SqlKeyword类增加特殊字符清除逻辑

This commit is contained in:
smallchill 2024-04-26 00:25:22 +08:00
parent 5622c81a11
commit de41acdd51

View File

@ -138,11 +138,13 @@ public class SqlKeyword {
*/
@SneakyThrows(SQLException.class)
public static String filter(String param) {
if (param == null) {
// 清除特殊字符
String cleaned = StringUtil.cleanIdentifier(param);
if (cleaned == null) {
return null;
}
// 将校验到的sql关键词替换为空字符串
String sql = param.replaceAll(SQL_REGEX, StringPool.EMPTY);
String sql = cleaned.replaceAll(SQL_REGEX, StringPool.EMPTY);
// 二次校验避免双写绕过等情况出现
if (match(sql)) {
throw new SQLException(SQL_INJECTION_MESSAGE);