List<Map<String, Object>> xlList=jdbcTemplate.query(xlSql, new RowMapper<Map<String, Object>>() {
  3539 + List<Map<String, Object>> xlList=jdbcTemplate.query(xlSql, objList.toArray(), new RowMapper<Map<String, Object>>() {
3574 3540 @Override
3575 3541 public Map<String, Object> mapRow(ResultSet arg0, int arg1) throws SQLException {
3576 3542 Map<String, Object> map=new HashMap<String,Object>();
... ... @@ -3815,10 +3781,14 @@ public class ReportServiceImpl implements ReportService{
3815 3781 String line =map.get("line").toString();
3816 3782 String date =map.get("date").toString();
3817 3783 String type =map.get("type").toString();
3818   - DecimalFormat df = new DecimalFormat("#0.00");
  3784 + DecimalFormat df = new DecimalFormat("#0.00");
  3785 +
  3786 + List<String> objList = new ArrayList<String>();
  3787 + objList.add(date);
  3788 + objList.add(line);
3819 3789 String sql="select cl_zbh from bsth_c_s_sp_info_real where "
3820   - + " schedule_date_str ='"+date+"' and xl_bm='"+line+"' group by cl_zbh";
3821   - List<String> list= jdbcTemplate.query(sql,
  3790 + + " schedule_date_str = ? and xl_bm = ? group by cl_zbh";
  3791 + List<String> list= jdbcTemplate.query(sql, objList.toArray(),
3822 3792 new RowMapper<String>(){
3823 3793 @Override
3824 3794 public String mapRow(ResultSet rs, int rowNum) throws SQLException {
... ... @@ -3954,23 +3924,29 @@ public class ReportServiceImpl implements ReportService{
3954 3924 List<Singledata> list=new ArrayList<Singledata>();
3955 3925 List<Singledata> list_=new ArrayList<Singledata>();
3956 3926 if(tjtype.equals("jsy")){
  3927 + List<String> objList = new ArrayList<String>();
  3928 + objList.add(startDate);
  3929 + objList.add(endDate);
3957 3930 //油统计
3958 3931 String sql="select r.j_gh, r.xl_bm,r.cl_zbh,r.fgs_bm"
3959 3932 + " from bsth_c_s_sp_info_real r where "
3960   - + " r.schedule_date_str >= '"+startDate+"'"
3961   - + " and r.schedule_date_str<='"+endDate+"'";
  3933 + + " r.schedule_date_str >= ?"
  3934 + + " and r.schedule_date_str <= ?";
3962 3935 if(xlbm.length() != 0){
3963   - sql += " and r.xl_bm = '"+xlbm+"'";
  3936 + sql += " and r.xl_bm = ?";
  3937 + objList.add(xlbm);
3964 3938 }
3965 3939 if(gsdm.length() != 0){
3966   - sql += " and r.gs_bm ='"+gsdm+"'";
  3940 + sql += " and r.gs_bm = ?";
  3941 + objList.add(gsdm);
3967 3942 }
3968 3943 if(fgsdm.length() != 0){
3969   - sql += " and r.fgs_bm ='"+fgsdm+"'";
  3944 + sql += " and r.fgs_bm = ?";
  3945 + objList.add(fgsdm);
3970 3946 }
3971   - sql += " group by r.j_gh,r.xl_bm,r.cl_zbh,r.fgs_bm order by r.xl_bm,r.cl_zbh";
  3947 + sql += " group by r.j_gh,r.xl_bm,r.cl_zbh,r.fgs_bm order by r.xl_bm,r.cl_zbh";
3972 3948  
3973   - list = jdbcTemplate.query(sql, new RowMapper<Singledata>() {
  3949 + list = jdbcTemplate.query(sql, objList.toArray(), new RowMapper<Singledata>() {
3974 3950 @Override
3975 3951 public Singledata mapRow(ResultSet arg0, int arg1) throws SQLException {
3976 3952 Singledata sin = new Singledata();
