更安全的拼接sql

server/admin/generator/tpl_utils/utils.go

@@ -18,19 +18,22 @@ type genUtil struct{}
 
 // GetDbTablesQuery 查询库中的数据表
 func (gu genUtil) GetDbTablesQuery(db *gorm.DB, tableName string, tableComment string) *gorm.DB {
-	whereStr := ""
-	if tableName != "" {
-		whereStr += `and lower(table_name) like lower("%` + tableName + `%")`
-	}
-	if tableComment != "" {
-		whereStr += `and lower(table_comment) like lower("%` + tableComment + `%")`
-	}
-	query := db.Table("information_schema.tables").Where(
-		`table_schema = (SELECT database()) 
+	query := db.Table("information_schema.tables")
+
+	// whereStr := ""
+
+	query = query.Where(`table_schema = (SELECT database()) 
 			AND table_name NOT LIKE "qrtz_%" 
 			AND table_name NOT LIKE "gen_%" 
-			AND table_name NOT IN (select table_name from x_gen_table) ` + whereStr).Select(
-		"table_name, table_comment, create_time, update_time")
+			AND table_name NOT IN (select table_name from x_gen_table)`)
+	if tableName != "" {
+		query = query.Where(`lower(table_name) like lower(?)`, "%"+tableName+"%")
+	}
+	if tableComment != "" {
+		query = query.Where(`lower(table_comment) like lower(?)`, "%"+tableComment+"%")
+	}
+
+	query = query.Select("table_name, table_comment, create_time, update_time")
 	return query
 }