From 619626ae7ef85afc60c720fb309efb08b58b0cb7 Mon Sep 17 00:00:00 2001
From: 潘志宝 <979469083@qq.com>
Date: 星期一, 20 一月 2025 09:43:26 +0800
Subject: [PATCH] sqlInject2

---
 iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java | 10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java b/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
index e46e544..2ef1f30 100644
--- a/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
+++ b/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
@@ -2,6 +2,7 @@
 import com.iailab.framework.tenant.core.context.DataContextHolder;
 import com.iailab.module.data.common.utils.DateUtils;
+import com.iailab.module.data.common.xss.SQLFilter;
 import com.iailab.module.data.plan.data.entity.PlanDataSetEntity;
 import com.iailab.module.data.plan.data.service.PlanDataSetService;
 import com.iailab.module.data.plan.item.entity.PlanItemEntity;
@@ -44,6 +45,7 @@
 return null;
 }
 Map<String, Object> params = getSqlParams(dataSet, startTime, endTime);
+ SQLFilter.sqlInject2(dataSet.getQuerySql());
 DataContextHolder.setDataSourceId(Long.valueOf(dataSet.getDataSource()));
 List<PlanItemDataVO> dataList = planItemService.getSourceValue(params);
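Review bot: The result of `SQLFilter.sqlInject2(dataSet.getQuerySql())` is discarded, so this guard only works if sqlInject2 signals a hit by throwing; if it instead returns a cleaned string, the unfiltered query text still reaches `planItemService.getSourceValue(params)` two lines later. Please confirm that contract and either document it at the call site, e.g. `// throws on blacklisted SQL keywords in the stored query; nothing is sanitized in place`, or keep the result with `dataSet.setQuerySql(SQLFilter.sqlInject2(dataSet.getQuerySql()));`. A keyword blacklist over a stored SQL string is defence in depth at best, so the data set's query text should also be validated where it is written, not only here before execution. Note that `whereSql` inside `params` is assembled by concatenation elsewhere and is not passed through this filter, which is acceptable only while its inputs stay formatter output. The enclosing method starts and ends outside this hunk.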
@@ -93,10 +95,12 @@
 StringBuilder whereSql = new StringBuilder();
 String startStr = DateUtils.format(startTime, DateUtils.DATE_NUMBER_PATTERN);
 String endStr = DateUtils.format(endTime, DateUtils.DATE_NUMBER_PATTERN);
- whereSql.append(" plan_t.start_time <= ")
+ whereSql.append(" plan_t.start_time <= '")
 .append(endStr)
- .append(" and plan_t.end_time >= ")
- .append(startStr);
+ .append("'")
+ .append(" and plan_t.end_time >= '")
+ .append(startStr)
+ .append("'");
 params.put("whereSql", whereSql.toString());
 return params;
 }
-- Gitblit v1.9.3
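Review bot: Quoting `startStr` and `endStr` still leaves `whereSql` as a SQL fragment built by string concatenation and handed downstream through `params.put("whereSql", ...)`; it is safe only because both values are produced by `DateUtils.format(...)` from Date objects rather than taken from a request, and that precondition is stated nowhere in the method. Prefer passing the two values as separate parameters, `params.put("startTime", startStr); params.put("endTime", endStr);`, and binding them in the mapper with `#{startTime}`/`#{endTime}` so only the static operators remain in the fragment. If the mapper cannot change, at least pin the invariant above the builder: `// whereSql is interpolated verbatim downstream; append only formatter output here, never caller-supplied values`. Wrapping the values in quotes also turns the comparison against `plan_t.start_time`/`plan_t.end_time` into a string-literal comparison, which is correct only if the column type and DATE_NUMBER_PATTERN agree, and neither is visible here. The enclosing `getSqlParams` starts outside this hunk.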