improvement：调优sql关键词过滤方法

2023-08-16 16:37:58 +08:00 · 2023-08-16 16:37:58 +08:00 · a62db61221
commit a62db61221
parent 8104947aec
1 changed files with 18 additions and 32 deletions
--- a/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java
+++ b/framework/src/main/java/cn/lili/modules/search/utils/SqlFilter.java
@ -1,8 +1,9 @@
 package cn.lili.modules.search.utils;
-import java.util.Arrays;
+import cn.lili.common.utils.StringUtils;
-import java.util.HashSet;
+
-import java.util.Set;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 /**
 * sql 关键字过滤
@ -15,13 +16,15 @@ import java.util.Set;
 public class SqlFilter {
-    private static final Set<String> SQL_KEYWORDS = new HashSet<>(Arrays.asList(
+
-            "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "UPDATE", "DELETE", "CREATE",
+    // SQL注入过滤
-            "TABLE", "INDEX", "VIEW", "DROP", "ALTER", "COLUMN", "ADD", "SET", "GROUP", "BY",
+    static final String SQL_KEYWORDS_PATTERN =
-            "HAVING", "ORDER", "ASC", "DESC", "LIKE", "IN", "BETWEEN", "IS", "NULL", "TRUE", "FALSE",
+            "(?i)(SELECT|FROM|WHERE|CONCAT|AND|OR|NOT|INSERT|UPDATE|DELETE|CREATE" +
-            "JOIN", "LEFT", "RIGHT", "INNER", "OUTER", "FULL", "ON", "AS", "DISTINCT", "COUNT",
+            "|TABLE|INDEX|VIEW|DROP|ALTER|COLUMN|ADD|SET|GROUP|BY" +
-            "MAX", "MIN", "SUM", "AVG", "IF", "RAND", "UPDATEXML", "EXTRACTVALUE", "LOAD_FILE", "SLEEP","OFFSET"
+            "|HAVING|ORDER|ASC|DESC|LIKE|IN|BETWEEN|IS|NULL|TRUE|FALSE" +
-    ));
+            "|JOIN|LEFT|RIGHT|INNER|OUTER|FULL|ON|AS|DISTINCT|COUNT" +
            "|MAX|MIN|SUM|AVG|IF|RAND|UPDATEXML|EXTRACTVALUE|LOAD_FILE|SLEEP|OFFSET)";
    static final Pattern keywordPattern = Pattern.compile(SQL_KEYWORDS_PATTERN, Pattern.CASE_INSENSITIVE);
    /**
@ -31,29 +34,12 @@ public class SqlFilter {
     * @return
     */
    public static Boolean hit(String sql) {
-        String[] tokens = sql.split("\\s+");
+        if (StringUtils.isEmpty(sql)) {
-        for (String token : tokens) {
+            return false;
            if (!SQL_KEYWORDS.contains(token.toUpperCase())) {
                return true;
            }
        }
-        return false;
+        Matcher matcher = keywordPattern.matcher(sql);
        return matcher.find();
    }
-    /**
+
     * 关键字替换
     *
     * @param sql
     * @return
     */
    public static String filterSql(String sql) {
        String[] tokens = sql.split("\\s+");
        StringBuilder filteredSql = new StringBuilder();
        for (String token : tokens) {
            if (!SQL_KEYWORDS.contains(token.toUpperCase())) {
                filteredSql.append(token).append(" ");
            }
        }
        return filteredSql.toString().trim();
    }
 }