
test github issues/3670

hubin hace 3 años
padre
commit
5b89451c0a

+ 9 - 17
mybatis-plus/src/test/java/com/baomidou/mybatisplus/test/h2/H2UserTest.java

@@ -119,22 +119,6 @@ class H2UserTest extends BaseTest {
         }
     }
 
-//    @Test
-//    void testQueryWithParamInSelectStatement4Page() {
-//        Map<String, Object> param = new HashMap<>();
-//        String nameParam = "selectStmtParam";
-//        param.put("nameParam", nameParam);
-//        param.put("ageFrom", 1);
-//        param.put("ageTo", 100);
-//        Page<H2User> page = userService.queryWithParamInSelectStatememt4Page(param, new Page<H2User>(0, 10));
-//        Assert.assertNotNull(page.getRecords());
-//        for (H2User u : page.getRecords()) {
-//            Assert.assertEquals(nameParam, u.getName());
-//            Assert.assertNotNull(u.getId());
-//        }
-//        Assert.assertNotEquals(0, pagemySelectMaps.getTotal());
-//    }
-
     @Test
     @Order(10)
     void testSelectCountWithParamInSelectItems() {
@@ -409,7 +393,6 @@ class H2UserTest extends BaseTest {
         }
     }
 
-
     @Test
     @Order(31)
     void testSpaceCharacter() {
@@ -421,6 +404,15 @@ class H2UserTest extends BaseTest {
             .gt("age", 1).lt("age", 5))));
     }
 
+    @Test
+    @Order(32)
+    void testSqlInjectionByCustomSqlSegment() {
+        // Preparing: select * from h2user WHERE (name LIKE ?)
+        // Parameters: %y%%(String)
+        List<H2User> h2Users = userService.testCustomSqlSegment(new QueryWrapper<H2User>().like("name", "y%"));
+        Assertions.assertTrue(2 == h2Users.size());
+    }
+
     @Test
     void myQueryWithGroupByOrderBy() {
         userService.mySelectMaps().forEach(System.out::println);
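Review bot: `Assertions.assertTrue(2 == h2Users.size())` in the new testSqlInjectionByCustomSqlSegment only reports "expected true" when it fails; `Assertions.assertEquals(2, h2Users.size());` shows the actual row count, and the expected 2 depends on fixture rows that are not visible in this hunk. The method name promises an injection check, but the assertion only pins the count; the header comment already states the expected prepared SQL `select * from h2user WHERE (name LIKE ?)` with the `%y%%` value bound as a parameter, so the test should check something that would fail if the value were spliced in as text. Within the returned rows a cheap invariant is `h2Users.forEach(u -> Assertions.assertTrue(u.getName().contains("y")));`, and, if the wrapper exposes its rendered segment, asserting that it contains a `#{` placeholder rather than the literal `y%` would make the injection claim explicit.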

+ 5 - 12
mybatis-plus/src/test/java/com/baomidou/mybatisplus/test/h2/mapper/H2UserMapper.java

@@ -15,7 +15,9 @@
  */
 package com.baomidou.mybatisplus.test.h2.mapper;
 
+import com.baomidou.mybatisplus.core.conditions.Wrapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
+import com.baomidou.mybatisplus.core.toolkit.Constants;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import com.baomidou.mybatisplus.test.h2.entity.H2Addr;
 import com.baomidou.mybatisplus.test.h2.entity.H2User;
@@ -66,22 +68,13 @@ public interface H2UserMapper extends SuperMapper<H2User> {
     )
     int myInsertWithoutParam(H2User user1);
 
-
     @Select(" select test_id as testId, power(#{ageFrom},2), 'abc?zhazha', CAST(#{nameParam} AS VARCHAR) as name " +
         " from h2user " +
         " where age>#{ageFrom} and age<#{ageTo} ")
     List<H2User> selectUserWithParamInSelectStatememt(Map<String, Object> param);
 
-//    @Select(" select test_id as id, power(#{ageFrom},2), 'abc?zhazha', CAST(#{nameParam} AS VARCHAR) as name " +
-//        " from h2user " +
-//        " where age>#{ageFrom} and age<#{ageTo} ")
-//    List<H2User> selectUserWithParamInSelectStatememt4Page(Map<String, Object> param, Page<H2User> page);
-//
-//    @Select(" select test_id as id, power(${ageFrom},2) as age, '${nameParam}' as name " +
-//        " from h2user " +
-//        " where age>#{ageFrom} and age<#{ageTo} ")
-//    List<H2User> selectUserWithDollarParamInSelectStatememt4Page(Map<String, Object> param, Page<H2User> page);
-
+    @Select("select * from h2user ${ew.customSqlSegment}")
+    List<H2User> selectTestCustomSqlSegment(@Param(Constants.WRAPPER) Wrapper wrapper);
 
     @Select("select count(1) from (" +
         "select test_id as id, CAST(#{nameParam} AS VARCHAR) as name" +
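Review bot: The new `selectTestCustomSqlSegment(@Param(Constants.WRAPPER) Wrapper wrapper)` uses the raw type `Wrapper`; the entity is known, so it should be `Wrapper<H2User>`, and the same raw type appears on `testCustomSqlSegment` in IH2UserService.java and H2UserServiceImpl.java in this commit. `${ew.customSqlSegment}` is MyBatis text substitution, so the statement is only safe because the wrapper renders its values as bound parameters (the companion test's comment shows `name LIKE ?` with `%y%%` as the parameter); column names handed to the wrapper are, as far as I can tell, spliced in as written. A comment on the method would keep that contract visible, e.g. `// ${ew.customSqlSegment} is text substitution: values set through the wrapper are bound as ? parameters, column names are not, so never build them from untrusted input.`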
@@ -91,7 +84,7 @@ public interface H2UserMapper extends SuperMapper<H2User> {
     int selectCountWithParamInSelectItems(Map<String, Object> param);
 
     @Select("select age,name,count(age) from h2user group by age,name order by age")
-    List<Map<?,?>> mySelectMaps(IPage<H2User> page);
+    List<Map<?, ?>> mySelectMaps(IPage<H2User> page);
 
     @Select("call 1")
     @Options(statementType = StatementType.CALLABLE)

+ 3 - 0
mybatis-plus/src/test/java/com/baomidou/mybatisplus/test/h2/service/IH2UserService.java

@@ -15,6 +15,7 @@
  */
 package com.baomidou.mybatisplus.test.h2.service;
 
+import com.baomidou.mybatisplus.core.conditions.Wrapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.extension.service.IService;
 import com.baomidou.mybatisplus.test.h2.entity.H2User;
@@ -57,4 +58,6 @@ public interface IH2UserService extends IService<H2User> {
     void testSaveBatchNoTransactional1();
 
     void testSaveBatchNoTransactional2();
+
+    List<H2User> testCustomSqlSegment(Wrapper wrapper);
 }

+ 6 - 0
mybatis-plus/src/test/java/com/baomidou/mybatisplus/test/h2/service/impl/H2UserServiceImpl.java

@@ -15,6 +15,7 @@
  */
 package com.baomidou.mybatisplus.test.h2.service.impl;
 
+import com.baomidou.mybatisplus.core.conditions.Wrapper;
 import com.baomidou.mybatisplus.core.exceptions.MybatisPlusException;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.core.metadata.OrderItem;
@@ -134,4 +135,9 @@ public class H2UserServiceImpl extends ServiceImpl<H2UserMapper, H2User> impleme
         save(new H2User(1577431655447L, "testSaveBatchNoTransactional2"));
         saveBatch(Arrays.asList(new H2User("testSaveBatchNoTransactional2", 0), new H2User("testSaveBatchNoTransactional2", 0), new H2User(1577431655447L, "testSaveBatchNoTransactional2")), 1);
     }
+
+    @Override
+    public List<H2User> testCustomSqlSegment(Wrapper wrapper) {
+        return baseMapper.selectTestCustomSqlSegment(wrapper);
+    }
 }