Java Code Examples for org.jeecg.common.util.SqlInjectionUtil#filterContent()

The following examples show how to use org.jeecg.common.util.SqlInjectionUtil#filterContent() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: QueryGenerator.java    From jeecg-cloud with Apache License 2.0 6 votes vote down vote up
public static void doMultiFieldsOrder(QueryWrapper<?> queryWrapper,Map<String, String[]> parameterMap) {
	String column=null,order=null;
	if(parameterMap!=null&& parameterMap.containsKey(ORDER_COLUMN)) {
		column = parameterMap.get(ORDER_COLUMN)[0];
	}
	if(parameterMap!=null&& parameterMap.containsKey(ORDER_TYPE)) {
		order = parameterMap.get(ORDER_TYPE)[0];
	}
	log.debug("排序规则>>列:"+column+",排序方式:"+order);
	if (oConvertUtils.isNotEmpty(column) && oConvertUtils.isNotEmpty(order)) {
		//字典字段,去掉字典翻译文本后缀
		if(column.endsWith(CommonConstant.DICT_TEXT_SUFFIX)) {
			column = column.substring(0, column.lastIndexOf(CommonConstant.DICT_TEXT_SUFFIX));
		}
		//SQL注入check
		SqlInjectionUtil.filterContent(column); 
		
		if (order.toUpperCase().indexOf(ORDER_TYPE_ASC)>=0) {
			queryWrapper.orderByAsc(oConvertUtils.camelToUnderline(column));
		} else {
			queryWrapper.orderByDesc(oConvertUtils.camelToUnderline(column));
		}
	}
}
 
Example 2
Source File: QueryGenerator.java    From jeecg-boot-with-activiti with MIT License 6 votes vote down vote up
public static void doMultiFieldsOrder(QueryWrapper<?> queryWrapper,Map<String, String[]> parameterMap) {
	String column=null,order=null;
	if(parameterMap!=null&& parameterMap.containsKey(ORDER_COLUMN)) {
		column = parameterMap.get(ORDER_COLUMN)[0];
	}
	if(parameterMap!=null&& parameterMap.containsKey(ORDER_TYPE)) {
		order = parameterMap.get(ORDER_TYPE)[0];
	}
	log.debug("排序规则>>列:"+column+",排序方式:"+order);
	if (oConvertUtils.isNotEmpty(column) && oConvertUtils.isNotEmpty(order)) {
		//字典字段,去掉字典翻译文本后缀
		if(column.endsWith(CommonConstant.DICT_TEXT_SUFFIX)) {
			column = column.substring(0, column.lastIndexOf(CommonConstant.DICT_TEXT_SUFFIX));
		}
		//SQL注入check
		SqlInjectionUtil.filterContent(column); 
		
		if (order.toUpperCase().indexOf(ORDER_TYPE_ASC)>=0) {
			queryWrapper.orderByAsc(oConvertUtils.camelToUnderline(column));
		} else {
			queryWrapper.orderByDesc(oConvertUtils.camelToUnderline(column));
		}
	}
}
 
Example 3
Source File: QueryGenerator.java    From teaching with Apache License 2.0 6 votes vote down vote up
public static void doMultiFieldsOrder(QueryWrapper<?> queryWrapper,Map<String, String[]> parameterMap) {
	String column=null,order=null;
	if(parameterMap!=null&& parameterMap.containsKey(ORDER_COLUMN)) {
		column = parameterMap.get(ORDER_COLUMN)[0];
	}
	if(parameterMap!=null&& parameterMap.containsKey(ORDER_TYPE)) {
		order = parameterMap.get(ORDER_TYPE)[0];
	}
	log.debug("排序规则>>列:"+column+",排序方式:"+order);
	if (oConvertUtils.isNotEmpty(column) && oConvertUtils.isNotEmpty(order)) {
		//字典字段,去掉字典翻译文本后缀
		if(column.endsWith(CommonConstant.DICT_TEXT_SUFFIX)) {
			column = column.substring(0, column.lastIndexOf(CommonConstant.DICT_TEXT_SUFFIX));
		}
		//SQL注入check
		SqlInjectionUtil.filterContent(column); 
		
		if (order.toUpperCase().indexOf(ORDER_TYPE_ASC)>=0) {
			queryWrapper.orderByAsc(oConvertUtils.camelToUnderline(column));
		} else {
			queryWrapper.orderByDesc(oConvertUtils.camelToUnderline(column));
		}
	}
}
 
