orderBy兼容

2025-07-11 00:02:22 +08:00 · 2023-03-28 18:36:40 +08:00 · 2023-03-28 18:36:40 +08:00 · 1bdb91325a
commit 1bdb91325a
parent dfa9baea93
2 changed files with 62 additions and 2 deletions
--- a/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJSqlInjectionUtils.java
+++ b/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJSqlInjectionUtils.java
@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2011-2022, baomidou (jobob@qq.com).
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.github.yulichang.toolkit;
+
+import java.util.Objects;
+import java.util.regex.Pattern;
+
+/**
+ * SQL 注入验证工具类
+ *
+ * @author hubin
+ * @since 2021-08-15
+ */
+@SuppressWarnings("all")
+public class MPJSqlInjectionUtils {
+    /**
+     * SQL语法检查正则：符合两个关键字（有先后顺序）才算匹配
+     */
+    private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" +
+        "\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)", Pattern.CASE_INSENSITIVE);
+    /**
+     * 使用'、;或注释截断SQL检查正则
+     */
+    private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/*|;)", Pattern.CASE_INSENSITIVE);
+
+    /**
+     * 检查参数是否存在 SQL 注入
+     *
+     * @param value 检查参数
+     * @return true 非法 false 合法
+     */
+    public static boolean check(String value) {
+        Objects.requireNonNull(value);
+        // 处理是否包含SQL注释字符 || 检查是否包含SQL注入敏感字符
+        return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find();
+    }
+
+    /**
+     * 刪除字段转义符单引号双引号
+     *
+     * @param text 待处理字段
+     * @return
+     */
+    public static String removeEscapeCharacter(String text) {
+        Objects.nonNull(text);
+        return text.replaceAll("\"", "").replaceAll("'", "");
+    }
+}
--- a/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJStringUtils.java
+++ b/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJStringUtils.java
@ -17,7 +17,6 @@ package com.github.yulichang.toolkit;

 import com.baomidou.mybatisplus.core.toolkit.ArrayUtils;
 import com.baomidou.mybatisplus.core.toolkit.StringPool;
-import com.baomidou.mybatisplus.core.toolkit.sql.SqlInjectionUtils;
 import com.baomidou.mybatisplus.core.toolkit.sql.StringEscape;
 import com.baomidou.mybatisplus.core.toolkit.support.BiIntFunction;

@ -595,7 +594,7 @@ public final class MPJStringUtils {
     * @param str 字符串
     */
    public static String sqlInjectionReplaceBlank(String str) {
-        if (SqlInjectionUtils.check(str)) {
+        if (MPJSqlInjectionUtils.check(str)) {
            /**
             * 过滤sql黑名单字符，存在 SQL 注入，去除空白内容
             */