tool/lxutils
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: 修复order by和limit、page的sql注入风险

Browse Source
This commit is contained in:
wangjie 2025-08-22 17:58:34 +08:00
parent fa6333910b
commit cfeb85c4ac
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lxDb/sql.go
View File

@ -207,10 +207,6 @@ func Query(tx *gorm.DB, m interface{}, list interface{}, q *PaginationQuery) (er
//} //}
func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, params ...interface{}) (err error) { func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, params ...interface{}) (err error) {
// 验证输入参数的安全性
if !isSafeSQL(sql) {
return errors.New("检测到潜在的SQL注入风险")
}
var builder strings.Builder var builder strings.Builder
builder.WriteString(sql) builder.WriteString(sql)
@ -293,6 +289,10 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par
// 安全地处理排序 - 使用白名单验证字段名 // 安全地处理排序 - 使用白名单验证字段名
if q.OrderBy != "" { if q.OrderBy != "" {
// 验证输入参数的安全性
if !isSafeSQL(sql) {
return errors.New("检测到潜在的SQL注入风险")
}
safeOrderBy := sanitizeOrderBy(q.OrderBy) safeOrderBy := sanitizeOrderBy(q.OrderBy)
if safeOrderBy != "" { if safeOrderBy != "" {
builder.WriteString(" ORDER BY ") builder.WriteString(" ORDER BY ")
@ -322,10 +322,6 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par
} }
func SqlQueryNew(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, params ...interface{}) (err error) { func SqlQueryNew(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, params ...interface{}) (err error) {
// 验证输入参数的安全性
if !isSafeSQL(sql) {
return errors.New("检测到潜在的SQL注入风险")
}
var builder strings.Builder var builder strings.Builder
builder.WriteString(sql) builder.WriteString(sql)
@ -407,6 +403,10 @@ func SqlQueryNew(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery,
// 安全地处理排序 - 使用白名单验证字段名 // 安全地处理排序 - 使用白名单验证字段名
if q.OrderBy != "" { if q.OrderBy != "" {
// 验证输入参数的安全性
if !isSafeSQL(sql) {
return errors.New("检测到潜在的SQL注入风险")
}
safeOrderBy := sanitizeOrderBy(q.OrderBy) safeOrderBy := sanitizeOrderBy(q.OrderBy)
if safeOrderBy != "" { if safeOrderBy != "" {
builder.WriteString(" ORDER BY ") builder.WriteString(" ORDER BY ")