... ... @@ -3982,39 +3958,44 @@ public class ReportServiceImpl implements ReportService{
3982 3958 }
3983 3959 });
3984 3960  
3985   -
  3961 + List<String> objList2 = new ArrayList<String>();
  3962 + List<String> tempList2 = new ArrayList<String>();
  3963 + tempList2.add(startDate);
  3964 + tempList2.add(endDate);
3986 3965 String linesql="";
3987 3966 if(!xlbm.equals("")){
3988   - linesql +=" and xlbm ='"+xlbm+"' ";
  3967 + linesql +=" and xlbm = ?";
  3968 + tempList2.add(xlbm);
3989 3969 }
3990 3970 if(!gsdm.equals("")){
3991   - linesql +=" and ssgsdm ='"+gsdm+"' ";
  3971 + linesql +=" and ssgsdm = ?";
  3972 + tempList2.add(gsdm);
3992 3973 }
3993 3974 if(!fgsdm.equals("")){
3994   - linesql +=" and fgsdm ='"+fgsdm+"' ";
  3975 + linesql +=" and fgsdm = ?";
  3976 + tempList2.add(fgsdm);
  3977 + }
  3978 +
  3979 + for(int i = 0; i < 2; i++){ // sql中使用两次重复参数
  3980 + for(String s : tempList2){
  3981 + objList2.add(s);
  3982 + }
3995 3983 }
3996   - /*String nysql="SELECT id,xlbm,nbbm,jsy,jzl as jzl,yh as yh,sh as sh,fgsdm FROM bsth_c_ylb"
3997   - + " WHERE rq >= '"+startDate+"' and rq <='"+endDate+"'"
3998   - + linesql
3999   - + " union"
4000   - + " SELECT id,xlbm,nbbm,jsy,cdl as jzl,hd as yh,sh as sh,fgsdm FROM bsth_c_dlb"
4001   - + " WHERE rq = '"+startDate+"' and rq <='"+endDate+"'"
4002   - + linesql;*/
4003 3984  
4004 3985 String nysql="SELECT 'yh' as type,xlbm,nbbm,jsy,sum(jzl*1000)/1000 as jzl,"
4005 3986 + " sum(yh*1000)/1000 as yh,"
4006 3987 + " sum(sh*1000)/1000 as sh FROM "
4007   - + "bsth_c_ylb where rq>='"+startDate+"' "
4008   - + " and rq <='"+endDate+"' " +linesql
  3988 + + "bsth_c_ylb where rq >= ? "
  3989 + + " and rq <= ? " +linesql
4009 3990 + " group by xlbm ,nbbm,jsy "
4010 3991 + " union SELECT 'dh' as type,xlbm,nbbm,jsy, "
4011 3992 + " sum(cdl*1000)/1000 as jzl,sum(hd*1000)/1000 as yh,"
4012 3993 + " sum(sh * 1000) / 1000 AS sh"
4013   - + " FROM bsth_c_dlb where rq>='"+startDate+"' "
4014   - + " and rq <='"+endDate+"'" +linesql
  3994 + + " FROM bsth_c_dlb where rq >= ? "
  3995 + + " and rq <= ? " +linesql
4015 3996 + " group by xlbm ,nbbm,jsy" ;
4016 3997  
4017   - List<Singledata> listNy = jdbcTemplate.query(nysql, new RowMapper<Singledata>() {
  3998 + List<Singledata> listNy = jdbcTemplate.query(nysql, objList2.toArray(), new RowMapper<Singledata>() {
4018 3999 @Override
4019 4000 public Singledata mapRow(ResultSet arg0, int arg1) throws SQLException {
4020 4001 Singledata sin = new Singledata();
... ... @@ -4141,25 +4122,31 @@ public class ReportServiceImpl implements ReportService{
4141 4122  
4142 4123 }
4143 4124 }else{
  4125 + List<String> objList3 = new ArrayList<String>();
  4126 + objList3.add(startDate);
  4127 + objList3.add(endDate);
4144 4128 String sql="select r.s_gh,r.s_name, "
4145 4129 + " r.xl_bm,r.cl_zbh,r.gs_bm,r.fgs_bm"
4146 4130 + " from bsth_c_s_sp_info_real r where "
4147   - + " r.schedule_date_str >= '"+startDate+"'"
4148   - + " schedule_date_str <='"+endDate+"'"
  4131 + + " r.schedule_date_str >= ?"
  4132 + + " schedule_date_str <= ?"
