diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java b/ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java
index fd46979e..65dcba4d 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java
@@ -1,7 +1,6 @@
 package com.ruoyi.common.page;
 import com.ruoyi.common.utils.StringUtils;
-import com.ruoyi.common.utils.sql.SqlUtil;
 /**
 * 分页数据
@@ -12,14 +11,11 @@ public class PageDomain
 {
 /** 当前记录起始索引 */
 private Integer pageNum;
-
 /** 每页显示记录数 */
 private Integer pageSize;
-
 /** 排序列 */
 private String orderByColumn;
 /** 排序的方向 "desc" 或者 "asc". */
-
 private String isAsc;
 public String getOrderBy()
@@ -58,7 +54,7 @@ public class PageDomain
 public void setOrderByColumn(String orderByColumn)
 {
- this.orderByColumn = SqlUtil.escapeSql(orderByColumn);
+ this.orderByColumn = orderByColumn;
 }
 public String getIsAsc()
@@ -68,6 +64,6 @@ public class PageDomain
 public void setIsAsc(String isAsc)
 {
- this.isAsc = SqlUtil.escapeSql(isAsc);
+ this.isAsc = isAsc;
 }
 }
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
index 38f49215..b31804b6 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
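Review bot: In the `setOrderByColumn` hunk the setter now stores the request-supplied sort column verbatim, and the `setIsAsc` hunk does the same for the direction, so PageDomain no longer offers any protection of its own and the ORDER BY whitelist only holds where a consumer remembers to call `SqlUtil.escapeOrderBySql`. In this diff that consumer is only `BaseController.startPage`, so any other code that reads `getOrderBy()`, `getOrderByColumn()` or `getIsAsc()` into a query is now unprotected; other callers are not visible here, so that needs checking before merge. The old `escapeSql` only stripped parentheses, so moving to a whitelist is an improvement, but the new contract should be written on the setters so the next reader does not assume the stored value is sanitised. On `setOrderByColumn`, for example: `/** Stores the raw request value; it must pass SqlUtil.escapeOrderBySql before being used in SQL. */`, and the same comment on `setIsAsc`.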
@@ -10,15 +10,27 @@ import com.ruoyi.common.utils.StringUtils;
 public class SqlUtil
 {
 /**
- * 防止sql注入 替换危险字符
+ * 仅支持字母、数字、下划线、空格、逗号(支持多个字段排序)
 */
- public static String escapeSql(String value)
+ public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,]+";
+
+ /**
+ * 检查字符,防止注入绕过
+ */
+ public static String escapeOrderBySql(String value)
 {
- if (StringUtils.isNotEmpty(value))
+ if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value))
 {
- value = value.replaceAll("\\(", "");
- value = value.replaceAll("\\)", "");
+ return StringUtils.EMPTY;
 }
 return value;
 }
+
+ /**
+ * 验证 order by 语法是否符合规范
+ */
+ public static boolean isValidOrderBySql(String value)
+ {
+ return value.matches(SQL_PATTERN);
+ }
 }
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/base/BaseController.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/base/BaseController.java
index 4a83cdec..dbfea684 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/base/BaseController.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/base/BaseController.java
@@ -13,6 +13,7 @@ import com.ruoyi.common.page.TableDataInfo;
 import com.ruoyi.common.page.TableSupport;
 import com.ruoyi.common.utils.DateUtils;
 import com.ruoyi.common.utils.StringUtils;
+import com.ruoyi.common.utils.sql.SqlUtil;
 import com.ruoyi.framework.util.ShiroUtils;
 import com.ruoyi.system.domain.SysUser;
@@ -50,7 +51,7 @@ public class BaseController
 Integer pageSize = pageDomain.getPageSize();
 if (StringUtils.isNotNull(pageNum) && StringUtils.isNotNull(pageSize))
 {
- String orderBy = pageDomain.getOrderBy();
+ String orderBy = SqlUtil.escapeOrderBySql(pageDomain.getOrderBy());
 PageHelper.startPage(pageNum, pageSize, orderBy);
 }
 }
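Review bot: `SQL_PATTERN` is declared `public static String` without `final`, so any class can reassign the whitelist at runtime and silently widen what `isValidOrderBySql` accepts; it should be `public static final String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,]+";`. `isValidOrderBySql` is public but dereferences its argument unguarded, so a null reaching it from any path other than the `isNotEmpty`-guarded one in `escapeOrderBySql` throws NullPointerException; `return value != null && value.matches(SQL_PATTERN);` closes that. `String.matches` recompiles the regex on every call; a `private static final Pattern` built once from `SQL_PATTERN` with `Pattern.compile` and checked via `matcher(value).matches()` keeps the same whole-string match at lower cost. Finally, the `return StringUtils.EMPTY;` branch drops a rejected ORDER BY without any trace, so an attempted bypass is invisible to operators; a warn-level log of the rejected value at that point would give the SOC a detection signal.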
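Review bot: The whitelist check is applied to the already-joined `pageDomain.getOrderBy()` string, so it rejects injection metacharacters but does not verify that the direction token is `asc`/`desc` or that the column list is well-formed; a value such as `id foo` satisfies `[a-zA-Z0-9_\ \,]+` and reaches `PageHelper.startPage` as a SQL syntax error rather than being rejected here (`getOrderBy()` is outside this hunk, so how it joins column and direction is inferred). Since the PageDomain setters now store input verbatim, the validation lives only at this call site, and a future controller that builds its own query from the page domain will skip it; performing the check inside `getOrderBy()` or `TableSupport` instead would make it impossible to bypass by omission. A short comment on the new line would also help the next reader, e.g. `// whitelist-check the user-supplied ORDER BY before PageHelper appends it to the SQL`.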