Administrator пре 2 година
родитељ
комит
1c0a4f4c74

+ 68 - 0
mhotel/src/com/happy/Until/SqlUtil.java

@@ -0,0 +1,68 @@
+package com.happy.Until;
+
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * sql操作工具类
+ * 
+ * @author xieli
+ */
+public class SqlUtil
+{
+    /**
+     * 定义常用的 sql关键字(未检测|or |and)
+     */
+    public static String SQL_REGEX = "extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare  |+|user()";
+
+    /**
+     * 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序)
+     */
+    public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,\\.]+";
+
+    /**
+     * 限制orderBy最大长度
+     */
+    private static final int ORDER_BY_MAX_LENGTH = 500;
+
+    /**
+     * 检查字符,防止注入绕过
+     */
+    public static String escapeOrderBySql(String value)
+    {
+        if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value))
+        {
+            throw new RuntimeException("参数不符合规范,不能进行查询");
+        }
+        if (StringUtils.length(value) > ORDER_BY_MAX_LENGTH)
+        {
+            throw new RuntimeException("参数已超过最大限制,不能进行查询");
+        }
+        return value;
+    }
+
+    /**
+     * 验证 order by 语法是否符合规范
+     */
+    public static boolean isValidOrderBySql(String value)
+    {
+        return value.matches(SQL_PATTERN);
+    }
+
+    /**
+     * SQL关键字检查,防止sql注入
+     */
+    public static void filterKeyword(String value) {
+        if (StringUtils.isEmpty(value))
+        {
+            return;
+        }
+        String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
+        for (String sqlKeyword : sqlKeywords)
+        {
+            if (StringUtils.indexOfIgnoreCase(value, sqlKeyword) > -1)
+            {
+                throw new RuntimeException("参数存在SQL注入风险");
+            }
+        }
+    }
+}
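Review bot: The denylist in `SQL_REGEX` (line 24) cannot make a free-form SQL fragment safe and is bypassable as written: every keyword carries a trailing space, so `select/**/`, `select\t` or `select\n` slip past the `indexOfIgnoreCase` substring check in `filterKeyword`; `declare  ` has two spaces and never matches the normally spelled keyword; and `union`, `or`/`and` (acknowledged as unchecked in the comment), `sleep(`, `benchmark(`, `load_file`, `information_schema`, `;`, `--` and `#` are absent, while the bare `+` and `count ` entries reject perfectly legitimate values. I would treat `filterKeyword` as defense-in-depth only and say so in its Javadoc, e.g. `// Denylist heuristic only: it does not make string-built SQL safe; callers must still bind user values as parameters`, and at minimum drop the `+` entry and fix the `declare` spelling. Note that `StringUtils.split(SQL_REGEX, "\\|")` splits on the character set `\` and `|`, not on a regex, so the name `SQL_REGEX` is misleading, and both `public static` strings are reassignable by any caller — `private static final` would close that. `escapeOrderBySql`/`SQL_PATTERN` is the sound allow-list approach in this file, but no call site in this commit uses it.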

+ 8 - 1
mhotel/src/com/happy/dao/impl/BookImplDao.java

@@ -4,6 +4,7 @@ import com.happy.Model.Booking;
 import com.happy.Model.Booking;
 import com.happy.Model.House;
 import com.happy.Until.Func;
+import com.happy.Until.SqlUtil;
 import com.happy.Until.UUIDUtil;
 import com.happy.dao.BookDao;
 import com.happy.dto.BookTypeEto;
@@ -217,6 +218,8 @@ public class BookImplDao implements BookDao {
 
     @Override
     public List<Booking> queryPage(String sqlx, int page, int rows) {
+        SqlUtil.filterKeyword(sqlx);
+
         int start = (page - 1) * rows;// 每页的起始下标
         String sql = "SELECT a.*,b.name hotel_township_name FROM (select "+selectCol+" from booking) a left join hotel_dict b on a.hotel_township = b.id WHERE 1=1 "+sqlx+" ORDER BY create_time DESC limit :start,:rows ";
         MapSqlParameterSource sps = new MapSqlParameterSource();
@@ -230,6 +233,7 @@ public class BookImplDao implements BookDao {
 
     @Override
     public int queryTotal(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT count(*) FROM`booking` where 1=1 "+sqlx;
         MapSqlParameterSource sps = new MapSqlParameterSource();
         return namedParameterJdbcTemplate.queryForInt(sql, sps);
@@ -237,7 +241,8 @@ public class BookImplDao implements BookDao {
 
     @Override
     public List<Booking> queryList(String sqlx) {
-            String sql = "SELECT "+selectCol+",case when order_status=1 then '待支付' when order_status=2 then '已支付' when order_status=3 then '待入住' when order_status=4 then '已入住' when order_status=5 then '已消费' when order_status=6 then '支付超时' when order_status=7 then '已取消' when order_status=8 then '已退单' when order_status=9 then '已退款' else '无状态' end order_name FROM `booking` WHERE 1=1 "+sqlx;
+        SqlUtil.filterKeyword(sqlx);
+        String sql = "SELECT "+selectCol+",case when order_status=1 then '待支付' when order_status=2 then '已支付' when order_status=3 then '待入住' when order_status=4 then '已入住' when order_status=5 then '已消费' when order_status=6 then '支付超时' when order_status=7 then '已取消' when order_status=8 then '已退单' when order_status=9 then '已退款' else '无状态' end order_name FROM `booking` WHERE 1=1 "+sqlx;
         List<Booking> list = null;
         try{
             list = namedParameterJdbcTemplate.query(sql, new BeanPropertyRowMapper<>(Booking.class));
@@ -250,6 +255,7 @@ public class BookImplDao implements BookDao {
 
     @Override
     public Double sumAccount(String sqlx){
+        SqlUtil.filterKeyword(sqlx);
         String sql = "select sum(pay_account) pay_account from booking where is_delete=1"+sqlx;
         List<Booking> list = null;
         try{
@@ -263,6 +269,7 @@ public class BookImplDao implements BookDao {
 
     @Override
     public BookTypeEto getBookStatusSum(String sqlx){
+        SqlUtil.filterKeyword(sqlx);
         String sql = "select ifnull(sum(case when order_status = 2 then 1 else 0 end),0) pendingOrderSum,count(1) orderSum,ifnull(sum(case when  order_status = 5 then 1 else 0 end),0) consumerOrderSum,ifnull(sum(case when  order_status = 5 then pay_account else 0 end),0) sumAccount from booking where 1=1"+sqlx;
         List<BookTypeEto> list = null;
         try{
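Review bot: `sqlx` is still spliced verbatim into all five queries (`WHERE 1=1 "+sqlx` on lines 97, 104, 113 and 130, `is_delete=1"+sqlx` on line 122), so the added `SqlUtil.filterKeyword(sqlx)` calls narrow rather than close the injection: a keyword denylist is bypassable (`select/**/`, `union`, `sleep(`, `or 1=1` — `or`/`and` are explicitly not checked) and cannot tell a legitimate fragment from a hostile one. Since every method already builds a `MapSqlParameterSource`, the fix is to replace the raw fragment with typed filter arguments bound as named parameters, e.g. `sql += " AND order_status = :status"; sps.addValue("status", status);`, with any caller-chosen column or sort direction checked against a fixed allow-list (the `escapeOrderBySql` helper added in this commit is never called here); this needs a matching signature change in `BookDao`. Where `sqlx` originates is not visible in this diff — if it is assembled purely from server-side constants the exposure is smaller, but the very presence of the filter suggests caller input reaches it. Minor: `sumAccount` and `getBookStatusSum` append `sqlx` with no separating space after `is_delete=1` and `1=1`, relying on every fragment starting with whitespace.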