diff --git a/pom.xml b/pom.xml
index 677d0195..554f9557 100644
--- a/pom.xml
+++ b/pom.xml
@@ -84,6 +84,7 @@
net.mingsoft
ms-upgrader
+ 1.0.16
diff --git a/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java b/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
index 59b9b283..2ad8b959 100644
--- a/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
+++ b/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
@@ -55,6 +55,8 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
/**
* 动态生成页面,需要后台配置自定义页数据
@@ -378,8 +380,16 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
} catch (IOException e1) {
e1.printStackTrace();
}
+ Map searchMap = BasicUtil.assemblyRequestMap();
+ searchMap.forEach((k,v)->{
+ //sql注入过滤
+ if(sqlFilter(v.toString())){
+ searchMap.put(k,"");
+ }
+ });
+
//查询数量
- int count= contentBiz.getSearchCount(contentModel,fieldValueList,BasicUtil.assemblyRequestMap(),BasicUtil.getAppId(),categoryIds);
+ int count= contentBiz.getSearchCount(contentModel,fieldValueList,searchMap,BasicUtil.getAppId(),categoryIds);
int total = PageUtil.totalPage(count, size);
int pageNo = BasicUtil.getInt(ParserUtil.PAGE_NO, 1);
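Review bot: The filtering block at the top of the hunk is a keyword denylist that blanks any request value matching `and`, `or`, `count`, `'` and similar, so it silently drops ordinary search terms while not replacing the real defence, which is binding the `searchMap` values as query parameters in the code behind `contentBiz.getSearchCount` (not visible in this diff). `v.toString()` throws NullPointerException for a null parameter value, and calling `searchMap.put` inside `forEach` only avoids ConcurrentModificationException because replacing an existing key is not a structural change; `searchMap.replaceAll((k, v) -> v != null && sqlFilter(v.toString()) ? "" : v);` expresses the same intent without either hazard. `sqlFilter` itself, added in the last hunk, compiles its `Pattern` on every call and passes no `CASE_INSENSITIVE` flag, so the match is case-sensitive; hoisting it to a `private static final Pattern` compiled with that flag addresses both. The raw `Map` should also be declared as `Map<String, Object>` to match what `assemblyRequestMap` returns, if that is its signature. The enclosing method starts and ends outside the hunk.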
@@ -412,7 +422,6 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
page.setPreUrl(preUrl);
page.setLastUrl(lastUrl);
map.put(ParserUtil.URL, BasicUtil.getUrl());
- Map searchMap = BasicUtil.assemblyRequestMap();
searchMap.put(ParserUtil.PAGE_NO, pageNo);
map.put(SEARCH, searchMap);
map.put(ParserUtil.PAGE, page);
@@ -420,6 +429,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
map.put(ParserUtil.IS_DO,false);
//设置动态请求的模块路径
map.put(ParserUtil.MODEL_NAME, "mcms");
+
//解析后的内容
String content = "";
try {
@@ -437,6 +447,16 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
this.outString(response, content);
}
+ /**
+ * sql语句检测,存在返回true
+ * @param str
+ * @return
+ */
+ public static boolean sqlFilter(String str){
+ Pattern pattern= Pattern.compile("\\b(and|exec|insert|select|drop|grant|alter|delete|update|count|chr|mid|master|truncate|char|declare|or)\\b|(\\*|;|\\+|'|%)");
+ Matcher matcher=pattern.matcher(str);
+ return matcher.find();
+ }
private Map get(String key, List