From 619626ae7ef85afc60c720fb309efb08b58b0cb7 Mon Sep 17 00:00:00 2001
From: 潘志宝 <979469083@qq.com>
Date: 星期一, 20 一月 2025 09:43:26 +0800
Subject: [PATCH] sqlInject2

---
 iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java b/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
index e46e544..2ef1f30 100644
--- a/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
+++ b/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
@@ -2,6 +2,7 @@
 
 import com.iailab.framework.tenant.core.context.DataContextHolder;
 import com.iailab.module.data.common.utils.DateUtils;
+import com.iailab.module.data.common.xss.SQLFilter;
 import com.iailab.module.data.plan.data.entity.PlanDataSetEntity;
 import com.iailab.module.data.plan.data.service.PlanDataSetService;
 import com.iailab.module.data.plan.item.entity.PlanItemEntity;
@@ -44,6 +45,7 @@
             return null;
         }
         Map<String, Object> params = getSqlParams(dataSet, startTime, endTime);
+        SQLFilter.sqlInject2(dataSet.getQuerySql());
         DataContextHolder.setDataSourceId(Long.valueOf(dataSet.getDataSource()));
         List<PlanItemDataVO> dataList = planItemService.getSourceValue(params);
 
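Review bot: The result of `SQLFilter.sqlInject2(dataSet.getQuerySql())` on the added line is discarded, so the check only protects the following `planItemService.getSourceValue(params)` call if `sqlInject2` throws on a rejected query; if it instead returns a cleaned string, that string is lost and the original `dataSet.getQuerySql()` is still what the data source executes. This should be stated at the call site, e.g. `// sqlInject2 must throw on a disallowed query: its return value is intentionally unused`, or the call should be changed to use what it returns, whichever matches the helper's contract. Note also that the validated text is `dataSet.getQuerySql()` while what is passed on is `params`, built two lines earlier by `getSqlParams`; the link between the two is not visible in this hunk, so a reader cannot confirm from here that the checked string is the one executed. A blocklist-style filter over a whole SQL text is a weaker control than binding values through the mapper, so the helper should be treated as a backstop rather than the fix. The enclosing method starts and ends outside this hunk.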
@@ -93,10 +95,12 @@
         StringBuilder whereSql = new StringBuilder();
         String startStr = DateUtils.format(startTime, DateUtils.DATE_NUMBER_PATTERN);
         String endStr = DateUtils.format(endTime, DateUtils.DATE_NUMBER_PATTERN);
-        whereSql.append(" plan_t.start_time <= ")
+        whereSql.append(" plan_t.start_time <= '")
                 .append(endStr)
-                .append(" and plan_t.end_time >= ")
-                .append(startStr);
+                .append("'")
+                .append(" and plan_t.end_time >= '")
+                .append(startStr)
+                .append("'");
         params.put("whereSql", whereSql.toString());
         return params;
     }
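Review bot: The single quotes now wrapped around `endStr` and `startStr` are only safe because both values come from `DateUtils.format(..., DateUtils.DATE_NUMBER_PATTERN)` two lines above, so neither can contain a quote; that assumption should be written down so a later change to the pattern or to where the values come from does not silently reopen the string-built `whereSql`, e.g. `// startStr/endStr are DateUtils-formatted digits, never caller input, so literal quoting here cannot be broken out of`. If the mapper behind `getSourceValue` supports bound parameters, the stronger fix is to put `startStr` and `endStr` into `params` under their own keys and bind them, leaving only the fixed comparison text to be spliced into the statement. As written, the two `.append("'")` calls can also be folded into the neighbouring literals: `.append(endStr).append("' and plan_t.end_time >= '").append(startStr).append("'")`. `getSqlParams` begins outside this hunk.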

--
Gitblit v1.9.3