Fix: When checking SQL injections, make sure that the tested string's length also matches keyword's length, otherwise a perfectly normal table name "country" will be considered as SQL injection suspect because it starts with "count"

2023-06-28 16:38:44 +02:00 · 2023-06-28 16:38:44 +02:00 · 1d99d3c372
parent 78a70c0e8c
commit 1d99d3c372
1 changed files with 1 additions and 1 deletions
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@ -185,7 +185,7 @@ public class SqlInjectionUtil {
 		//value = value.replaceAll("/\\*.*\\*/","");

 		for (int i = 0; i < xssArr.length; i++) {
-			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
+			if ((value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) && value.length() == xssArr[i].trim().length()) {
 				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
 				log.error("请注意，值可能存在SQL注入风险!---> {}", value);
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);