检查字符，防止注入绕过

2019-02-28 13:03:02 +08:00
parent 9c50dd8c2d
commit 8a37d2ae24
3 changed files with 21 additions and 12 deletions
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
@@ -10,15 +10,27 @@ import com.ruoyi.common.utils.StringUtils;
 public class SqlUtil
 {
    /**
-     * 防止sql注入 替换危险字符
+     * 仅支持字母、数字、下划线、空格、逗号（支持多个字段排序）
     */
-    public static String escapeSql(String value)
+    public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,]+";
+
+    /**
+     * 检查字符，防止注入绕过
+     */
+    public static String escapeOrderBySql(String value)
    {
-        if (StringUtils.isNotEmpty(value))
+        if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value))
        {
-            value = value.replaceAll("\\(", "");
-            value = value.replaceAll("\\)", "");
+            return StringUtils.EMPTY;
        }
        return value;
    }
+
+    /**
+     * 验证 order by 语法是否符合规范
+     */
+    public static boolean isValidOrderBySql(String value)
+    {
+        return value.matches(SQL_PATTERN);
+    }
 }