37 lines
1.2 KiB
Java
37 lines
1.2 KiB
Java
|
package com.dite.znpt.util;
|
||
|
|
|
||
|
|
import cn.hutool.core.exceptions.UtilException;
|
||
|
|
import org.apache.commons.lang3.StringUtils;
|
||
|
|
|
||
|
|
public class SqlUtil {
|
||
|
|
public static String SQL_REGEX = "select |insert |delete |update |drop |count |exec |chr |mid |master |truncate |char |and |declare ";
|
||
|
|
public static String SQL_PATTERN = "[a-zA-Z0-9_ ,.]+";
|
||
|
|
|
||
|
|
public static String escapeOrderBySql(String value) {
|
||
|
|
if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value)) {
|
||
|
|
throw new UtilException("参数不符合规范,不能进行查询");
|
||
|
|
} else {
|
||
|
|
return value;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
public static boolean isValidOrderBySql(String value) {
|
||
|
|
return value.matches(SQL_PATTERN);
|
||
|
|
}
|
||
|
|
|
||
|
|
public static void filterKeyword(String value) {
|
||
|
|
if (!StringUtils.isEmpty(value)) {
|
||
|
|
String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
|
||
|
|
int var3 = sqlKeywords.length;
|
||
|
|
|
||
|
|
for(int var4 = 0; var4 < var3; ++var4) {
|
||
|
|
String sqlKeyword = sqlKeywords[var4];
|
||
|
|
if (StringUtils.indexOfIgnoreCase(value, sqlKeyword) > -1) {
|
||
|
|
throw new UtilException("参数存在SQL注入风险");
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|