From 619626ae7ef85afc60c720fb309efb08b58b0cb7 Mon Sep 17 00:00:00 2001
From: 潘志宝 <979469083@qq.com>
Date: 星期一, 20 一月 2025 09:43:26 +0800
Subject: [PATCH] sqlInject2

---
 iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java | 52 +++++++++++++++++++++++++++++++++++++---------------
 1 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java b/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
index e8f862b..2ef1f30 100644
--- a/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
+++ b/iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java
@@ -2,6 +2,7 @@
 import com.iailab.framework.tenant.core.context.DataContextHolder;
 import com.iailab.module.data.common.utils.DateUtils;
+import com.iailab.module.data.common.xss.SQLFilter;
 import com.iailab.module.data.plan.data.entity.PlanDataSetEntity;
 import com.iailab.module.data.plan.data.service.PlanDataSetService;
 import com.iailab.module.data.plan.item.entity.PlanItemEntity;
@@ -34,8 +35,6 @@
 public List<PlanItemValueVO> queryValue(String itemNo, Date startTime, Date endTime) {
 List<PlanItemValueVO> result = new ArrayList<>();
 PlanItemEntity itemEntity = planItemService.getInfoByNo(itemNo);
- Map<String, Object> params = new HashMap<String, Object>();
-
 PlanDataSetEntity dataSet = planDataSetService.get(itemEntity.getDataSet());
 if (dataSet == null) {
 log.warn("数据集不能为空");
@@ -45,24 +44,15 @@
 log.warn("数据源不能为空");
 return null;
 }
+ Map<String, Object> params = getSqlParams(dataSet, startTime, endTime);
+ SQLFilter.sqlInject2(dataSet.getQuerySql());
 DataContextHolder.setDataSourceId(Long.valueOf(dataSet.getDataSource()));
-
- params.put("selectSql", " plan_t.start_time, plan_t.end_time");
- params.put("viewSql", dataSet.getQuerySql());
- StringBuilder whereSql = new StringBuilder();
- String startStr = DateUtils.format(startTime, DateUtils.DATE_NUMBER_PATTERN);
- String endStr = DateUtils.format(endTime, DateUtils.DATE_NUMBER_PATTERN);
- whereSql.append(" plan_t.start_time <= " )
- .append(endStr)
- .append(" and plan_t.end_time >= ")
- .append(startStr);
- params.put("whereSql", whereSql.toString());
 List<PlanItemDataVO> dataList = planItemService.getSourceValue(params);
 Calendar calendar = Calendar.getInstance();
 calendar.setTime(startTime);
- int dataLength = (int)((endTime.getTime() - startTime.getTime()) / (1000 * 60)) + 1;
- for (int i = 0; i < dataLength; i ++) {
+ int dataLength = (int) ((endTime.getTime() - startTime.getTime()) / (1000 * 60)) + 1;
+ for (int i = 0; i < dataLength; i++) {
 PlanItemValueVO itemValue = new PlanItemValueVO();
 Date dataTime = calendar.getTime();
 itemValue.setDataTime(dataTime);
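Review bot: The new `SQLFilter.sqlInject2(dataSet.getQuerySql())` call discards its return value and runs after `getSqlParams` has already copied the raw `getQuerySql()` into `viewSql`, so it only protects this path if `sqlInject2` throws on a match; should it instead return a cleaned string, that result is never used. The same raw `viewSql` is assembled for the new `getSourceValue` in the last hunk, which does not call the filter at all, so the check belongs once inside `getSqlParams`, on the line before `params.put("viewSql", dataSet.getQuerySql());` (or as `params.put("viewSql", SQLFilter.sqlInject2(dataSet.getQuerySql()));` if it returns the string), so that both callers get it. Whatever `sqlInject2` checks, the configured query text is presumably spliced into the executed statement by the mapper rather than bound, so this is a filter over stored configuration and the access controls on who may edit `PlanDataSetEntity.querySql` remain the primary control. `queryValue` begins before this hunk.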
@@ -82,4 +72,36 @@
 }
 return result;
 }
+
+ public List<PlanItemDataVO> getSourceValue(String itemNo, Date startTime, Date endTime) {
+ PlanItemEntity itemEntity = planItemService.getInfoByNo(itemNo);
+ PlanDataSetEntity dataSet = planDataSetService.get(itemEntity.getDataSet());
+ if (dataSet == null) {
+ log.warn("数据集不能为空");
+ return null;
+ }
+ if (StringUtils.isEmpty(dataSet.getDataSource())) {
+ log.warn("数据源不能为空");
+ return null;
+ }
+ Map<String, Object> params = getSqlParams(dataSet, startTime, endTime);
+ return planItemService.getSourceValue(params);
+ }
+
+ private Map<String, Object> getSqlParams(PlanDataSetEntity dataSet, Date startTime, Date endTime) {
+ Map<String, Object> params = new HashMap<String, Object>();
+ params.put("selectSql", " plan_t.start_time, plan_t.end_time");
+ params.put("viewSql", dataSet.getQuerySql());
+ StringBuilder whereSql = new StringBuilder();
+ String startStr = DateUtils.format(startTime, DateUtils.DATE_NUMBER_PATTERN);
+ String endStr = DateUtils.format(endTime, DateUtils.DATE_NUMBER_PATTERN);
+ whereSql.append(" plan_t.start_time <= '")
+ .append(endStr)
+ .append("'")
+ .append(" and plan_t.end_time >= '")
+ .append(startStr)
+ .append("'");
+ params.put("whereSql", whereSql.toString());
+ return params;
+ }
 }
\ No newline at end of file
-- Gitblit v1.9.3
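Review bot: The new `getSourceValue` never calls `DataContextHolder.setDataSourceId(Long.valueOf(dataSet.getDataSource()))` before `planItemService.getSourceValue(params)`, whereas `queryValue` sets it on every call, so unless the service resolves the data source itself this query runs against whatever data source the thread context happens to hold; adding that line after the `StringUtils.isEmpty(dataSet.getDataSource())` check would align the two paths. `planItemService.getInfoByNo(itemNo)` is dereferenced on the very next line without a null check, so an unknown `itemNo` ends in a NullPointerException instead of the warn-and-return-null shape used for `dataSet`; a guard of the same shape before the `dataSet` lookup would be consistent (the same gap exists in `queryValue`, outside this hunk). The new public method has no Javadoc; a header stating that it returns the raw rows of the item's configured query overlapping the two dates and `null` when the data set or its data source is missing would pin down the contract that callers now depend on. In `getSqlParams`, `new HashMap<String, Object>()` can be `new HashMap<>()`, and the two `.append("'")` calls can be folded into the neighbouring literals, `.append(" plan_t.start_time <= '").append(endStr).append("' and plan_t.end_time >= '").append(startStr).append("'")`.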