为排序字段添加白名单验证

2026-01-30 11:44:08 +08:00
parent b8758fb3f2
commit 1065be3c47
1 changed files with 7 additions and 2 deletions
--- a/jshERP-boot/src/main/resources/mapper_xml/DepotHeadMapperEx.xml
+++ b/jshERP-boot/src/main/resources/mapper_xml/DepotHeadMapperEx.xml
@@ -276,7 +276,12 @@
            order by oper_time desc,number desc
        </if>
        <if test="column != 'createTime'">
-            order by ${column} ${order}
+            <if test="column == 'barCode' or column == 'operNumber' or column == 'unitPrice' or column == 'allPrice' or column == 'taxMoney'">
+                order by ${column}
+                <if test="order == 'asc' or order == 'desc'">
+                    ${order}
+                </if>
+            </if>
        </if>
        <if test="offset != null and rows != null">
            limit #{offset},#{rows}