center/dataease-dm
center/dataease-dm
13
0
Fork 0
forked from github/dataease
Code Pull Requests Activity

fix: sql注入排除减号

Browse Source
This commit is contained in:
junjie 2021-08-04 16:43:00 +08:00
parent 2f06f3720e
commit 05e9f8274e
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java
View File

@ -215,7 +215,7 @@ public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrappe
} }
public static boolean checkSqlInjection(Object obj){ public static boolean checkSqlInjection(Object obj){
Pattern pattern= Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+|\\-).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)" + Pattern pattern= Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)" +
"|(.*\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b.*)"); "|(.*\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b.*)");
Matcher matcher=pattern.matcher(obj.toString().toLowerCase()); Matcher matcher=pattern.matcher(obj.toString().toLowerCase());
return matcher.find(); return matcher.find();