Example 4
Source File: QueryGenerator.java    From jeecg-boot with Apache License 2.0 6 votes vote down vote up
public static void doMultiFieldsOrder(QueryWrapper<?> queryWrapper,Map<String, String[]> parameterMap) {
	String column=null,order=null;
	if(parameterMap!=null&& parameterMap.containsKey(ORDER_COLUMN)) {
		column = parameterMap.get(ORDER_COLUMN)[0];
	}
	if(parameterMap!=null&& parameterMap.containsKey(ORDER_TYPE)) {
		order = parameterMap.get(ORDER_TYPE)[0];
	}
	log.debug("排序规则>>列:"+column+",排序方式:"+order);
	if (oConvertUtils.isNotEmpty(column) && oConvertUtils.isNotEmpty(order)) {
		//字典字段,去掉字典翻译文本后缀
		if(column.endsWith(CommonConstant.DICT_TEXT_SUFFIX)) {
			column = column.substring(0, column.lastIndexOf(CommonConstant.DICT_TEXT_SUFFIX));
		}
		//SQL注入check
		SqlInjectionUtil.filterContent(column); 
		
		if (order.toUpperCase().indexOf(ORDER_TYPE_ASC)>=0) {
			queryWrapper.orderByAsc(oConvertUtils.camelToUnderline(column));
		} else {
			queryWrapper.orderByDesc(oConvertUtils.camelToUnderline(column));
		}
	}
}
 
Example 5
Source File: SysDictController.java    From jeecg-cloud with Apache License 2.0 4 votes vote down vote up
/**
 * 获取字典数据
 * @param dictCode 字典code
 * @param dictCode 表名,文本字段,code字段  | 举例:sys_user,realname,id
 * @return
 */
@RequestMapping(value = "/getDictItems/{dictCode}", method = RequestMethod.GET)
public Result<List<DictModel>> getDictItems(@PathVariable String dictCode, @RequestParam(value = "sign",required = false) String sign,HttpServletRequest request) {
	log.info(" dictCode : "+ dictCode);
	Result<List<DictModel>> result = new Result<List<DictModel>>();
	List<DictModel> ls = null;
	try {
		if(dictCode.indexOf(",")!=-1) {
			//关联表字典(举例:sys_user,realname,id)
			String[] params = dictCode.split(",");
			
			if(params.length<3) {
				result.error500("字典Code格式不正确!");
				return result;
			}
			//SQL注入校验(只限制非法串改数据库)
			final String[] sqlInjCheck = {params[0],params[1],params[2]};
			SqlInjectionUtil.filterContent(sqlInjCheck);
			
			if(params.length==4) {
				//SQL注入校验(查询条件SQL 特殊check,此方法仅供此处使用)
				SqlInjectionUtil.specialFilterContent(params[3]);
				ls = sysDictService.queryTableDictItemsByCodeAndFilter(params[0],params[1],params[2],params[3]);
			}else if (params.length==3) {
				ls = sysDictService.queryTableDictItemsByCode(params[0],params[1],params[2]);
			}else{
				result.error500("字典Code格式不正确!");
				return result;
			}
		}else {
			//字典表
			 ls = sysDictService.queryDictItemsByCode(dictCode);
		}

		 result.setSuccess(true);
		 result.setResult(ls);
		 log.info(result.toString());
	} catch (Exception e) {
		log.error(e.getMessage(),e);
		result.error500("操作失败");
		return result;
	}

	return result;
}
 
Example 6
Source File: SysDictController.java    From jeecg-boot-with-activiti with MIT License 4 votes vote down vote up
/**
 * 获取字典数据
 * @param dictCode 字典code
 * @param dictCode 表名,文本字段,code字段  | 举例:sys_user,realname,id
 * @return
 */
@RequestMapping(value = "/getDictItems/{dictCode}", method = RequestMethod.GET)
public Result<List<DictModel>> getDictItems(@PathVariable String dictCode) {
	log.info(" dictCode : "+ dictCode);
	Result<List<DictModel>> result = new Result<List<DictModel>>();
	List<DictModel> ls = null;
	try {
		if(dictCode.indexOf(",")!=-1) {
			//关联表字典(举例:sys_user,realname,id)
			String[] params = dictCode.split(",");
			
			if(params.length<3) {
				result.error500("字典Code格式不正确!");
				return result;
			}
			//SQL注入校验(只限制非法串改数据库)
			final String[] sqlInjCheck = {params[0],params[1],params[2]};
			SqlInjectionUtil.filterContent(sqlInjCheck);
			
