修复国家信息安全漏洞共享平台(CNVD) 测试出的可能出现Sql 注入的问题

2024-03-11 17:48:50 +08:00
parent 1bab07a1fb
commit 533ec84d35
3 changed files with 9 additions and 9 deletions
--- a/crmeb/crmeb-service/src/main/resources/mapper/finance/UserFundsMonitorMapper.xml
+++ b/crmeb/crmeb-service/src/main/resources/mapper/finance/UserFundsMonitorMapper.xml
@@ -20,6 +20,6 @@
                and  u.brokerage_price >= #{min, jdbcType=DECIMAL}
            </if>
         GROUP  BY u.uid
-         order by total_brokerage ${sort}
+         order by total_brokerage #{sort}
    </select>
 </mapper>
--- a/crmeb/crmeb-service/src/main/resources/mapper/system/SystemStoreMapper.xml
+++ b/crmeb/crmeb-service/src/main/resources/mapper/system/SystemStoreMapper.xml
@@ -3,7 +3,7 @@
 <mapper namespace="com.zbkj.service.dao.SystemStoreDao">
    <select id="getNearList" resultType="com.zbkj.common.vo.SystemStoreNearVo" parameterType="com.zbkj.common.request.StoreNearRequest">
-        SELECT *, (round(6367000 * 2 * asin(sqrt(pow(sin(((latitude * pi()) / 180 - (${latitude} * pi()) / 180) / 2), 2) + cos((${latitude} * pi()) / 180) * cos((latitude * pi()) / 180) * pow(sin(((longitude * pi()) / 180 - (${longitude} * pi()) / 180) / 2), 2))))) AS distance
+        SELECT *, (round(6367000 * 2 * asin(sqrt(pow(sin(((latitude * pi()) / 180 - (#{latitude} * pi()) / 180) / 2), 2) + cos((#{latitude} * pi()) / 180) * cos((latitude * pi()) / 180) * pow(sin(((longitude * pi()) / 180 - (#{longitude} * pi()) / 180) / 2), 2))))) AS distance
        FROM eb_system_store WHERE is_show = 1 and is_del = 0
         ORDER BY distance asc
    </select>
--- a/crmeb/crmeb-service/src/main/resources/mapper/user/UserMapper.xml
+++ b/crmeb/crmeb-service/src/main/resources/mapper/user/UserMapper.xml
@@ -11,7 +11,7 @@
        <if test="keywords != '' and keywords != null ">
            and ( u.real_name like #{keywords, jdbcType=VARCHAR} or u.nickname like #{keywords, jdbcType=VARCHAR})
        </if>
-        ORDER BY ${sortKey} ${sortValue}
+        ORDER BY #{sortKey} #{sortValue}
    </select>
    <select id="findAdminList" resultType="com.zbkj.common.model.user.User" parameterType="Map">
@@ -24,32 +24,32 @@
        </if>
        where 1 = 1
        <if test="isPromoter != null and isPromoter !='' or isPromoter == 0 ">
-            and u.is_promoter = ${isPromoter}
+            and u.is_promoter = #{isPromoter}
        </if>
        <if test="groupId != null and groupId !='' ">
-            and u.group_id in (${groupId})
+            and u.group_id in (#{groupId})
        </if>
         <if test="tagIdSql != null and tagIdSql !='' ">
            and ${tagIdSql}
        </if>
        <if test="level != null and level !='' ">
-            and u.level in (${level})
+            and u.level in (#{level})
        </if>
        <if test="sex != null and sex !='' or sex == 0">
-            and u.sex = ${sex}
+            and u.sex = #{sex}
        </if>
        <if test="country != null and country !='' ">
            and u.country = #{country}
        </if>
        <if test="addres != null and addres !='' ">
-            and u.addres like '%${addres}'
+            and u.addres like concat('%',#{addres}, '%')
        </if>
        <if test="payCount != null and payCount !='' or payCount == 0 ">
            <if test="payCount &lt;= 0">
                and u.pay_count = 0
            </if>
            <if test="payCount > 0">
-                and u.pay_count >= ${payCount}
+                and u.pay_count >= #{payCount}
            </if>
        </if>
        <if test="status != null and status !='' or status == 0 ">