
修复sql注入漏洞

qushutong 2 years ago
parent
commit
68b716d735
  1. 8
      esua-epdc/epdc-module/epdc-content-security/epdc-content-security-server/src/main/resources/mapper/CheckRecordsDao.xml
  2. 8
      esua-epdc/epdc-module/epdc-content-security/epdc-content-security-server/src/main/resources/mapper/ViolationsRecordsDao.xml
  3. 24
      esua-epdc/epdc-module/epdc-events/epdc-events-server/src/main/resources/mapper/item/ItemDao.xml

8
esua-epdc/epdc-module/epdc-content-security/epdc-content-security-server/src/main/resources/mapper/CheckRecordsDao.xml

@ -47,7 +47,7 @@
left join epdc_check_code st on ecr.SUGGESTION=st.`CODE`
where ecr.DEL_FLAG=0
<if test="name != null and name != ''">
and ecr.name like '%${name}%'
and ecr.name like CONCAT('%', #{name}, '%')
</if>
<if test="category != null and category != ''">
and ecr.CATEGORY = #{category}
@ -56,16 +56,16 @@
<!-- and evr.DECISION = #{decision}-->
<!-- </if>-->
<if test="content != null and content != ''">
and ecr.CONTENT like '%${content}%'
and ecr.CONTENT like CONCAT('%', #{content}, '%')
</if>
<if test="module != null and module != ''">
and mo.DESCRIPTION like '%${module}%'
and mo.DESCRIPTION like CONCAT('%', #{module}, '%')
</if>
<if test="systemStatus != null and systemStatus != ''">
and ecr.SYSTEM = #{systemStatus}
</if>
<if test="mobile != null and mobile != ''">
and ecr.mobile like '%${mobile}%'
and ecr.mobile like CONCAT('%', #{namobileme}, '%')
</if>
<if test="suggestion != null and suggestion != ''">
and ecr.SUGGESTION = #{suggestion}
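Review bot: The rewritten mobile filter in this section binds `#{namobileme}` while the enclosing `<if test="mobile != null and mobile != ''">` checks `mobile`, so the placeholder name no longer matches any parameter; with a bean parameter MyBatis would most likely fail at runtime with a "no getter for property" error the first time a caller supplies a mobile filter, and with a map parameter it would silently bind NULL and the filter would match nothing. The line should read `and ecr.mobile like CONCAT('%', #{mobile}, '%')`, which is also what the sibling ViolationsRecordsDao.xml change does. The `<select>` this hunk belongs to starts and ends outside the hunk.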

8
esua-epdc/epdc-module/epdc-content-security/epdc-content-security-server/src/main/resources/mapper/ViolationsRecordsDao.xml

@ -43,7 +43,7 @@
left join epdc_check_code la on evr.LABEL=la.`CODE`
where evr.DEL_FLAG=0
<if test="name != null and name != ''">
and evr.name like '%${name}%'
and evr.name like CONCAT('%', #{name}, '%')
</if>
<if test="category != null and category != ''">
and evr.CATEGORY = #{category}
@ -52,13 +52,13 @@
and evr.DECISION = #{decision}
</if>
<if test="content != null and content != ''">
and evr.CONTENT like '%${content}%'
and evr.CONTENT like CONCAT('%', #{content}, '%')
</if>
<if test="module != null and module != ''">
and mo.DESCRIPTION like '%${module}%'
and mo.DESCRIPTION like CONCAT('%', #{module}, '%')
</if>
<if test="mobile != null and mobile != ''">
and evr.mobile like '%${mobile}%'
and evr.mobile like CONCAT('%', #{mobile}, '%')
</if>
<if test="startTime != null and startTime != '' and endTime != null and endTime != ''">
AND DATE_FORMAT( evr.CREATED_TIME, '%Y-%m-%d' ) BETWEEN #{startTime} AND #{endTime}
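Review bot: The four predicates rewritten to `like CONCAT('%', #{…}, '%')` bind the value as data, which closes the injection, but the bound text is still interpreted as a LIKE pattern, so a caller can pass `%` or `_` to widen the match (a bare `%` matches every row). If that is not intended for fields like `mobile`, escape `%`, `_` and `\` in the caller before binding, or record the behaviour next to the filter: `<!-- #{mobile} is a LIKE pattern: % and _ in the input act as wildcards -->`. The `<select>` containing these hunks starts and ends outside the visible section.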

24
esua-epdc/epdc-module/epdc-events/epdc-events-server/src/main/resources/mapper/item/ItemDao.xml

@ -729,7 +729,7 @@
AND item.PEOPLE_FLAG = #{peopleFlag}
</if>
<if test="serialNum != null and serialNum != ''">
and item.SERIAL_NUM like '%${serialNum}%'
and item.SERIAL_NUM like CONCAT('%', #{serialNum}, '%')
</if>
<if test="itemState != null and itemState != ''">
AND item.ITEM_STATE = #{itemState}
@ -2095,7 +2095,7 @@
AND t1.MOBILE like concat('%', #{mobile}, '%')
</if>
<if test="serialNum != null and serialNum != ''">
and t1.SERIAL_NUM like '%${serialNum}%'
and t1.SERIAL_NUM like CONCAT('%', #{serialNum}, '%')
</if>
<if test="appealSource != null and appealSource != ''">
and t1.APPEAL_SOURCE = #{appealSource}
@ -2250,10 +2250,10 @@
and i.NICK_NAME = #{nickName}
</if>
<if test="itemContent != null and itemContent != ''">
and i.ITEM_CONTENT like '%${itemContent}%'
and i.ITEM_CONTENT like CONCAT('%', #{itemContent}, '%')
</if>
<if test="serialNum != null and serialNum != ''">
and i.SERIAL_NUM like '%${serialNum}%'
and i.SERIAL_NUM like CONCAT('%', #{serialNum}, '%')
</if>
<if test="evaluationScore != null and evaluationScore != ''">
and i.EVALUATION_SCORE = #{evaluationScore}
@ -2369,10 +2369,10 @@
and i.NICK_NAME = #{nickName}
</if>
<if test="itemContent != null and itemContent != ''">
and i.ITEM_CONTENT like '%${itemContent}%'
and i.ITEM_CONTENT like CONCAT('%', #{itemContent}, '%')
</if>
<if test="serialNum != null and serialNum != ''">
and i.SERIAL_NUM like '%${serialNum}%'
and i.SERIAL_NUM like CONCAT('%', #{serialNum}, '%')
</if>
<if test="evaluationScore != null and evaluationScore != ''">
and i.EVALUATION_SCORE = #{evaluationScore}
@ -2498,7 +2498,7 @@
AND item.MOBILE like concat('%', #{mobile}, '%')
</if>
<if test="serialNum != null and serialNum != ''">
and item.SERIAL_NUM like '%${serialNum}%'
and item.SERIAL_NUM like CONCAT('%', #{serialNum}, '%')
</if>
ORDER BY
item.CREATED_TIME DESC,
@ -2529,10 +2529,10 @@
and process.STATE=11
and process.CLOSE_CHECK_ID=#{deptId}
<if test="itemContent != null and itemContent != ''">
and i.ITEM_CONTENT like '%${itemContent}%'
and i.ITEM_CONTENT like CONCAT('%', #{itemContent}, '%')
</if>
<if test="userName != null and userName != ''">
and i.NICK_NAME like '%${userName}%'
and i.NICK_NAME like CONCAT('%', #{userName}, '%')
</if>
<if test="startTime != null and startTime != '' and endTime != null and endTime != ''">
AND DATE_FORMAT( i.CREATED_TIME, '%Y-%m-%d' ) BETWEEN #{startTime} AND #{endTime}
@ -2736,16 +2736,16 @@
AND i.item_state = '10'
</if>
<if test="serialNum != null and serialNum != ''">
and i.serial_num like '%${serialNum}%'
and i.serial_num like CONCAT('%', #{serialNum}, '%')
</if>
<if test="itemContent != null and itemContent != ''">
and i.item_content like '%${itemContent}%'
and i.item_content like CONCAT('%', #{itemContent}, '%')
</if>
<if test="mobile != null and mobile != ''">
and i.mobile = #{mobile}
</if>
<if test="nickName != null and nickName != ''">
and i.nick_name like '%${nickName}%'
and i.nick_name like CONCAT('%', #{nickName}, '%')
</if>
<if test="deptId != null and deptId != ''">
AND i.all_dept_ids LIKE concat('%', trim(#{deptId}), '%')
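Review bot: The new predicates write `CONCAT` in upper case while the lines this file already had (`AND t1.MOBILE like concat('%', #{mobile}, '%')`, `AND item.MOBILE like concat('%', #{mobile}, '%')`, `AND i.all_dept_ids LIKE concat('%', trim(#{deptId}), '%')`) use lower-case `concat`; keeping one spelling would make the mapper consistent, e.g. `and item.SERIAL_NUM like concat('%', #{serialNum}, '%')`. As in the other two mappers, `%` and `_` in the bound value still act as LIKE wildcards, which is worth a comment if the serial-number and nickname filters are exposed to end users. Since this mapper is over 2700 lines and only six hunks are shown, it would be worth confirming with a search for `${` that no other interpolations remain. The `<select>` around the last hunk continues past the end of the section.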
