Pre Merge pull request !403 from yi-l-i-yi-li/master

yi-l-i-yi-li 2022-08-27 03:58:28 +00:00 committed by Gitee
commit 53425793e6
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 6 additions and 2 deletions


@ -12,8 +12,10 @@ public class SqlUtil
{
/**
* 定义常用的 sql关键字
* 删除管道符 "|"左边的空格空格会导致sql注入
* chr |mid |char |and | 去掉空格容易引起误报
*/
public static String SQL_REGEX = "select |insert |delete |update |drop |count |exec |chr |mid |master |truncate |char |and |declare ";
public static String SQL_REGEX = "select|insert|delete|update|drop|count|exec|chr |mid |master|truncate|char |and |declare";
/**
* 仅支持字母数字下划线空格逗号小数点支持多个字段排序
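Review bot: `SQL_REGEX` is still a `public static String` that is not `final`, so any class can reassign the keyword list at runtime and weaken the filter; declare it `public static final String SQL_REGEX = ...`. With the trailing spaces removed, entries such as `update`, `count` and `select` will presumably be matched as bare substrings (filterKeyword itself is not shown on this page), so ordinary identifiers like `update_time` or `account` may now be rejected. The entries that keep a trailing space (`chr `, `mid `, `char `, `and `) still match only when a literal space follows the keyword. The list is therefore best treated as a secondary check behind parameterised queries and the statement-type check, and the comment above the constant should say so.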


@ -199,7 +199,7 @@ public class GenController extends BaseController
{
try
{
SqlUtil.filterKeyword(sql);
//SqlUtil.filterKeyword(sql);
List<SQLStatement> sqlStatements = SQLUtils.parseStatements(sql, DbType.mysql);
List<String> tableNames = new ArrayList<>();
for (SQLStatement sqlStatement : sqlStatements)
@ -207,6 +207,8 @@ public class GenController extends BaseController
if (sqlStatement instanceof MySqlCreateTableStatement)
{
MySqlCreateTableStatement createTableStatement = (MySqlCreateTableStatement) sqlStatement;
//关键字过滤
SqlUtil.filterKeyword(createTableStatement.toString());
if (genTableService.createTable(createTableStatement.toString()))
{
String tableName = createTableStatement.getTableName().replaceAll("`", "");
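Review bot: In the second hunk, `createTableStatement.toString()` is serialised once for `SqlUtil.filterKeyword(...)` and again for `genTableService.createTable(...)`, so the text that is checked and the text that is executed are two separate renderings. Take it once, `String createSql = createTableStatement.toString();`, then call `SqlUtil.filterKeyword(createSql);` and `genTableService.createTable(createSql)` so the filter provably sees the exact string that runs. Because the filter moved inside the `instanceof MySqlCreateTableStatement` branch, any other statement in the parsed batch is no longer keyword-checked. That is safe only if such statements are never executed, which cannot be confirmed here because the loop body continues outside the hunk; an explicit rejection of non-CREATE-TABLE statements would make it certain. The commented-out `//SqlUtil.filterKeyword(sql);` in the first hunk should be deleted rather than kept as dead code.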