--重构表字典逻辑，深度解决SQL注入漏洞问题(修复导致的bug修复)--

2025-12-26 08:16:41 +08:00 · 2023-09-05 22:59:08 +08:00
parent 492966cb19
commit 5a4d9cac86
2 changed files with 65 additions and 15 deletions
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/CommonUtils.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/CommonUtils.java
@ -6,6 +6,7 @@ import com.baomidou.dynamic.datasource.spring.boot.autoconfigure.DynamicDataSour
 import com.baomidou.mybatisplus.annotation.DbType;
 import com.baomidou.mybatisplus.extension.toolkit.JdbcUtils;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang.StringUtils;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.DataBaseConstant;
 import org.jeecg.common.constant.ServiceNameConstants;
@ -26,6 +27,7 @@ import java.io.InputStream;
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
 import java.sql.SQLException;
+import java.util.List;
 import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@ -145,7 +147,7 @@ public class CommonUtils {
     * @param bizPath  自定义路径
     * @return
     */
-    public static String uploadLocal(MultipartFile mf,String bizPath,String uploadpath){
+    public static String uploadLocal(MultipartFile mf, String bizPath, String uploadpath){
        try {
            //update-begin-author:liusq date:20210809 for: 过滤上传文件类型
            FileTypeFilter.fileTypeFilter(mf);
@ -272,7 +274,7 @@ public class CommonUtils {
        if(db==null){
            return null;
        }
-        DriverManagerDataSource ds = new DriverManagerDataSource ();
+        DriverManagerDataSource ds = new DriverManagerDataSource();
        ds.setDriverClassName(db.getDriverClassName());
        ds.setUrl(db.getUrl());
        ds.setUsername(db.getUsername());
@ -392,4 +394,47 @@ public class CommonUtils {
        return target;
    }

+    /**
+     * 将list集合以分割符的方式进行分割
+     * @param list      String类型的集合文本
+     * @param separator 分隔符
+     * @return
+     */
+    public static String getSplitText(List<String> list, String separator) {
+        if (null != list && list.size() > 0) {
+            return StringUtils.join(list, separator);
+        }
+        return "";
+    }
+ 
+    /**
+     * 通过table的条件SQL
+     *
+     * @param tableSql sys_user where name = '1212'
+     * @return name = '1212'
+     */
+    public static String getFilterSqlByTableSql(String tableSql) {
+        if (tableSql.toLowerCase().indexOf(DataBaseConstant.SQL_WHERE) > 0) {
+            String[] arr = tableSql.split(" (?i)where ");
+            if (arr != null && oConvertUtils.isNotEmpty(arr[1])) {
+                return arr[1];
+            }
+        }
+        return "";
+    }
+
+    /**
+     * 通过table获取表名
+     *
+     * @param tableSql sys_user where name = '1212'
+     * @return sys_user
+     */
+    public static String getTableNameByTableSql(String tableSql) {
+        if (tableSql.toLowerCase().indexOf(DataBaseConstant.SQL_WHERE) > 0) {
+            String[] arr = tableSql.split(" (?i)where ");
+            return arr[0].trim();
+        } else {
+            return tableSql;
+        }
+    }
 }