4149 4133 + " and r.s_gh !='' and r.s_gh is not null ";
4150 4134 if(!xlbm.equals("")){
4151   - sql += " and r.xl_bm = '"+xlbm+"'";
  4135 + sql += " and r.xl_bm = ?";
  4136 + objList3.add(xlbm);
4152 4137 }
4153 4138 if(!gsdm.equals("")){
4154   - sql += " and r.gs_bm = '"+gsdm+"'";
  4139 + sql += " and r.gs_bm = ?";
  4140 + objList3.add(gsdm);
4155 4141 }
4156 4142 if(!fgsdm.equals("")){
4157   - sql += " and r.fgs_bm = '"+fgsdm+"'";
  4143 + sql += " and r.fgs_bm = ?";
  4144 + objList3.add(fgsdm);
4158 4145 }
4159   - sql += " group by r.s_gh,r.s_name,"
  4146 + sql += " group by r.s_gh,r.s_name,"
4160 4147 + " r.xl_bm,r.cl_zbh,r.gs_bm,r.fgs_bm order by r.xl_bm,r.cl_zbh";
4161 4148  
4162   - list = jdbcTemplate.query(sql, new RowMapper<Singledata>() {
  4149 + list = jdbcTemplate.query(sql, objList3.toArray(), new RowMapper<Singledata>() {
4163 4150 //SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
4164 4151 @Override
4165 4152 public Singledata mapRow(ResultSet arg0, int arg1) throws SQLException {
... ... @@ -4237,29 +4224,9 @@ public class ReportServiceImpl implements ReportService{
4237 4224 }
4238 4225 }
4239 4226  
4240   - /*Map<String, Boolean> lineNature = lineService.lineNature();
4241   - List<Singledata> resList = new ArrayList<Singledata>();
4242   - for(Singledata s : list_){
4243   - String xlBm = s.getxL();
4244   - if(sfyy.length() != 0){
4245   - if(sfyy.equals("0")){
4246   - resList.add(s);
4247   - } else if(sfyy.equals("1")){
4248   - if(lineNature.containsKey(xlBm) && lineNature.get(xlBm)){
4249   - resList.add(s);
4250   - }
4251   - } else {
4252   - if(lineNature.containsKey(xlBm) && !lineNature.get(xlBm)){
4253   - resList.add(s);
4254   - }
4255   - }
4256   - } else {
4257   - resList.add(s);
4258   - }
4259   - }*/
4260 4227  
4261 4228  
4262   - if (type.equals("export")) {
  4229 + if (type.equals("export")) {
4263 4230 List<Iterator<?>> listI = new ArrayList<Iterator<?>>();
4264 4231 ReportUtils ee = new ReportUtils();
4265 4232  
... ... @@ -4340,22 +4307,27 @@ public class ReportServiceImpl implements ReportService{
4340 4307 listReal=scheduleRealInfoRepository.scheduleByDateAndLineQp(xlbm, date);
4341 4308 }
4342 4309  
  4310 + List<String> objList = new ArrayList<String>();
  4311 + objList.add(date);
4343 4312 String sql="select r.j_gh, r.xl_bm,r.cl_zbh,r.lp_name "
4344 4313 + " from bsth_c_s_sp_info_real r where "
4345   - + " r.schedule_date_str = '"+date+"'";
  4314 + + " r.schedule_date_str = ?";
4346 4315 if(xlbm.length() != 0){
4347   - sql += " and r.xl_bm = '"+xlbm+"'";
  4316 + sql += " and r.xl_bm = ?";
  4317 + objList.add(xlbm);
4348 4318 }
4349 4319 if(gsdm.length() != 0){
4350   - sql += " and r.gs_bm ='"+gsdm+"'";
  4320 + sql += " and r.gs_bm = ?";
  4321 + objList.add(gsdm);
4351 4322 }
4352 4323 if(fgsdm.length() != 0){
4353   - sql += " and r.fgs_bm ='"+fgsdm+"'";
  4324 + sql += " and r.fgs_bm = ?";
  4325 + objList.add(fgsdm);
4354 4326 }
4355   - sql += " group by r.j_gh,r.xl_bm,r.cl_zbh,r.lp_name order by r.xl_bm,r.cl_zbh,r.lp_name";
  4327 + sql += " group by r.j_gh,r.xl_bm,r.cl_zbh,r.lp_name order by r.xl_bm,r.cl_zbh,r.lp_name";
4356 4328  
4357 4329  
