From 2e2cc04f5c22f0c9bfeb3447cf24978f3b42d4b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=A3=E5=9C=A3=E5=8D=8E?= <752718920@qq.com>
Date: Mon, 18 Oct 2021 23:51:18 +0800
Subject: [PATCH] =?UTF-8?q?=E6=8E=92=E5=BA=8F=E4=BC=98=E5=8C=96=EF=BC=8C?= =?UTF-8?q?=E9=98=B2sql=E6=B3=A8=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../jsh/erp/controller/MaterialController.java | 2 +-
 .../main/java/com/jsh/erp/utils/StringUtil.java | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java b/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java
index 6010c23c..d2715bdf 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java
@@ -559,7 +559,7 @@ public class MaterialController {
 idList = materialService.getListByParentId(categoryId);
 }
 List dataList = materialService.getListWithStock(depotId, idList, StringUtil.toNull(materialParam),
- column, order, (currentPage-1)*pageSize, pageSize);
+ StringUtil.safeSqlParse(column), StringUtil.safeSqlParse(order), (currentPage-1)*pageSize, pageSize);
 int total = materialService.getListWithStockCount(depotId, idList, StringUtil.toNull(materialParam));
 MaterialVo4Unit materialVo4Unit= materialService.getTotalStockAndPrice(depotId, idList, StringUtil.toNull(materialParam));
 map.put("total", total);
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java b/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java
index cbf96963..07574542 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java
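Review bot: `column` and `order` are sort inputs that, judging by the paging arguments passed beside them, presumably end up interpolated into an ORDER BY clause, and stripping keywords out of them is a weaker defence than validating them; the same concern applies to the `regex` constant and `safeSqlParse` hunks in StringUtil.java. A sort column can only be one of a known set and a direction only `asc` or `desc`, so check against an allow-list before the service call, e.g. `if (column != null && !ALLOWED_SORT_COLUMNS.contains(column)) { throw new IllegalArgumentException("unsupported sort column"); }` with a matching check for `order`, where `ALLOWED_SORT_COLUMNS` is a new `Set<String>` of the sortable column names. Note also that `safeSqlParse` as added calls `replaceAll` on its argument directly, so a null `column` or `order`, which previously flowed through unchanged on the removed line, now ends in a NullPointerException at this call. The enclosing controller method starts and ends outside the hunk.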
@@ -19,6 +19,13 @@ public class StringUtil {
 private static String DEFAULT_FORMAT = "yyyy-MM-dd HH:mm:ss";
+ public final static String regex = "'|#|%|;|--| and | and|and | or | or|or | not | not|not " +
+ "| use | use|use | insert | insert|insert | delete | delete|delete | update | update|update " +
+ "| select | select|select | count | count|count | group | group|group | union | union|union " +
+ "| create | create|create | drop | drop|drop | truncate | truncate|truncate | alter | alter|alter " +
+ "| grant | grant|grant | execute | execute|execute | exec | exec|exec | xp_cmdshell | xp_cmdshell|xp_cmdshell " +
+ "| call | call|call | declare | declare|declare | source | source|source | sql | sql|sql ";
+
 public static String filterNull(String str) {
 if (str == null) {
 return "";
@@ -266,6 +273,15 @@ public class StringUtil {
 }
 }
+ /**
+ * sql注入过滤,保障sql的安全执行
+ * @param originStr
+ * @return
+ */
+ public static String safeSqlParse(String originStr){
+ return originStr.replaceAll("(?i)" + regex, "");
+ }
+
 public static void main(String[] args) {
 int i = 10/3;
 System.out.println(i);
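Review bot: `public final static String regex` on the first added line of this hunk is a public, lowercase-named constant that nothing in the diff reads except `safeSqlParse`; make it `private static final String SQL_KEYWORD_REGEX` so the pattern is not part of the class's API and follows the constant naming convention. The alternation is also broader than a sort parameter needs: it removes `%`, `#` and every space-delimited ` and `, ` or `, ` not `, ` count ` or ` group ` from whatever string is passed, so applying it to free-text values rather than column names would silently corrupt them, which is worth a comment on the constant. If whole-word matching is the intent, a `\\b(...)\\b` group (with the keyword list in place of `...`) is clearer than the three space-padded variants per keyword, and compiling it with `Pattern.CASE_INSENSITIVE` makes the `(?i)` prefix added at the call site unnecessary.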
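Review bot: `safeSqlParse` dereferences `originStr` with no null check, so a caller passing an absent parameter now gets a NullPointerException instead of the null that flowed through before (the MaterialController hunk in this commit passes `column` and `order` straight in). It also re-parses the pattern on every call, because `"(?i)" + regex` goes through `String.replaceAll`; compile it once as a `static final Pattern`, which needs a `java.util.regex.Pattern` import. Removing matched fragments rather than rejecting the input is fragile in itself, since one removal pass does not guarantee the result is free of the listed tokens, so the method should be documented as defence in depth only and callers should validate sort columns against an allow-list. The Javadoc's `@param` and `@return` are empty and the summary is in Chinese; the rewrite below carries English Javadoc that states the null contract.
```java
private static final Pattern SQL_KEYWORD_PATTERN = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);

/**
 * Removes the SQL keywords and meta-characters listed in {@link #regex}, case-insensitively.
 * Defence in depth only: callers must still validate sort columns and directions against an allow-list.
 *
 * @param originStr raw value, may be null
 * @return the filtered value, or null when {@code originStr} is null
 */
public static String safeSqlParse(String originStr) {
    if (originStr == null) {
        return null;
    }
    return SQL_KEYWORD_PATTERN.matcher(originStr).replaceAll("");
}
// … unchanged: main …
```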