fix: 部分sql过滤会导致一些问题处理。

2023-08-24 15:49:14 +08:00 · 2023-08-24 15:49:14 +08:00 · 03864ca1a9
commit 03864ca1a9
parent 1798916bf9
1 changed files with 7 additions and 5 deletions
--- a/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java
+++ b/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java
@ -19,11 +19,13 @@ public class SqlFilter {

    // SQL注入过滤
    static final String SQL_KEYWORDS_PATTERN =
-            "(?i)(SELECT|FROM|WHERE|CONCAT|AND|OR|NOT|INSERT|UPDATE|DELETE|CREATE" +
-            "|TABLE|INDEX|VIEW|DROP|ALTER|COLUMN|ADD|SET|GROUP|BY" +
-            "|HAVING|ORDER|ASC|DESC|LIKE|IN|BETWEEN|IS|NULL|TRUE|FALSE" +
-            "|JOIN|LEFT|RIGHT|INNER|OUTER|FULL|ON|AS|DISTINCT|COUNT" +
-            "|MAX|MIN|SUM|AVG|IF|RAND|UPDATEXML|EXTRACTVALUE|LOAD_FILE|SLEEP|OFFSET)";
+            "(?i)(SELECT|FROM|WHERE|CONCAT|AND|NOT|INSERT|UPDATE|DELETE" +
+                    "|TABLE|INDEX|VIEW|DROP|ALTER|COLUMN|ADD|SET|GROUP|BY" +
+                    "|HAVING|ORDER|ASC|DESC|LIKE|IN|BETWEEN|IS|NULL|TRUE|FALSE" +
+                    "|JOIN|LEFT|RIGHT|INNER|OUTER|FULL|ON|AS|DISTINCT|COUNT" +
+                    "|MAX|MIN|SUM|AVG|IF|RAND|UPDATEXML|EXTRACTVALUE|LOAD_FILE|SLEEP|OFFSET)";
+    // OR 影响排序字段 sort，所以暂时不过滤
+    // CREATE 影响常用排序字段， CREATE_TIME，所以暂时不过滤
    static final Pattern keywordPattern = Pattern.compile(SQL_KEYWORDS_PATTERN, Pattern.CASE_INSENSITIVE);