From 03864ca1a9002472872ecf2d39e97c448dc679e9 Mon Sep 17 00:00:00 2001 From: Chopper711 Date: Thu, 24 Aug 2023 15:49:14 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20=E9=83=A8=E5=88=86sql=E8=BF=87=E6=BB=A4?= =?UTF-8?q?=E4=BC=9A=E5=AF=BC=E8=87=B4=E4=B8=80=E4=BA=9B=E9=97=AE=E9=A2=98?= =?UTF-8?q?=E5=A4=84=E7=90=86=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../java/cn/lili/modules/search/utils/SqlFilter.java | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java b/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java index 3b266357..5b88478e 100644 --- a/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java +++ b/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java @@ -19,11 +19,13 @@ public class SqlFilter { // SQL注入过滤 static final String SQL_KEYWORDS_PATTERN = - "(?i)(SELECT|FROM|WHERE|CONCAT|AND|OR|NOT|INSERT|UPDATE|DELETE|CREATE" + - "|TABLE|INDEX|VIEW|DROP|ALTER|COLUMN|ADD|SET|GROUP|BY" + - "|HAVING|ORDER|ASC|DESC|LIKE|IN|BETWEEN|IS|NULL|TRUE|FALSE" + - "|JOIN|LEFT|RIGHT|INNER|OUTER|FULL|ON|AS|DISTINCT|COUNT" + - "|MAX|MIN|SUM|AVG|IF|RAND|UPDATEXML|EXTRACTVALUE|LOAD_FILE|SLEEP|OFFSET)"; + "(?i)(SELECT|FROM|WHERE|CONCAT|AND|NOT|INSERT|UPDATE|DELETE" + + "|TABLE|INDEX|VIEW|DROP|ALTER|COLUMN|ADD|SET|GROUP|BY" + + "|HAVING|ORDER|ASC|DESC|LIKE|IN|BETWEEN|IS|NULL|TRUE|FALSE" + + "|JOIN|LEFT|RIGHT|INNER|OUTER|FULL|ON|AS|DISTINCT|COUNT" + + "|MAX|MIN|SUM|AVG|IF|RAND|UPDATEXML|EXTRACTVALUE|LOAD_FILE|SLEEP|OFFSET)"; + // OR 影响排序字段 sort,所以暂时不过滤 + // CREATE 影响常用排序字段, CREATE_TIME,所以暂时不过滤 static final Pattern keywordPattern = Pattern.compile(SQL_KEYWORDS_PATTERN, Pattern.CASE_INSENSITIVE);