improvement：调优sql关键词过滤方法

2023-08-16 16:37:58 +08:00 · 2023-08-16 16:37:58 +08:00 · a62db61221
commit a62db61221
parent 8104947aec
1 changed files with 18 additions and 32 deletions
--- a/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java
+++ b/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java
@ -1,8 +1,9 @@
 package cn.lili.modules.search.utils;

-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
+import cn.lili.common.utils.StringUtils;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;

 /**
 * sql 关键字过滤
@ -15,13 +16,15 @@ import java.util.Set;

 public class SqlFilter {

-    private static final Set<String> SQL_KEYWORDS = new HashSet<>(Arrays.asList(
-            "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "UPDATE", "DELETE", "CREATE",
-            "TABLE", "INDEX", "VIEW", "DROP", "ALTER", "COLUMN", "ADD", "SET", "GROUP", "BY",
-            "HAVING", "ORDER", "ASC", "DESC", "LIKE", "IN", "BETWEEN", "IS", "NULL", "TRUE", "FALSE",
-            "JOIN", "LEFT", "RIGHT", "INNER", "OUTER", "FULL", "ON", "AS", "DISTINCT", "COUNT",
-            "MAX", "MIN", "SUM", "AVG", "IF", "RAND", "UPDATEXML", "EXTRACTVALUE", "LOAD_FILE", "SLEEP","OFFSET"
-    ));
+
+    // SQL注入过滤
+    static final String SQL_KEYWORDS_PATTERN =
+            "(?i)(SELECT|FROM|WHERE|CONCAT|AND|OR|NOT|INSERT|UPDATE|DELETE|CREATE" +
+            "|TABLE|INDEX|VIEW|DROP|ALTER|COLUMN|ADD|SET|GROUP|BY" +
+            "|HAVING|ORDER|ASC|DESC|LIKE|IN|BETWEEN|IS|NULL|TRUE|FALSE" +
+            "|JOIN|LEFT|RIGHT|INNER|OUTER|FULL|ON|AS|DISTINCT|COUNT" +
+            "|MAX|MIN|SUM|AVG|IF|RAND|UPDATEXML|EXTRACTVALUE|LOAD_FILE|SLEEP|OFFSET)";
+    static final Pattern keywordPattern = Pattern.compile(SQL_KEYWORDS_PATTERN, Pattern.CASE_INSENSITIVE);


    /**
@ -31,29 +34,12 @@ public class SqlFilter {
     * @return
     */
    public static Boolean hit(String sql) {
-        String[] tokens = sql.split("\\s+");
-        for (String token : tokens) {
-            if (!SQL_KEYWORDS.contains(token.toUpperCase())) {
-                return true;
-            }
+        if (StringUtils.isEmpty(sql)) {
+            return false;
        }
-        return false;
+        Matcher matcher = keywordPattern.matcher(sql);
+        return matcher.find();
    }

-    /**
-     * 关键字替换
-     *
-     * @param sql
-     * @return
-     */
-    public static String filterSql(String sql) {
-        String[] tokens = sql.split("\\s+");
-        StringBuilder filteredSql = new StringBuilder();
-        for (String token : tokens) {
-            if (!SQL_KEYWORDS.contains(token.toUpperCase())) {
-                filteredSql.append(token).append(" ");
-            }
-        }
-        return filteredSql.toString().trim();
-    }
+
 }