miemie 7 years ago
parent
commit
4a286f5917

+ 3 - 3
mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/metadata/TableFieldInfo.java

@@ -252,7 +252,7 @@ public class TableFieldInfo {
      * @return sql 脚本片段
      */
     public String getInsertSqlProperty() {
-        String sqlScript = SqlScriptUtils.HASH_LEFT_BRACE + el + StringPool.RIGHT_BRACE + StringPool.COMMA;
+        String sqlScript = SqlScriptUtils.safeParam(el) + StringPool.COMMA;
         if (fieldFill == FieldFill.INSERT || fieldFill == FieldFill.INSERT_UPDATE) {
             return sqlScript;
         }
@@ -287,7 +287,7 @@ public class TableFieldInfo {
         if (StringUtils.isNotEmpty(update)) {
             sqlSet += String.format(update, column);
         } else {
-            sqlSet += ("#{" + newPrefix + el + "}");
+            sqlSet += SqlScriptUtils.safeParam(newPrefix + el);
         }
         sqlSet += StringPool.COMMA;
         if (fieldFill == FieldFill.UPDATE || fieldFill == FieldFill.INSERT_UPDATE) {
@@ -318,7 +318,7 @@ public class TableFieldInfo {
      * @param property  字段名
      * @return if 脚本片段
      */
-    private String convertIf(String sqlScript, String property) {
+    private String convertIf(final String sqlScript, final String property) {
         if (fieldStrategy == FieldStrategy.IGNORED) {
             return sqlScript;
         }

+ 2 - 4
mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/metadata/TableInfo.java

@@ -208,8 +208,7 @@ public class TableInfo {
             if (idType == IdType.AUTO) {
                 return "";
             }
-            return SqlScriptUtils.HASH_LEFT_BRACE + keyProperty + StringPool.RIGHT_BRACE +
-                StringPool.COMMA + StringPool.NEWLINE;
+            return SqlScriptUtils.safeParam(keyProperty) + StringPool.COMMA + StringPool.NEWLINE;
         }
         return "";
     }
@@ -278,8 +277,7 @@ public class TableInfo {
             return filedSqlScript;
         }
         String newKeyProperty = newPrefix + keyProperty;
-        String keySqlScript = keyColumn + StringPool.EQUALS +
-            SqlScriptUtils.HASH_LEFT_BRACE + newKeyProperty + StringPool.RIGHT_BRACE;
+        String keySqlScript = keyColumn + StringPool.EQUALS + SqlScriptUtils.safeParam(newKeyProperty);
         return SqlScriptUtils.convertIf(keySqlScript, String.format("%s != null", newKeyProperty), false) +
             StringPool.NEWLINE + filedSqlScript;
     }
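Review bot: The rewritten line `String keySqlScript = keyColumn + StringPool.EQUALS + SqlScriptUtils.safeParam(newKeyProperty);` inlines `keyColumn` verbatim into the statement text while only the value side becomes a `#{}` placeholder, and nothing on the line says why that asymmetry is acceptable. A one-line comment such as `// keyColumn is a column identifier taken from the mapped entity's metadata (not request data); only the value is bound as a #{} parameter` would make the trust boundary explicit for the next maintainer, assuming that is indeed where `keyColumn` comes from. The same remark applies to the unchanged `sqlSet += String.format(update, column);` in TableFieldInfo, where `update` is a caller-supplied template. The enclosing method of this hunk begins before the hunk starts.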

+ 27 - 7
mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlScriptUtils.java

@@ -31,7 +31,7 @@ public final class SqlScriptUtils {
     /**
      * 脚本符号: #{
      */
-    public static final String HASH_LEFT_BRACE = StringPool.HASH + StringPool.LEFT_BRACE;
+    private static final String HASH_LEFT_BRACE = StringPool.HASH + StringPool.LEFT_BRACE;
 
     private SqlScriptUtils() {
         // ignore
@@ -65,8 +65,8 @@ public final class SqlScriptUtils {
      * @param suffixOverrides 干掉最后一个...
      * @return trim 脚本
      */
-    public static String convertTrim(String sqlScript, String prefix, String suffix, String prefixOverrides,
-                                     String suffixOverrides) {
+    public static String convertTrim(final String sqlScript, final String prefix, final String suffix,
+                                     final String prefixOverrides, final String suffixOverrides) {
         StringBuilder sb = new StringBuilder("<trim");
         if (StringUtils.isNotEmpty(prefix)) {
             sb.append(StringPool.SPACE).append("prefix=\"").append(prefix).append(StringPool.QUOTE);
@@ -91,7 +91,7 @@ public final class SqlScriptUtils {
      * @param otherwise otherwise 内容
      * @return choose 脚本
      */
-    public static String convertChoose(String whenTest, String whenSqlScript, String otherwise) {
+    public static String convertChoose(final String whenTest, final String whenSqlScript, final String otherwise) {
         return "<choose>" + StringPool.NEWLINE +
             "<when test=\"" + whenTest + StringPool.QUOTE + StringPool.RIGHT_CHEV + StringPool.NEWLINE +
             whenSqlScript + StringPool.NEWLINE + "</when>" + StringPool.NEWLINE +
@@ -109,8 +109,8 @@ public final class SqlScriptUtils {
      * @param separator  separator
      * @return foreach 脚本
      */
-    public static String convertForeach(String sqlScript, String collection, String index, String item,
-                                        String separator) {
+    public static String convertForeach(final String sqlScript, final String collection, final String index,
+                                        final String item, final String separator) {
         StringBuilder sb = new StringBuilder("<foreach");
         if (StringUtils.isNotEmpty(collection)) {
             sb.append(StringPool.SPACE).append("collection=\"").append(collection).append(StringPool.QUOTE);
@@ -134,7 +134,27 @@ public final class SqlScriptUtils {
      * @param sqlScript where 内部的 sql 脚本
      * @return where 脚本
      */
-    public static String convertWhere(String sqlScript) {
+    public static String convertWhere(final String sqlScript) {
         return "<where>" + StringPool.NEWLINE + sqlScript + StringPool.NEWLINE + "</where>";
     }
+
+    /**
+     * 安全入参:  #{入参}
+     *
+     * @param param 入参
+     * @return 脚本
+     */
+    public static String safeParam(final String param) {
+        return HASH_LEFT_BRACE + param + StringPool.RIGHT_BRACE;
+    }
+
+    /**
+     * 非安全入参:  ${入参}
+     *
+     * @param param 入参
+     * @return 脚本
+     */
+    public static String unSafeParam(final String param) {
+        return StringPool.DOLLAR_LEFT_BRACE + param + StringPool.RIGHT_BRACE;
+    }
 }
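Review bot: Changing `HASH_LEFT_BRACE` from `public` to `private` in the first hunk is a source- and binary-incompatible change for any downstream code that referenced the constant; if that cannot be ruled out, keep it public with `@Deprecated` for one release and point users to `safeParam`. The Javadoc on `safeParam` and `unSafeParam` should state what "safe" means rather than just echoing the output, e.g. for `safeParam`: `Wraps {@code param} as a MyBatis {@code #{...}} placeholder, which is bound as a prepared-statement parameter and therefore cannot alter the SQL text.` and for `unSafeParam`: `Wraps {@code param} as a {@code ${...}} substitution, which is spliced verbatim into the SQL; use only for trusted identifiers such as column or table names, never for request-supplied values.` Neither method guards against a null argument, so the placeholder would silently become the text `null`; `Objects.requireNonNull(param, "param")` at the top of each would surface that at the call site. Finally, `unSafeParam` would conventionally be spelled `unsafeParam`, and renaming it now is cheaper than after it has external callers.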