From 335d1821e8500bfee95c145b38dbb61b519c06a7 Mon Sep 17 00:00:00 2001
From: fengshuonan
Date: Tue, 30 May 2023 16:33:32 +0800
Subject: [PATCH] =?UTF-8?q?=E3=80=907.6.0=E3=80=91=E6=9B=B4=E6=96=B0BaseRe?= =?UTF-8?q?quest=E4=B8=AD=E8=8E=B7=E5=8F=96=E8=87=AA=E5=AE=9A=E4=B9=89?= =?UTF-8?q?=E6=8E=92=E5=BA=8F=E5=AD=97=E6=AE=B5=E7=9A=84sql=E6=8B=BC?= =?UTF-8?q?=E6=8E=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../kernel/rule/pojo/request/BaseRequest.java | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/kernel-a-rule/src/main/java/cn/stylefeng/roses/kernel/rule/pojo/request/BaseRequest.java b/kernel-a-rule/src/main/java/cn/stylefeng/roses/kernel/rule/pojo/request/BaseRequest.java
index 2a9add2b8..240f30dd6 100644
--- a/kernel-a-rule/src/main/java/cn/stylefeng/roses/kernel/rule/pojo/request/BaseRequest.java
+++ b/kernel-a-rule/src/main/java/cn/stylefeng/roses/kernel/rule/pojo/request/BaseRequest.java
@@ -24,7 +24,10 @@
 */
 package cn.stylefeng.roses.kernel.rule.pojo.request;
+import cn.hutool.core.util.ObjectUtil;
+import cn.hutool.core.util.StrUtil;
 import cn.stylefeng.roses.kernel.rule.annotation.ChineseDescription;
+import cn.stylefeng.roses.kernel.rule.util.SqlInjectionDetector;
 import lombok.Data;
 import java.io.Serializable;
@@ -165,4 +168,27 @@ public class BaseRequest implements Serializable {
 public @interface batchDelete {
 }
+ /**
+ * 获取排序的结尾拼接sql
+ *

+ * 根据orderBy和sortBy参数,这俩参数均进行过sql注入过滤
+ *
+ * @author fengshuonan
+ * @since 2023/5/30 16:29
+ */
+ public String getOrderByLastSql() {
+
+ if (ObjectUtil.isEmpty(this.orderBy) || ObjectUtil.isEmpty(this.sortBy)) {
+ return StrUtil.EMPTY;
+ }
+
+ // 检测这俩参数有没有注入风险
+ if (SqlInjectionDetector.hasSqlInjection(this.orderBy) || SqlInjectionDetector.hasSqlInjection(this.sortBy)) {
+ return StrUtil.EMPTY;
+ }
+
+ // 进行order by语句的拼接
+ return " order by " + this.orderBy + " " + this.sortBy + " ";
+ }
+
 }
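Review bot: `getOrderByLastSql` concatenates `this.orderBy` and `this.sortBy` straight into the SQL fragment after only a blacklist check (`SqlInjectionDetector.hasSqlInjection`), and if these fields are bound from the incoming request — which a lombok `@Data` request object suggests — any pattern the detector does not recognise reaches the query unchanged. An allow-list is the robust control for an ORDER BY clause: accept `sortBy` only as `asc`/`desc` (case-insensitive) and `orderBy` only as a bare identifier (better still, a column name the caller declares), keeping the detector as defence in depth; the rewrite below does this with a class-level `private static final Pattern ORDER_BY_COLUMN = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*$");` and a `java.util.regex.Pattern` import. Returning `StrUtil.EMPTY` silently when the detector fires also hides probing from operators; logging the rejected values at warn level (or rejecting the request) makes such attempts visible to monitoring. The enclosing class `BaseRequest` starts outside the hunk, and the Javadoc should state that the fragment is empty when either field is absent or fails validation, since callers may otherwise assume the requested ordering was applied.
```java
public String getOrderByLastSql() {
    // … unchanged: empty check on orderBy / sortBy …

    // Allow-list on top of the blacklist detector: the column must be a bare
    // identifier and the direction must be asc/desc; anything else is dropped
    // rather than interpolated into the query.
    boolean directionOk = "asc".equalsIgnoreCase(this.sortBy) || "desc".equalsIgnoreCase(this.sortBy);
    if (!ORDER_BY_COLUMN.matcher(this.orderBy).matches() || !directionOk) {
        return StrUtil.EMPTY;
    }

    // … unchanged: SqlInjectionDetector check and " order by " concatenation …
}
```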