Commit e2819b0595bec364804a77d0d20fbac67319c287

Authored by 娄高锋
1 parent def55653

改掉sql拼接(sql注入漏洞)。

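--- a/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
+++ b/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
@@ -46,18 +46,27 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 List<ScheduleRealInfo> list = new ArrayList<ScheduleRealInfo>();
 
 try {
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = ?";
+objList.add(date);
 
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 sql += " order by gs_bm, fgs_bm, xl_bm";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -193,17 +202,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
-
-String sql = "select * from bsth_c_s_sp_info where schedule_date = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info where schedule_date = ?";
+objList.add(date);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<SchedulePlanInfo>(){
 @Override
 public SchedulePlanInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -609,19 +626,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
+List<String> objList = new ArrayList<String>();
 String sql = "select schedule_date_str,xl_name,bc_type,gs_name,fgs_name,fgs_bm,bcs,"
 +"fcno,fcsj,fcsj_actual,zdsj,zdsj_actual,bcsj,qdz_name,sp_id,cc_service"
-+" from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate
-+"' and schedule_date_str <= '"+endDate+"'";
++" from bsth_c_s_sp_info_real where schedule_date_str >= ?"
++" and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql += " and gs_bm = '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm = '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(Integer.valueOf(bcType) == 1){
@@ -630,6 +653,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 sql += " and bc_type = 'region'";
 }
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -923,19 +947,26 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(nbbm.length() != 0){
-sql += " and cl_zbh like '%"+nbbm+"%'";
+sql += " and cl_zbh like ?";
+objList.add("%" + nbbm + "%");
 }
 if(company.length() != 0){
-sql += " and gs_bm like '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm like '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(bcType.trim().equals("1")){
@@ -945,6 +976,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1214,20 +1246,28 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 isCancel = map.get("isCancel").toString().trim();
 }
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select tt.id, tt.name from bsth_c_s_ttinfo tt left join" +
 " (select tt_info from bsth_c_s_sp_info where 1=1";
-if(startDate.trim().length() > 0)
-sql += " and schedule_date >= '"+startDate+"'";
-if(endDate.trim().length() > 0)
-sql += " and schedule_date <= '"+endDate+"'";
+
+if(startDate.trim().length() > 0){
+sql += " and schedule_date >= ?";
+objList.add(startDate);
+}
+if(endDate.trim().length() > 0){
+sql += " and schedule_date <= ?";
+objList.add(endDate);
+}
 if(line.trim().length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 } else {
 return resList;
 }
 sql += " ) sp on sp.tt_info = tt.id where sp.tt_info is not null group by tt.id, tt.name";
 
 resList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1269,19 +1309,29 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 date = sdf.format(new Date());
 
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select a.schedule_date_str, a.real_exec_date, a.xl_name, a.fcsj, a.fcsj_actual, a.zdsj, a.zdsj_actual, a.qdz_name, a.zdz_name, a.xl_dir, a.status, a.gs_name, a.fgs_name,"
 + " a.xl_bm, a.fgs_bm, a.cc_service, (select start_opt from bsth_c_line_config where id ="
 + " (select max(id) from bsth_c_line_config where line = (select id from bsth_c_line where line_code = a.xl_bm))) start_opt"
-+ " from bsth_c_s_sp_info_real a where schedule_date_str = '"+date+"'"
++ " from bsth_c_s_sp_info_real a where schedule_date_str = ?"
 + " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and bc_type != 'region'";
-if(line.trim().length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+objList.add(date);
+
+if(line.trim().length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1541,19 +1591,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select a.schedule_date_str, a.real_exec_date, a.xl_bm, a.xl_name, a.fcsj, a.fcsj_actual, a.zdsj, a.zdsj_actual, a.qdz_name, a.zdz_name, a.xl_dir, a.status, a.gs_name, a.fgs_name,"
 + " a.fgs_bm, a.cc_service, a.remarks, a.adjust_exps, (select start_opt from bsth_c_line_config where id = "
 + " (select max(id) from bsth_c_line_config where line = (select id from bsth_c_line where line_code = a.xl_bm))) start_opt"
-+ " from bsth_c_s_sp_info_real a where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'"
++ " from bsth_c_s_sp_info_real a where schedule_date_str >= ? and schedule_date_str <= ?"
 + " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and bc_type != 'region'";
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+objList.add(startDate);
+objList.add(endDate);
+
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2159,24 +2220,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' ";
++ " WHERE schedule_date_str = ? ";
+objList.add(date);
+
 if(!line.equals("")){
-sql_ += " and xl_bm = '"+line+"'";
+sql_ += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql_ += " and gs_bm='"+company+"'";
+sql_ += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql_ += " and fgs_bm='"+subCompany+"'";
+sql_ += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as line_sch FROM ("+sql_+") AS r"
 + " order by r.gs_bm,r.fgs_bm,r.xl_bm,r.id ";
 
 List<Map<String, Object>> tempList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2381,14 +2448,18 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and xl_bm = '"+line+"'";
++ " WHERE schedule_date_str = ? and xl_bm = ?";
+objList.add(date);
+objList.add(line);
 
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as gh_sch FROM ("+sql_+") AS r"
 + " order by r.xl_name,r.id ";
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2586,14 +2657,17 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 if(map.get("type")!=null)
 type = map.get("type").toString().trim();
 
-String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and j_gh = '"+jgh+"'";
+List<String> objList = new ArrayList<String>();
+String sql_ = "select * from bsth_c_s_sp_info_real "
++ " WHERE schedule_date_str = ? and j_gh = ?";
+objList.add(date);
+objList.add(jgh);
 
 if(!line.equals("")){
-sql_ +=" and xl_bm = '"+line+"'";
+sql_ +=" and xl_bm = ?";
+objList.add(line);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.fcsj,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,"
 + " r.fcsj,d. TIMESTAMP,d.reply46,d.reply47,d.reply46time,d.reply47time,"
 + " r.gs_name,r.fgs_name FROM ("+sql_+") "
@@ -2602,6 +2676,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {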
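Review bot: The `like ?` binding at new line 961 (hunk `@@ -923,19 +947,26 @@`) closes the string-concatenation injection but still lets `%` and `_` inside `nbbm` act as LIKE metacharacters, so the filter can match far more than the literal vehicle number the caller supplied; escape them and declare the escape character, e.g. `sql += " and cl_zbh like ? escape '!'";` with `objList.add("%" + nbbm.replace("!", "!!").replace("%", "!%").replace("_", "!_") + "%");`. The same trio of optional `xl_bm`/`gs_bm`/`fgs_bm` clauses, each followed by its `objList.add`, is now copied into most hunks of this file, and the only thing keeping the `?` count and the argument list aligned is that every copy was edited by hand — a private helper that appends the clause and the argument together makes that alignment structural (sketch below, applied to the first hunk; the column name must stay a literal in the code, never a request value, because it is written into the statement text rather than bound). Where `sql_` is spliced into the outer `sql` (new lines 2242, 2458 and 2673) the binding order additionally relies on the placeholders of `sql_` preceding any placeholder later added to `sql`, so a one-line comment such as `// placeholders of sql_ bind first: keep objList in the same order` at those sites would protect the next edit. Each hunk's enclosing method starts and ends outside the hunk.
```java
// … unchanged: method signature, list declaration, try { …
List<Object> objList = new ArrayList<Object>();
String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = ?";
objList.add(date);
sql = andEq(sql, objList, "xl_bm", line);
sql = andEq(sql, objList, "gs_bm", company);
sql = andEq(sql, objList, "fgs_bm", subCompany);
// … unchanged: order by, jdbcTemplate.query(sql, objList.toArray(), …) …

/**
 * Appends " and <column> = ?" to sql and binds value when value is non-empty.
 * column must be a literal from this class, never request input: it becomes
 * part of the statement text, only value is bound as a parameter.
 */
private static String andEq(String sql, List<Object> args, String column, String value) {
    if (value == null || value.length() == 0) {
        return sql;
    }
    args.add(value);
    return sql + " and " + column + " = ?";
}
```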