From 1d99d3c3725a2a27963c6bfaf020cf8252309745 Mon Sep 17 00:00:00 2001
From: Qiuyi LI
Date: Wed, 28 Jun 2023 16:38:44 +0200
Subject: [PATCH] Fix: When checking SQL injections, make sure that the tested string's length also matches keyword's length, otherwise a perfectly normal table name "country" will be considered as SQL injection suspect because it starts with "count"

---
 .../src/main/java/org/jeecg/common/util/SqlInjectionUtil.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
index 723e1ce44..9b4a44949 100644
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -185,7 +185,7 @@ public class SqlInjectionUtil {
 //value = value.replaceAll("/\\*.*\\*/","");
 for (int i = 0; i < xssArr.length; i++) {
- if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
+ if ((value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) && value.length() == xssArr[i].trim().length()) {
 log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]);
 log.error("请注意,值可能存在SQL注入风险!---> {}", value);
 throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);