
防止sql注入

raojiaolong@163.com 2 years ago
parent
commit
3b976d5cab

+ 5 - 0
mhotel/src/com/happy/dao/impl/AdminImplDao.java

@@ -4,6 +4,7 @@ import com.happy.Model.Admin;
 import com.happy.Model.AdminPower;
 import com.happy.Model.weixin.Users;
 import com.happy.Until.Func;
+import com.happy.Until.SqlUtil;
 import com.happy.Until.UUIDUtil;
 import com.happy.dao.AdminDao;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -110,6 +111,7 @@ public class AdminImplDao implements AdminDao {
 
     @Override
     public List<Admin> queryPage(String sqlx, int page, int rows) {
+        SqlUtil.filterKeyword(sqlx);
         int start = (page - 1) * rows;// 每页的起始下标
         String sql = selectSql + "where status=1 "+sqlx+" order by id desc limit :start,:rows ";
         MapSqlParameterSource sps = new MapSqlParameterSource();
@@ -125,6 +127,7 @@ public class AdminImplDao implements AdminDao {
 
     @Override
     public int queryTotal(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "select count(*) from `admin` where status=1 "+sqlx;
         MapSqlParameterSource sps = new MapSqlParameterSource();
         return namedParameterJdbcTemplate.queryForInt(sql, sps);
@@ -132,6 +135,7 @@ public class AdminImplDao implements AdminDao {
 
     @Override
     public List<Admin> queryList(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = selectSql + " where status=1 "+sqlx;
         MapSqlParameterSource sps = new MapSqlParameterSource();
         List<Admin> list = namedParameterJdbcTemplate.query(sql, sps,
@@ -144,6 +148,7 @@ public class AdminImplDao implements AdminDao {
 
     @Override
     public List<AdminPower> queryTree(String sqlx){
+        SqlUtil.filterKeyword(sqlx);
         String sql = "select * from `admin_power` where status=1 "+sqlx;
         MapSqlParameterSource sps = new MapSqlParameterSource();
         List<AdminPower> list = namedParameterJdbcTemplate.query(sql, sps,
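Review bot: Every added `SqlUtil.filterKeyword(sqlx);` line in queryPage, queryTotal, queryList and queryTree discards the method's return value, and the very next line still concatenates the original `sqlx` into the query, so unless filterKeyword throws on a match the call has no effect on what reaches the database (Java strings are immutable, so it cannot modify `sqlx` in place). SqlUtil is not visible in this commit; if it returns a sanitized string, each call needs to be `sqlx = SqlUtil.filterKeyword(sqlx);`. Even then, keyword blacklisting is a weak defense for a fragment that is spliced verbatim after `where status=1`; the `MapSqlParameterSource` these methods already use for `:start`/`:rows` should carry the filter values, with `sqlx` limited to caller-built predicates that reference named parameters. Each of these methods continues past the end of its hunk.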

+ 4 - 0
mhotel/src/com/happy/dao/impl/AdminManagerImplDao.java

@@ -3,6 +3,7 @@ package com.happy.dao.impl;
 import com.happy.Model.Admin;
 import com.happy.Model.AdminManager;
 import com.happy.Until.Func;
+import com.happy.Until.SqlUtil;
 import com.happy.Until.UUIDUtil;
 import com.happy.dao.AdminManagerDao;
 import org.apache.poi.ss.formula.functions.T;
@@ -123,6 +124,7 @@ public class AdminManagerImplDao implements AdminManagerDao {
 
     @Override
     public List<AdminManager> queryPage(String sqlx, int page, int rows) {
+        SqlUtil.filterKeyword(sqlx);
         int start = (page - 1) * rows;// 每页的起始下标
         String sql = selectSql + " WHERE a.status!=0 "+sqlx+" ORDER BY a.id DESC limit :start,:rows ";
         MapSqlParameterSource sps = new MapSqlParameterSource();
@@ -136,6 +138,7 @@ public class AdminManagerImplDao implements AdminManagerDao {
 
     @Override
     public int queryTotal(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT count(*) FROM`admin_manager` where status!=0 "+sqlx;
         MapSqlParameterSource sps = new MapSqlParameterSource();
         return namedParameterJdbcTemplate.queryForInt(sql, sps);
@@ -143,6 +146,7 @@ public class AdminManagerImplDao implements AdminManagerDao {
 
     @Override
     public List<AdminManager> queryList(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = selectSql + " WHERE a.status!=0 "+sqlx ;
         List<AdminManager> list = null;
         try{
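Review bot: The return value of `SqlUtil.filterKeyword(sqlx)` is ignored in the queryPage, queryTotal and queryList hunks, so the string appended to `WHERE a.status!=0 ` on the following line is the unfiltered argument; the change only helps if filterKeyword throws rather than returns. If it returns a cleaned string, the call must be `sqlx = SqlUtil.filterKeyword(sqlx);` in each method. A short comment on the first call stating which of the two behaviours is relied on, e.g. `// throws on blacklisted SQL keywords; sqlx is still raw SQL`, would stop the next reader from assuming the fragment is now safe. The bodies of all three methods run beyond their hunks.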

+ 4 - 0
mhotel/src/com/happy/dao/impl/FileImplInfoDao.java

@@ -1,6 +1,7 @@
 package com.happy.dao.impl;
 
 import com.happy.Model.FileInfo;
+import com.happy.Until.SqlUtil;
 import com.happy.Until.UUIDUtil;
 import com.happy.dao.FileInfoDao;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -112,6 +113,7 @@ public class FileImplInfoDao implements FileInfoDao {
 
     @Override
     public List<FileInfo> queryPage(String sqlx, int page, int rows) {
+        SqlUtil.filterKeyword(sqlx);
         int start = (page - 1) * rows;// 每页的起始下标
         String sql = "SELECT * FROM `file_info` WHERE 1=1 "+sqlx+" ORDER BY id DESC limit :start,:rows ";
         MapSqlParameterSource sps = new MapSqlParameterSource();
@@ -125,6 +127,7 @@ public class FileImplInfoDao implements FileInfoDao {
 
     @Override
     public int queryTotal(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT count(*) FROM `file_info` where 1=1 "+sqlx;
         MapSqlParameterSource sps = new MapSqlParameterSource();
         return namedParameterJdbcTemplate.queryForInt(sql, sps);
@@ -132,6 +135,7 @@ public class FileImplInfoDao implements FileInfoDao {
 
     @Override
     public List<FileInfo> queryList(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT * FROM `file_info` WHERE 1=1 "+sqlx;
         List<FileInfo> list = null;
         try{
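Review bot: `SELECT * FROM \`file_info\` WHERE 1=1 "+sqlx` still splices the caller-supplied fragment unchanged, because the added `SqlUtil.filterKeyword(sqlx);` in queryPage, queryTotal and queryList does not assign its result back and cannot mutate the string. The `WHERE 1=1` prefix means any text is accepted as a suffix, so a keyword blacklist (whose contents are not shown here) is a thin guard; if the helper returns a value it should be `sqlx = SqlUtil.filterKeyword(sqlx);`, and the filter values should move into the `MapSqlParameterSource` that queryPage and queryTotal already build. The methods continue outside the hunks.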

+ 4 - 0
mhotel/src/com/happy/dao/impl/HotelDictImplDao.java

@@ -3,6 +3,7 @@ package com.happy.dao.impl;
 import com.happy.Model.AdminManager;
 import com.happy.Model.HotelDict;
 import com.happy.Until.Func;
+import com.happy.Until.SqlUtil;
 import com.happy.Until.UUIDUtil;
 import com.happy.dao.HotelDictDao;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -106,6 +107,7 @@ public class HotelDictImplDao implements HotelDictDao {
 
     @Override
     public List<HotelDict> queryPage(String sqlx, int page, int rows) {
+        SqlUtil.filterKeyword(sqlx);
         int start = (page - 1) * rows;// 每页的起始下标
         String sql = "SELECT * FROM `hotel_dict` WHERE status=1 "+sqlx+" ORDER BY id DESC limit :start,:rows ";
         MapSqlParameterSource sps = new MapSqlParameterSource();
@@ -119,6 +121,7 @@ public class HotelDictImplDao implements HotelDictDao {
 
     @Override
     public int queryTotal(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT count(*) FROM`hotel_dict` where status=1 "+sqlx;
         MapSqlParameterSource sps = new MapSqlParameterSource();
         return namedParameterJdbcTemplate.queryForInt(sql, sps);
@@ -126,6 +129,7 @@ public class HotelDictImplDao implements HotelDictDao {
 
     @Override
     public List<HotelDict> queryList(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT * FROM `hotel_dict` WHERE status=1 "+sqlx;
         List<HotelDict> list = null;
         try{
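Review bot: As in the other DAOs in this commit, `SqlUtil.filterKeyword(sqlx);` is called for its side effect only, so the `sqlx` concatenated into `WHERE status=1 "+sqlx` on the next line of queryPage, queryTotal and queryList is whatever the caller passed; whether this blocks anything depends entirely on filterKeyword throwing, which this page does not show. If it returns a sanitized string, write `sqlx = SqlUtil.filterKeyword(sqlx);`. Since the same three-method pattern is repeated across every DAO, a single documented helper in the base DAO (or in SqlUtil returning the checked string) would keep the contract in one place. Method bodies extend past the hunks.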

+ 6 - 1
mhotel/src/com/happy/dao/impl/HotelImplDao.java

@@ -2,6 +2,7 @@ package com.happy.dao.impl;
 
 import com.happy.Model.Hotel;
 import com.happy.Until.Func;
+import com.happy.Until.SqlUtil;
 import com.happy.Until.UUIDUtil;
 import com.happy.dao.HotelDao;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -150,6 +151,7 @@ public class HotelImplDao implements HotelDao {
 
     @Override
     public List<Hotel> queryPage(String sqlx, int page, int rows) {
+        SqlUtil.filterKeyword(sqlx);
         int start = (page - 1) * rows;// 每页的起始下标
         String sql = "SELECT * FROM `hotel` WHERE status=1 "+sqlx+" ORDER BY id DESC limit :start,:rows ";
         MapSqlParameterSource sps = new MapSqlParameterSource();
@@ -165,6 +167,7 @@ public class HotelImplDao implements HotelDao {
 //    left join (select manager_id,min(price) min_price from house group by manager_id) b on a.manager_id = b.manager_id  ORDER BY id DESC limit 1,3
     @Override
     public List<Hotel> queryPagePrice(String sqlx, int page, int rows) {
+        SqlUtil.filterKeyword(sqlx);
         int start = (page - 1) * rows;// 每页的起始下标
         String sql = "SELECT a.*,b.min_price,c.hotel_township,d.hotel_township_name, e.h_type_name,c.hotel_name FROM `hotel` a " +
                 "left join (select manager_id,min(price) min_price from house where status=1 group by manager_id) b on a.manager_id = b.manager_id " +
@@ -186,7 +189,7 @@ public class HotelImplDao implements HotelDao {
 //                "left join (select manager_id,min(price) min_price from house group by manager_id) b on a.manager_id = b.manager_id " +
 //                "left join (select manager_id,hotel_township hotel_township from admin_manager group by manager_id) c on a.manager_id = c.manager_id " +
 //                "where status=1 "+sqlx;
-
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT count(*) FROM `hotel` a " +
                 "left join (select manager_id,min(price) min_price from house where status=1 group by manager_id) b on a.manager_id = b.manager_id " +
                 "left join (select manager_id,hotel_township hotel_township from admin_manager group by manager_id) c on a.manager_id = c.manager_id " +
@@ -200,6 +203,7 @@ public class HotelImplDao implements HotelDao {
 
     @Override
     public int queryTotal(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT count(*) FROM`hotel` where status=1 "+sqlx;
         MapSqlParameterSource sps = new MapSqlParameterSource();
         return namedParameterJdbcTemplate.queryForInt(sql, sps);
@@ -207,6 +211,7 @@ public class HotelImplDao implements HotelDao {
 
     @Override
     public List<Hotel> queryList(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "SELECT * FROM `hotel`  WHERE status=1   "+sqlx;
         List<Hotel> list = null;
         try{
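Review bot: The hunk that replaces a blank line with `SqlUtil.filterKeyword(sqlx);` before the `SELECT count(*) FROM \`hotel\` a ...` string belongs to a method whose signature is outside the hunk, so that `sqlx` is presumably the method parameter but cannot be confirmed here; in every visible method (queryPage, queryPagePrice, queryTotal, queryList) the call's result is discarded and the raw `sqlx` is still concatenated into the SQL. In queryPagePrice the fragment lands inside a multi-line query with joined subqueries, where a blacklist that misses even one keyword form still yields a full injection point. If filterKeyword returns a value, the calls should read `sqlx = SqlUtil.filterKeyword(sqlx);`; either way, the filter conditions should be passed through the `MapSqlParameterSource` that queryPage already builds. All of these method bodies continue beyond their hunks.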

File diff suppressed because it is too large
+ 6 - 0
mhotel/src/com/happy/dao/impl/HouseImplDao.java


+ 3 - 0
mhotel/src/com/happy/dao/impl/IDCImplDao.java

@@ -1,6 +1,7 @@
 package com.happy.dao.impl;
 
 import com.happy.Model.House;
+import com.happy.Until.SqlUtil;
 import com.happy.dao.IDCDao;
 import com.happy.dto.IDCBookStatusEto;
 import com.happy.dto.IDCHotelEto;
@@ -59,6 +60,7 @@ public class IDCImplDao implements IDCDao {
 
     @Override
     public List<IDCRankEto> getRankBookNumData(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "select a.*,@curRank := @curRank + 1 AS rank from (select hotel_name,count(1) book_num from booking where order_status=2 " +sqlx + " group by hotel_id ORDER BY count(1) DESC) a,(SELECT @curRank := 0) r";
         List<IDCRankEto> list = null;
         try{
@@ -72,6 +74,7 @@ public class IDCImplDao implements IDCDao {
 
     @Override
     public List<IDCRankEto> getRankSalesAmountData(String sqlx) {
+        SqlUtil.filterKeyword(sqlx);
         String sql = "select a.*,@curRank := @curRank + 1 AS rank from (select hotel_name,sum(pay_account) salesAmount from booking where order_status=2 "+sqlx+" group by hotel_id ORDER BY sum(pay_account) DESC) a,(SELECT @curRank := 0) r";
         List<IDCRankEto> list = null;
         try{
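Review bot: In getRankBookNumData and getRankSalesAmountData the `sqlx` fragment is interpolated between `order_status=2 ` and ` group by hotel_id` inside a derived table, and the added `SqlUtil.filterKeyword(sqlx);` does not change that string since its return value is dropped. A keyword blacklist would not stop fragments such as `or 1=1` that contain no reserved word, so the count/sum results can still be manipulated; the filter's effect here is at most to throw, which is not visible on this page. If the helper returns a cleaned string, use `sqlx = SqlUtil.filterKeyword(sqlx);`, and prefer binding the date/hotel conditions as named parameters instead of accepting SQL text. Both method bodies run past the hunk.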