排序优化，防sql注入

2e2cc04f · 季圣华 · 358ca73c · 2e2cc04f · 2e2cc04f
Commit 2e2cc04f authored Oct 18, 2021 by 季圣华
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java
@@ -559,7 +559,7 @@ public class MaterialController {
                idList = materialService.getListByParentId(categoryId);
            }
            List<MaterialVo4Unit> dataList = materialService.getListWithStock(depotId, idList, StringUtil.toNull(materialParam),
-                    column, order, (currentPage-1)*pageSize, pageSize);
+                    StringUtil.safeSqlParse(column), StringUtil.safeSqlParse(order), (currentPage-1)*pageSize, pageSize);
            int total = materialService.getListWithStockCount(depotId, idList, StringUtil.toNull(materialParam));
            MaterialVo4Unit materialVo4Unit= materialService.getTotalStockAndPrice(depotId, idList, StringUtil.toNull(materialParam));
            map.put("total", total);

--- a/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java
@@ -19,6 +19,13 @@ public class StringUtil {

    private static String DEFAULT_FORMAT = "yyyy-MM-dd HH:mm:ss";

+    public final static String regex = "'|#|%|;|--| and | and|and | or | or|or | not | not|not " +
+            "| use | use|use | insert | insert|insert | delete | delete|delete | update | update|update " +
+            "| select | select|select | count | count|count | group | group|group | union | union|union " +
+            "| create | create|create | drop | drop|drop | truncate | truncate|truncate | alter | alter|alter " +
+            "| grant | grant|grant | execute | execute|execute | exec | exec|exec | xp_cmdshell | xp_cmdshell|xp_cmdshell " +
+            "| call | call|call | declare | declare|declare | source | source|source | sql | sql|sql ";
+
    public static String filterNull(String str) {
        if (str == null) {
            return "";
@@ -266,6 +273,15 @@ public class StringUtil {
        }
    }

+    /**
+     * sql注入过滤，保障sql的安全执行
+     * @param originStr
+     * @return
+     */
+    public static String safeSqlParse(String originStr){
+        return originStr.replaceAll("(?i)" + regex, "");
+    }
+
    public static void main(String[] args) {
        int i = 10/3;
        System.out.println(i);