修复 国家信息安全漏洞共享平台(CNVD) 测试出的可能出现Sql 注入的问题

This commit is contained in:
stivepeim
2024-03-11 17:48:50 +08:00
parent 1bab07a1fb
commit 533ec84d35
3 changed files with 9 additions and 9 deletions


@@ -20,6 +20,6 @@
and u.brokerage_price >= #{min, jdbcType=DECIMAL}
</if>
GROUP BY u.uid
order by total_brokerage ${sort}
order by total_brokerage #{sort}
</select>
</mapper>
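Review bot: `order by total_brokerage #{sort}` on the new side binds the sort direction as a string parameter, so what reaches MySQL is `ORDER BY total_brokerage 'desc'` — a quoted literal rather than the ASC/DESC keyword — and the requested ordering is either rejected as a syntax error or silently lost; `#{}` can only bind values, never keywords or identifiers, so it is not a drop-in replacement for `${}` here. Keep the direction out of the bind path and map it from a fixed set instead, e.g. `ORDER BY total_brokerage <choose><when test="sort != null and sort.toLowerCase() == 'desc'">DESC</when><otherwise>ASC</otherwise></choose>`, which is injection-safe because the caller's string is never copied into the statement. The enclosing `<select>` starts outside the hunk.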


@@ -3,7 +3,7 @@
<mapper namespace="com.zbkj.service.dao.SystemStoreDao">
<select id="getNearList" resultType="com.zbkj.common.vo.SystemStoreNearVo" parameterType="com.zbkj.common.request.StoreNearRequest">
SELECT *, (round(6367000 * 2 * asin(sqrt(pow(sin(((latitude * pi()) / 180 - (${latitude} * pi()) / 180) / 2), 2) + cos((${latitude} * pi()) / 180) * cos((latitude * pi()) / 180) * pow(sin(((longitude * pi()) / 180 - (${longitude} * pi()) / 180) / 2), 2))))) AS distance
SELECT *, (round(6367000 * 2 * asin(sqrt(pow(sin(((latitude * pi()) / 180 - (#{latitude} * pi()) / 180) / 2), 2) + cos((#{latitude} * pi()) / 180) * cos((latitude * pi()) / 180) * pow(sin(((longitude * pi()) / 180 - (#{longitude} * pi()) / 180) / 2), 2))))) AS distance
FROM eb_system_store WHERE is_show = 1 and is_del = 0
ORDER BY distance asc
</select>
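Review bot: The `#{latitude}` and `#{longitude}` binds on the new side carry no `jdbcType`, unlike `#{min, jdbcType=DECIMAL}` in the other mapper this commit touches; if StoreNearRequest (not visible here) holds them as strings, MySQL will coerce each bound string to a number inside the trig expression, and a null value bound without a jdbcType is a known MyBatis failure on some JDBC drivers. Consider `#{latitude, jdbcType=DOUBLE}` and `#{longitude, jdbcType=DOUBLE}` (or numeric fields on the request) so the parameter type is explicit and consistent with the rest of the change. Switching these from `${}` to `#{}` is otherwise correct, since they are used purely as values in arithmetic.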


@@ -11,7 +11,7 @@
<if test="keywords != '' and keywords != null ">
and ( u.real_name like #{keywords, jdbcType=VARCHAR} or u.nickname like #{keywords, jdbcType=VARCHAR})
</if>
ORDER BY ${sortKey} ${sortValue}
ORDER BY #{sortKey} #{sortValue}
</select>
<select id="findAdminList" resultType="com.zbkj.common.model.user.User" parameterType="Map">
@@ -24,32 +24,32 @@
</if>
where 1 = 1
<if test="isPromoter != null and isPromoter !='' or isPromoter == 0 ">
and u.is_promoter = ${isPromoter}
and u.is_promoter = #{isPromoter}
</if>
<if test="groupId != null and groupId !='' ">
and u.group_id in (${groupId})
and u.group_id in (#{groupId})
</if>
<if test="tagIdSql != null and tagIdSql !='' ">
and ${tagIdSql}
</if>
<if test="level != null and level !='' ">
and u.level in (${level})
and u.level in (#{level})
</if>
<if test="sex != null and sex !='' or sex == 0">
and u.sex = ${sex}
and u.sex = #{sex}
</if>
<if test="country != null and country !='' ">
and u.country = #{country}
</if>
<if test="addres != null and addres !='' ">
and u.addres like '%${addres}'
and u.addres like concat('%',#{addres}, '%')
</if>
<if test="payCount != null and payCount !='' or payCount == 0 ">
<if test="payCount &lt;= 0">
and u.pay_count = 0
</if>
<if test="payCount > 0">
and u.pay_count >= ${payCount}
and u.pay_count >= #{payCount}
</if>
</if>
<if test="status != null and status !='' or status == 0 ">
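Review bot: `and u.group_id in (#{groupId})` and `and u.level in (#{level})` on the new side bind the whole value as one parameter, so if the caller still passes a comma-separated list such as `1,2,3` (which the old `in (${groupId})` implies) the query becomes `in ('1,2,3')` and compares against that single string (MySQL truncates it to `1` when the column is numeric) instead of matching three groups; the list must be expanded with `<foreach>` so each element is bound separately. `and ${tagIdSql}` a few lines below is still raw SQL text spliced into the statement and is untouched by this commit — unless the caller builds it from trusted constants only (not visible here), it is the same class of injection the commit sets out to fix and should become a bound condition. The same `#{}`-for-keyword problem appears in `ORDER BY #{sortKey} #{sortValue}` in the first hunk of this file, where both values need a whitelist of column names and ASC/DESC rather than a bind. The enclosing `<select id="findAdminList">` ends outside the hunk.
```xml
<if test="groupId != null and groupId != ''">
    and u.group_id in
    <foreach collection="groupId.split(',')" item="gid" open="(" separator="," close=")">
        #{gid}
    </foreach>
</if>
<!-- … unchanged: tagIdSql condition … -->
<if test="level != null and level != ''">
    and u.level in
    <foreach collection="level.split(',')" item="lv" open="(" separator="," close=")">
        #{lv}
    </foreach>
</if>
<!-- … unchanged: sex, country, addres, payCount conditions … -->
```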