			if(params.length==4) {
				//SQL注入校验(查询条件SQL 特殊check,此方法仅供此处使用)
				SqlInjectionUtil.specialFilterContent(params[3]);
				ls = sysDictService.queryTableDictItemsByCodeAndFilter(params[0],params[1],params[2],params[3]);
			}else if (params.length==3) {
				ls = sysDictService.queryTableDictItemsByCode(params[0],params[1],params[2]);
			}else{
				result.error500("字典Code格式不正确!");
				return result;
			}
		}else {
			//字典表
			 ls = sysDictService.queryDictItemsByCode(dictCode);
		}

		 result.setSuccess(true);
		 result.setResult(ls);
		 log.info(result.toString());
	} catch (Exception e) {
		log.error(e.getMessage(),e);
		result.error500("操作失败");
		return result;
	}

	return result;
}
 
Example 7
Source File: SysDictController.java    From teaching with Apache License 2.0 4 votes vote down vote up
/**
 * 获取字典数据
 * @param dictCode 字典code
 * @param dictCode 表名,文本字段,code字段  | 举例:sys_user,realname,id
 * @return
 */
@RequestMapping(value = "/getDictItems/{dictCode}", method = RequestMethod.GET)
public Result<List<DictModel>> getDictItems(@PathVariable String dictCode) {
	log.info(" dictCode : "+ dictCode);
	Result<List<DictModel>> result = new Result<List<DictModel>>();
	List<DictModel> ls = null;
	try {
		if(dictCode.indexOf(",")!=-1) {
			//关联表字典(举例:sys_user,realname,id)
			String[] params = dictCode.split(",");
			
			if(params.length<3) {
				result.error500("字典Code格式不正确!");
				return result;
			}
			//SQL注入校验(只限制非法串改数据库)
			final String[] sqlInjCheck = {params[0],params[1],params[2]};
			SqlInjectionUtil.filterContent(sqlInjCheck);
			
			if(params.length==4) {
				//SQL注入校验(查询条件SQL 特殊check,此方法仅供此处使用)
				SqlInjectionUtil.specialFilterContent(params[3]);
				ls = sysDictService.queryTableDictItemsByCodeAndFilter(params[0],params[1],params[2],params[3]);
			}else if (params.length==3) {
				ls = sysDictService.queryTableDictItemsByCode(params[0],params[1],params[2]);
			}else{
				result.error500("字典Code格式不正确!");
				return result;
			}
		}else {
			//字典表
			 ls = sysDictService.queryDictItemsByCode(dictCode);
		}

		 result.setSuccess(true);
		 result.setResult(ls);
		 log.info(result.toString());
	} catch (Exception e) {
		log.error(e.getMessage(),e);
		result.error500("操作失败");
		return result;
	}

	return result;
}
 
Example 8
Source File: SysDictController.java    From jeecg-boot with Apache License 2.0 4 votes vote down vote up
/**
 * 获取字典数据
 * @param dictCode 字典code
 * @param dictCode 表名,文本字段,code字段  | 举例:sys_user,realname,id
 * @return
 */
@RequestMapping(value = "/getDictItems/{dictCode}", method = RequestMethod.GET)
public Result<List<DictModel>> getDictItems(@PathVariable String dictCode, @RequestParam(value = "sign",required = false) String sign,HttpServletRequest request) {
	log.info(" dictCode : "+ dictCode);
	Result<List<DictModel>> result = new Result<List<DictModel>>();
	List<DictModel> ls = null;
	try {
		if(dictCode.indexOf(",")!=-1) {
			//关联表字典(举例:sys_user,realname,id)
			String[] params = dictCode.split(",");
			
			if(params.length<3) {
				result.error500("字典Code格式不正确!");
				return result;
			}
			//SQL注入校验(只限制非法串改数据库)
			final String[] sqlInjCheck = {params[0],params[1],params[2]};
			SqlInjectionUtil.filterContent(sqlInjCheck);
			
			if(params.length==4) {
				//SQL注入校验(查询条件SQL 特殊check,此方法仅供此处使用)
				SqlInjectionUtil.specialFilterContent(params[3]);
				ls = sysDictService.queryTableDictItemsByCodeAndFilter(params[0],params[1],params[2],params[3]);
			}else if (params.length==3) {
				ls = sysDictService.queryTableDictItemsByCode(params[0],params[1],params[2]);
			}else{
				result.error500("字典Code格式不正确!");
				return result;
			}
		}else {
			//字典表
			 ls = sysDictService.queryDictItemsByCode(dictCode);
		}

		 result.setSuccess(true);
		 result.setResult(ls);
		 log.info(result.toString());
	} catch (Exception e) {
		log.error(e.getMessage(),e);
		result.error500("操作失败");
		return result;
	}

	return result;
}