防sql注入
parent
0834087b9b
commit
3212423620
|
@ -55,6 +55,8 @@ import java.util.ArrayList;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.regex.Matcher;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* 动态生成页面,需要后台配置自定义页数据
|
* 动态生成页面,需要后台配置自定义页数据
|
||||||
|
@ -378,8 +380,16 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
|
||||||
} catch (IOException e1) {
|
} catch (IOException e1) {
|
||||||
e1.printStackTrace();
|
e1.printStackTrace();
|
||||||
}
|
}
|
||||||
|
Map<String, Object> searchMap = BasicUtil.assemblyRequestMap();
|
||||||
|
searchMap.forEach((k,v)->{
|
||||||
|
//sql注入过滤
|
||||||
|
if(sqlFilter(v.toString())){
|
||||||
|
searchMap.put(k,"");
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
//查询数量
|
//查询数量
|
||||||
int count= contentBiz.getSearchCount(contentModel,fieldValueList,BasicUtil.assemblyRequestMap(),BasicUtil.getAppId(),categoryIds);
|
int count= contentBiz.getSearchCount(contentModel,fieldValueList,searchMap,BasicUtil.getAppId(),categoryIds);
|
||||||
int total = PageUtil.totalPage(count, size);
|
int total = PageUtil.totalPage(count, size);
|
||||||
|
|
||||||
int pageNo = BasicUtil.getInt(ParserUtil.PAGE_NO, 1);
|
int pageNo = BasicUtil.getInt(ParserUtil.PAGE_NO, 1);
|
||||||
|
@ -412,7 +422,6 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
|
||||||
page.setPreUrl(preUrl);
|
page.setPreUrl(preUrl);
|
||||||
page.setLastUrl(lastUrl);
|
page.setLastUrl(lastUrl);
|
||||||
map.put(ParserUtil.URL, BasicUtil.getUrl());
|
map.put(ParserUtil.URL, BasicUtil.getUrl());
|
||||||
Map<String, Object> searchMap = BasicUtil.assemblyRequestMap();
|
|
||||||
searchMap.put(ParserUtil.PAGE_NO, pageNo);
|
searchMap.put(ParserUtil.PAGE_NO, pageNo);
|
||||||
map.put(SEARCH, searchMap);
|
map.put(SEARCH, searchMap);
|
||||||
map.put(ParserUtil.PAGE, page);
|
map.put(ParserUtil.PAGE, page);
|
||||||
|
@ -420,6 +429,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
|
||||||
map.put(ParserUtil.IS_DO,false);
|
map.put(ParserUtil.IS_DO,false);
|
||||||
//设置动态请求的模块路径
|
//设置动态请求的模块路径
|
||||||
map.put(ParserUtil.MODEL_NAME, "mcms");
|
map.put(ParserUtil.MODEL_NAME, "mcms");
|
||||||
|
|
||||||
//解析后的内容
|
//解析后的内容
|
||||||
String content = "";
|
String content = "";
|
||||||
try {
|
try {
|
||||||
|
@ -437,6 +447,11 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
|
||||||
this.outString(response, content);
|
this.outString(response, content);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static boolean sqlFilter(String str){
|
||||||
|
Pattern pattern= Pattern.compile("\\b(and|exec|insert|select|drop|grant|alter|delete|update|count|chr|mid|master|truncate|char|declare|or)\\b|(\\*|;|\\+|'|%)");
|
||||||
|
Matcher matcher=pattern.matcher(str);
|
||||||
|
return matcher.find();
|
||||||
|
}
|
||||||
|
|
||||||
private Map get(String key, List<Map> fields) {
|
private Map get(String key, List<Map> fields) {
|
||||||
for (Map field : fields) {
|
for (Map field : fields) {
|
||||||
|
@ -472,4 +487,4 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
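Review bot: `sqlFilter` compiles its `Pattern` on every call and matches case-sensitively, so `SELECT`, `Drop` or `OR` pass straight through while lowercase `and`/`or` inside ordinary search text are rejected; hoist it to `private static final Pattern SQL_FILTER = Pattern.compile("\\b(and|exec|…|or)\\b|(\\*|;|\\+|'|%)", Pattern.CASE_INSENSITIVE);` and make the method `return str != null && SQL_FILTER.matcher(str).find();`. In the `searchMap.forEach` hunk, `v.toString()` throws on a null value and `put` mutates the map inside its own iteration (safe for `HashMap` when the key already exists, but the concrete type returned by `assemblyRequestMap()` is not visible here); `searchMap.replaceAll((k, v) -> v != null && sqlFilter(v.toString()) ? "" : v)` does the same replacement without either concern. Replacing a flagged value with `""` rather than dropping the key deserves a comment, because the mapper's `!=null` guards will still emit a `LIKE CONCAT("%","","%")` clause that matches every row. Now that the mapper binds values with `#{}`, this blocklist is defence-in-depth only, and its `'`, `%` and `+` branches will also reject legitimate titles such as `O'Brien` or `C++`, so consider whether it should blank values at all rather than just log the hit.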
@ -259,33 +259,33 @@
|
||||||
<where>
|
<where>
|
||||||
a.app_id = #{websiteId}
|
a.app_id = #{websiteId}
|
||||||
<if test="ids!=null and ids!=''">
|
<if test="ids!=null and ids!=''">
|
||||||
and FIND_IN_SET(content_category_id,'${ids}')
|
and FIND_IN_SET(content_category_id,#{ids})
|
||||||
</if>
|
</if>
|
||||||
<if test="map.content_title!=null">
|
<if test="map.content_title!=null">
|
||||||
and a.content_title like CONCAT("%",'${map.content_title}',"%")
|
and a.content_title like CONCAT("%",#{map.content_title},"%")
|
||||||
</if>
|
</if>
|
||||||
<if test="map.content_author!=null">
|
<if test="map.content_author!=null">
|
||||||
and a.content_author like CONCAT("%",'${map.content_author}',"%")
|
and a.content_author like CONCAT("%",#{map.content_author},"%")
|
||||||
</if>
|
</if>
|
||||||
<if test="map.content_source!=null">
|
<if test="map.content_source!=null">
|
||||||
and a.content_source like CONCAT("%",'${map.content_source}',"%")
|
and a.content_source like CONCAT("%",#{map.content_source},"%")
|
||||||
</if>
|
</if>
|
||||||
<if test="map.content_type!=null">
|
<if test="map.content_type!=null">
|
||||||
and a.content_type like CONCAT("%",'${map.content_type}',"%")
|
and a.content_type like CONCAT("%",#{map.content_type},"%")
|
||||||
</if>
|
</if>
|
||||||
<if test="map.content_description!=null">
|
<if test="map.content_description!=null">
|
||||||
and a.content_description like CONCAT("%",'${map.content_description}',"%")
|
and a.content_description like CONCAT("%",#{map.content_description},"%")
|
||||||
</if>
|
</if>
|
||||||
<if test="map.content_keyword!=null">
|
<if test="map.content_keyword!=null">
|
||||||
and a.content_keyword like CONCAT("%",'${map.content_keyword}',"%")
|
and a.content_keyword like CONCAT("%",#{map.content_keyword},"%")
|
||||||
</if>
|
</if>
|
||||||
<if test="map.content_details!=null">
|
<if test="map.content_details!=null">
|
||||||
and a.content_details like CONCAT("%",'${map.content_details}',"%")
|
and a.content_details like CONCAT("%",#{map.content_details},"%")
|
||||||
</if>
|
</if>
|
||||||
<if test="tableName!=null and tableName!='' and diyMap!=null">
|
<if test="tableName!=null and tableName!='' and diyMap!=null">
|
||||||
<foreach item="item" index="index" collection="diyList" open=""
|
<foreach item="item" index="index" collection="diyList" open=""
|
||||||
separator="" close="">
|
separator="" close="">
|
||||||
and d.${item.key} like CONCAT("%",'${item.value}',"%")
|
and d.${item.key} like CONCAT("%",#{item.value},"%")
|
||||||
</foreach>
|
</foreach>
|
||||||
</if>
|
</if>
|
||||||
</where>
|
</where>
|
||||||
|
@ -293,4 +293,4 @@
|
||||||
</select>
|
</select>
|
||||||
|
|
||||||
|
|
||||||
</mapper>
|
</mapper>
|
||||||
|
|
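Review bot: The `foreach` line still interpolates `d.${item.key}` into the column position, so the switch to `#{}` in this hunk does not cover it; a bound parameter cannot name a column, so `item.key` has to be validated in the Java code that builds `diyList` — ideally against the configured custom-field names, at minimum against `^[A-Za-z0-9_]+$` — and wrapped in MySQL backtick quotes in the mapper. The `#{}` rewrites close the injection but not wildcard control: a `%` or `_` in `content_title` and the other search fields still acts as a `LIKE` metacharacter, which is harmless for injection but worth a comment if exact matching was intended. `FIND_IN_SET(content_category_id,#{ids})` keeps the old semantics only if `ids` arrives as a comma-separated string, as the previous quoted `'${ids}'` form implied; the caller is outside this diff.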