mirror of https://github.com/jeecgboot/jeecg-boot
Fix: When checking for SQL injection, make sure that the tested string's length also matches the keyword's length; otherwise a perfectly normal table name such as "country" is treated as an SQL injection suspect because it starts with "count"
parent
78a70c0e8c
commit
1d99d3c372
@ -185,7 +185,7 @@ public class SqlInjectionUtil {
|
|||
//value = value.replaceAll("/\\*.*\\*/","");
|
||||
|
||||
for (int i = 0; i < xssArr.length; i++) {
|
||||
if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
|
||||
if ((value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) && value.length() == xssArr[i].trim().length()) {
|
||||
log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]);
|
||||
log.error("请注意,值可能存在SQL注入风险!---> {}", value);
|
||||
throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
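Review bot: The added `&& value.length() == xssArr[i].trim().length()` on the new `if` line applies to the `indexOf` branch as well, so a value that merely contains a keyword is now flagged only when the whole value is exactly as long as that keyword; any longer value containing the same keyword passes the check, which appears to weaken the filter far beyond the "country" vs "count" false positive the commit describes. The length condition belongs only to the `startsWith` branch, where the intent is a whole-token match rather than a bare prefix match. One way to keep the substring check intact while fixing the prefix false positive is `String kw = xssArr[i].trim();` followed by `boolean prefixHit = value.startsWith(kw) && (value.length() == kw.length() || !Character.isLetterOrDigit(value.charAt(kw.length())));` and `if (value.indexOf(xssArr[i]) > -1 || prefixHit) {`. The contents of `xssArr` are not visible here, so whether entries carry trailing spaces (which would make the untrimmed `indexOf` and trimmed `startsWith` behave differently) should be confirmed against the array definition. The enclosing method starts and ends outside the hunk.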
|
||||
|
|