SqlKeyword类增加特殊字符清除逻辑

This commit is contained in:
smallchill 2024-04-26 00:25:22 +08:00
parent 5622c81a11
commit de41acdd51


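--- a/SqlKeyword.java
+++ b/SqlKeyword.java
@@ -138,11 +138,13 @@ public class SqlKeyword {
 */
 @SneakyThrows(SQLException.class)
 public static String filter(String param) {
-if (param == null) {
+// 清除特殊字符
+String cleaned = StringUtil.cleanIdentifier(param);
+if (cleaned == null) {
 return null;
 }
 // 将校验到的sql关键词替换为空字符串
-String sql = param.replaceAll(SQL_REGEX, StringPool.EMPTY);
+String sql = cleaned.replaceAll(SQL_REGEX, StringPool.EMPTY);
 // 二次校验避免双写绕过等情况出现
 if (match(sql)) {
 throw new SQLException(SQL_INJECTION_MESSAGE);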
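Review bot: The null contract of `filter` changes silently at the new `if (cleaned == null)` check: before this commit the method returned null only for a null `param`, but now it returns null whenever `StringUtil.cleanIdentifier` does, so if that helper (not visible here) yields null for input it cannot clean, a hostile or malformed identifier is turned into a null rather than rejected with the `SQLException` callers of this filter rely on. I would keep the original guard `if (param == null) { return null; }` ahead of the cleaning call and make a null result for a non-null input a rejection, `throw new SQLException(SQL_INJECTION_MESSAGE);`, or at minimum document the new null case in the method's Javadoc, which closes at the `*/` line just above the hunk and does not mention the cleaning step. The comment `// 清除特殊字符` would also be clearer as `// strip characters that are not valid in an identifier before keyword removal`, assuming that is what cleanIdentifier does. Note that stripping plus keyword removal plus re-match is still a denylist; an allowlist pattern for identifiers would be the stronger primary control, with this filter as defence in depth. The body of `filter` continues past the end of this hunk.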