更新模糊查询，自定义通配符

2021-03-11 10:59:12 +08:00
parent 841d8c511a
commit 83c354e4be
2 changed files with 23 additions and 2 deletions
--- a/hcframe-parent/hcframe-base/src/main/java/com/hcframe/base/common/utils/XssClass.java
+++ b/hcframe-parent/hcframe-base/src/main/java/com/hcframe/base/common/utils/XssClass.java
@@ -15,4 +15,16 @@ public class XssClass {
        }
        return false;
    }
+
+    public static boolean sqlInjLike(String str){
+        String injStr = "'|and|exec|insert|select|delete|update|"+
+                "count|*|chr|mid|master|truncate|char|declare|;|or|+|,|<script>";
+        String[] injStra = split(injStr,"|");
+        for (String s : injStra) {
+            if (str.contains(s)) {
+                return true;
+            }
+        }
+        return false;
+    }
 }
--- a/hcframe-parent/hcframe-base/src/main/java/com/hcframe/base/module/data/module/Condition.java
+++ b/hcframe-parent/hcframe-base/src/main/java/com/hcframe/base/module/data/module/Condition.java
@@ -266,8 +266,8 @@ public class Condition implements Serializable {
        }

        public ConditionBuilder like(String key, Object value) {
-            sqlCheck(value);
-            this.conditionSql += " " + key + " " + LIKE + " '%" + value + "%'";
+            sqlCheckLike(value);
+            this.conditionSql += " " + key + " " + LIKE + " '" + value + "'";
            return this;
        }

@@ -412,6 +412,15 @@ public class Condition implements Serializable {
            }
        }

+        public void sqlCheckLike(Object obj) {
+            if (this.flag) {
+                if (XssClass.sqlInjLike(obj.toString())) {
+                    logger.error("非法字符："+obj.toString());
+                    throw new ServiceException("value中含有非法字符，有注入风险！");
+                }
+            }
+        }
+
        public Condition build() {
            if (this.rrn != this.lrn) {
                logger.error("sql语法错误，请检查小括号是否都闭合");