From de41acdd515089dab05e035022431db586c89541 Mon Sep 17 00:00:00 2001
From: smallchill
Date: Fri, 26 Apr 2024 00:25:22 +0800
Subject: [PATCH] =?UTF-8?q?:zap:=20SqlKeyword=E7=B1=BB=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E7=89=B9=E6=AE=8A=E5=AD=97=E7=AC=A6=E6=B8=85=E9=99=A4=E9=80=BB?=
 =?UTF-8?q?=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../java/org/springblade/core/mp/support/SqlKeyword.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java b/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
index bb8ca31..e3e6f28 100644
--- a/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
+++ b/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
@@ -138,11 +138,13 @@ public class SqlKeyword {
 */
 @SneakyThrows(SQLException.class)
 public static String filter(String param) {
- if (param == null) {
+ // 清除特殊字符
+ String cleaned = StringUtil.cleanIdentifier(param);
+ if (cleaned == null) {
 return null;
 }
 // 将校验到的sql关键词替换为空字符串
- String sql = param.replaceAll(SQL_REGEX, StringPool.EMPTY);
+ String sql = cleaned.replaceAll(SQL_REGEX, StringPool.EMPTY);
 // 二次校验,避免双写绕过等情况出现
 if (match(sql)) {
 throw new SQLException(SQL_INJECTION_MESSAGE);
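Review bot: The behaviour `filter` now depends on is not visible in the hunk — `StringUtil.cleanIdentifier(param)` decides what reaches the keyword regex, and the comment `// 清除特殊字符` does not say which characters are removed or whether a non-null input can come back as null, which would route callers into the `return null` branch where they previously received a string. I would replace that comment with `// Normalize to a plain identifier first so the keyword stripping below cannot be bypassed with separator characters; null only for null input — verify against StringUtil.cleanIdentifier`, and add one line to the method's Javadoc (its opening is above the hunk) stating the identifier character set the returned value is guaranteed to contain. If `cleanIdentifier` already enforces an allowlisted identifier format, the strip-then-rematch against `SQL_REGEX` is defence in depth rather than the primary control, and the documentation should say which step is authoritative so a later edit does not weaken the wrong one. The body of `filter` continues past the end of the hunk.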