4358   - List<Map<String, Object>> list = jdbcTemplate.query(sql, new RowMapper<Map<String,Object>>() {
  4330 + List<Map<String, Object>> list = jdbcTemplate.query(sql, objList.toArray(), new RowMapper<Map<String,Object>>() {
4359 4331 @Override
4360 4332 public Map<String, Object> mapRow(ResultSet arg0, int arg1) throws SQLException {
4361 4333 Map<String, Object> m=new HashMap<String, Object>();
... ... @@ -4425,22 +4397,27 @@ public class ReportServiceImpl implements ReportService{
4425 4397 }
4426 4398 List<Map<String, Object>> listAll=new ArrayList<Map<String,Object>>();
4427 4399 if(energy.equals("1")){
  4400 + List<String> objList1 = new ArrayList<String>();
  4401 + objList1.add(date);
4428 4402 //油统计
4429 4403 String ylbSql="select ssgsdm,fgsdm,xlbm,nbbm,jsy,ifnull(lp,'') as lp,czlc,"
4430 4404 + " czyl,jzl,jzlc,jzyl,yh,sh,shyy,rylx,ns,zlc,linename,jname "
4431   - + " from bsth_c_ylb where rq='"+date+"'";
  4405 + + " from bsth_c_ylb where rq = ?";
4432 4406  
4433 4407 if(xlbm.length() != 0){
4434   - ylbSql += " and xlbm = '"+xlbm+"'";
  4408 + ylbSql += " and xlbm = ?";
  4409 + objList1.add(xlbm);
4435 4410 }
4436 4411 if(gsdm.length() != 0){
4437   - ylbSql += " and ssgsdm ='"+gsdm+"'";
  4412 + ylbSql += " and ssgsdm = ?";
  4413 + objList1.add(gsdm);
4438 4414 }
4439 4415 if(fgsdm.length() != 0){
4440   - ylbSql += " and fgsdm ='"+fgsdm+"'";
  4416 + ylbSql += " and fgsdm = ?";
  4417 + objList1.add(fgsdm);
4441 4418 }
4442 4419 ylbSql += " order by xlbm,nbbm,jcsx";
4443   - listAll = jdbcTemplate.query(ylbSql, new RowMapper<Map<String,Object>>() {
  4420 + listAll = jdbcTemplate.query(ylbSql, objList1.toArray(), new RowMapper<Map<String,Object>>() {
4444 4421 @Override
4445 4422 public Map<String, Object> mapRow(ResultSet arg0, int arg1) throws SQLException {
4446 4423 Map<String, Object> m=new HashMap<String, Object>();
... ... @@ -4476,21 +4453,26 @@ public class ReportServiceImpl implements ReportService{
4476 4453 });
4477 4454  
4478 4455 }else{
  4456 + List<String> objList2 = new ArrayList<String>();
  4457 + objList2.add(date);
4479 4458 //电统计
4480 4459 String dlbSql="select ssgsdm,fgsdm,xlbm,nbbm,jsy,ifnull(lp,'') as lp,czlc,"
4481 4460 + " czcd,cdl,jzlc,jzcd,hd,sh,shyy,ns,zlc,linename,jname "
4482   - + " from bsth_c_dlb where rq='"+date+"'";
  4461 + + " from bsth_c_dlb where rq = ?";
4483 4462 if(xlbm.length() != 0){
4484   - dlbSql += " and xlbm = '"+xlbm+"'";
  4463 + dlbSql += " and xlbm = ?";
  4464 + objList2.add(xlbm);
4485 4465 }
4486 4466 if(gsdm.length() != 0){
4487   - dlbSql += " and ssgsdm ='"+gsdm+"'";
  4467 + dlbSql += " and ssgsdm = ?";
  4468 + objList2.add(gsdm);
4488 4469 }
4489 4470 if(fgsdm.length() != 0){
4490   - dlbSql += " and fgsdm ='"+fgsdm+"'";
  4471 + dlbSql += " and fgsdm = ?";
  4472 + objList2.add(fgsdm);
4491 4473 }
4492 4474 dlbSql += " order by xlbm,nbbm,jcsx";
4493   - listAll = jdbcTemplate.query(dlbSql, new RowMapper<Map<String,Object>>() {
  4475 + listAll = jdbcTemplate.query(dlbSql, objList2.toArray(), new RowMapper<Map<String,Object>>() {
4494 4476 @Override
4495 4477 public Map<String, Object> mapRow(ResultSet arg0, int arg1) throws SQLException {
4496 4478 Map<String, Object> m=new HashMap<String, Object>();
... ...