wuxw7 лет назад: 8
Сommit
a2370b25b2

+ 0 - 0
CenterService/doc/~$nterService.docx


+ 2 - 1
CodingLog.txt

@@ -20,4 +20,5 @@
 --------------------2018年04月23日-----------------------
 1、加入sign 鉴权处理
 2、请求报文和返回报文加密处理
-3、加入java脚本代码处理
+3、加入java脚本代码处理
+4、sql配置到表里情况下解决sql注入问题

+ 18 - 0
java110-common/src/main/java/com/java110/common/util/CommonUtil.java

@@ -59,4 +59,22 @@ public class CommonUtil extends LoggerEngine {
 
         return result;
     }
+
+
+    //效验
+    public static boolean sqlValidate(String str) {
+        str = str.toLowerCase();//统一转为小写
+        String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|" +
+                "char|declare|sitename|net user|xp_cmdshell|;|or|-|+|,|like'|and|exec|execute|insert|create|drop|" +
+                "table|from|grant|use|group_concat|column_name|" +
+                "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|" +
+                "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#";//过滤掉的sql关键字,可以手动添加
+        String[] badStrs = badStr.split("\\|");
+        for (int i = 0; i < badStrs.length; i++) {
+            if (str.indexOf(badStrs[i]) >= 0) {
+                return true;
+            }
+        }
+        return false;
+    }
 }
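Review bot: sqlValidate rejects on a substring match against a blacklist that includes single characters (`-`, `+`, `,`, `%`, `*`, `/`) and short words (`or`, `and`, `by`), so ordinary values such as a date like `2018-04-23` or any name containing "or" are flagged, while the check still gives no guarantee against injection; it also throws NullPointerException when str is null and lowercases without `Locale.ROOT`. Since the DAO changes in this commit bind values through PreparedStatement, a keyword blacklist mostly adds false positives, and if a check is still wanted for values that must be spliced into identifier positions, an allow-list such as `return str != null && str.matches("[A-Za-z0-9_]+");` is the usual form. Nothing else in this commit appears to call the method. At minimum the return convention should be stated, e.g. `/** Returns true when str contains any blacklisted SQL token (case-insensitive substring match). */`.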

+ 2 - 2
java110-service/src/main/java/com/java110/service/dao/IQueryServiceDAO.java

@@ -16,9 +16,9 @@ public interface IQueryServiceDAO {
      * @param sql
      * @return
      */
-    public List<Map> executeSql(String sql);
+    public List<Map<String,Object>> executeSql(String sql,Object []params);
 
-    public int updateSql(String sql);
+    public int updateSql(String sql,Object[] params);
 
     /**
      * 执行存储过程
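Review bot: The new `params` argument on executeSql and updateSql is undocumented: the Javadoc above executeSql keeps `@param sql` and `@return` empty and gains no `@param params`, and updateSql has no Javadoc at all. Since callers must now keep the array aligned with the `?` placeholders, state that contract, e.g. `@param params values bound positionally to the ? placeholders in sql, in order; may be null when the statement has none`, and `@return the rows as column-name to value maps`. The implementation in this commit accepts a null array, so that part can be documented as fact. Also write the array type as `Object[] params` rather than `Object []params`, matching updateSql.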

+ 84 - 8
java110-service/src/main/java/com/java110/service/dao/impl/QueryServiceDAOImpl.java

@@ -7,9 +7,8 @@ import com.java110.service.dao.IQueryServiceDAO;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
-import java.util.List;
-import java.util.Map;
-import java.util.TreeMap;
+import java.sql.*;
+import java.util.*;
 
 /**
  * Created by wuxw on 2018/4/20.
@@ -17,14 +16,91 @@ import java.util.TreeMap;
 @Service("queryServiceDAOImpl")
 @Transactional
 public class QueryServiceDAOImpl extends BaseServiceDao implements IQueryServiceDAO {
+
+    /**
+     *  防止sql注入 改造成直接用prepareStatement 预处理sql
+     * @param sql
+     * @param params
+     * @return
+     */
     @Override
-    public List<Map> executeSql(String sql) {
-        logger.debug("----【queryServiceDAOImpl.executeSql】入参 : "+sql);
-        return sqlSessionTemplate.selectList("queryServiceDAOImpl.executeSql",sql);
+    public List<Map<String,Object>> executeSql(String sql,Object[] params) {
+        logger.debug("----【queryServiceDAOImpl.executeSql】入参 : "+sql+" params= "+params);
+        Connection conn = null;
+        ResultSet rs = null;
+        PreparedStatement ps = null;
+        List<Map<String,Object>> mapList = new ArrayList<Map<String,Object>>();
+        try {
+            conn = sqlSessionTemplate.getConnection();
+            ps = conn.prepareStatement(sql);
+            if(params != null){
+                for(int i = 0 ; i < params.length ; i++){
+                    ps.setObject(i+1, params[i]);
+                }
+            }
+            rs = ps.executeQuery();
+            //精髓的地方就在这里,类ResultSet有getMetaData()会返回数据的列和对应的值的信息,然后我们将列名和对应的值作为map的键值存入map对象之中...
+            ResultSetMetaData rsmd = rs.getMetaData();
+            while(rs.next()){
+                Map<String,Object> map = new HashMap<String,Object>();
+                for(int i = 0 ; i < rsmd.getColumnCount() ; i++){
+                    String col_name = rsmd.getColumnName(i+1);
+                    Object col_value = rs.getObject(col_name);
+                    if(col_value == null){
+                        col_value = "";
+                    }
+                    map.put(col_name, col_value);
+                }
+                mapList.add(map);
+            }
+            return mapList;
+        } catch (SQLException e) {
+            logger.error("执行sql异常:" + sql +params,e);
+            return null;
+        }finally{
+            try {
+                //conn.close();
+                ps.close();
+                rs.close();
+            } catch (SQLException e) {
+                e.printStackTrace();
+            }
+        }
+        //return sqlSessionTemplate.selectList("queryServiceDAOImpl.executeSql",sql);
     }
 
-    public int updateSql(String sql){
-        return sqlSessionTemplate.update("queryServiceDAOImpl.updateSql",sql);
+    /**
+     * 防止sql注入 改造成直接用prepareStatement 预处理sql
+     * @param sql
+     * @param params
+     * @return
+     */
+    public int updateSql(String sql,Object[] params){
+        logger.debug("----【queryServiceDAOImpl.updateSql】入参 : "+sql+" params= "+params);
+        Connection conn = null;
+        PreparedStatement ps = null;
+        try {
+            conn = sqlSessionTemplate.getConnection();
+            ps = conn.prepareStatement(sql);
+            if(params != null){
+                for(int i = 0 ; i < params.length ; i++){
+                    ps.setObject(i+1, params[i]);
+                }
+            }
+            return ps.executeUpdate();
+            //精髓的地方就在这里,类ResultSet有getMetaData()会返回数据的列和对应的值的信息,然后我们将列名和对应的值作为map的键值存入map对象之中...
+        } catch (SQLException e) {
+            logger.error("执行sql异常:" + sql +params,e);
+            return 0;
+        }finally{
+            try {
+                //conn.close();
+                ps.close();
+            } catch (SQLException e) {
+                e.printStackTrace();
+            }
+        }
+        //return sqlSessionTemplate.update("queryServiceDAOImpl.updateSql",sql);
     }
 
     @Override
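Review bot: The finally block of executeSql calls `ps.close()` and `rs.close()` unconditionally, so when `prepareStatement` or `executeQuery` throws SQLException the catch returns null and the finally then throws NullPointerException on the null ps or rs, replacing that return and hiding the logged cause; when `ps.close()` itself throws, rs is never closed, and updateSql's finally has the same shape. Using try-with-resources for the statement and result set removes both problems, and `Arrays.toString(params)` in the debug and error lines prints the bound values instead of the array's identity hash (note those values may include personal or credential data depending on the templates, so keep that at debug level). Whether the connection from `sqlSessionTemplate.getConnection()` may be left unclosed here depends on the session being transaction-bound, which is not visible in the hunk, so the commented-out `conn.close()` should be confirmed rather than left as a comment; `e.printStackTrace()` on close also bypasses the logger used everywhere else.
```java
    public List<Map<String,Object>> executeSql(String sql,Object[] params) {
        logger.debug("----【queryServiceDAOImpl.executeSql】入参 : "+sql+" params= "+Arrays.toString(params));
        List<Map<String,Object>> mapList = new ArrayList<Map<String,Object>>();
        try (PreparedStatement ps = sqlSessionTemplate.getConnection().prepareStatement(sql)) {
            if(params != null){
                for(int i = 0 ; i < params.length ; i++){
                    ps.setObject(i+1, params[i]);
                }
            }
            try (ResultSet rs = ps.executeQuery()) {
                ResultSetMetaData rsmd = rs.getMetaData();
                while(rs.next()){
                    // … unchanged: per-row column-to-map copy into mapList …
                }
            }
            return mapList;
        } catch (SQLException e) {
            logger.error("执行sql异常:" + sql + Arrays.toString(params),e);
            return null;
        }
    }
```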

+ 17 - 12
java110-service/src/main/java/com/java110/service/smo/impl/QueryServiceSMOImpl.java

@@ -19,10 +19,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.TreeMap;
+import java.util.*;
 
 /**
  * Created by wuxw on 2018/4/19.
@@ -104,7 +101,7 @@ public class QueryServiceSMOImpl extends LoggerEngine implements IQueryServiceSM
         try {
             JSONObject params = dataQuery.getRequestParams();
             JSONObject sqlObj = JSONObject.parseObject(dataQuery.getServiceSql().getSql());
-
+            List<Object> currentParams = new ArrayList<Object>();
             String currentSql = "";
             for(String key : sqlObj.keySet()) {
                 currentSql = sqlObj.getString(key);
@@ -115,13 +112,15 @@ public class QueryServiceSMOImpl extends LoggerEngine implements IQueryServiceSM
                         currentSqlNew += sqls[sqlIndex];
                         continue;
                     }
-                    currentSqlNew += params.get(sqls[sqlIndex]) instanceof Integer ? params.getInteger(sqls[sqlIndex]) : "'" + params.getString(sqls[sqlIndex]) + "'";
+                    currentSqlNew += "?";
+                    currentParams.add(params.get(sqls[sqlIndex]) instanceof Integer ? params.getInteger(sqls[sqlIndex]) : "'" + params.getString(sqls[sqlIndex]) + "'");
+                    //currentSqlNew += params.get(sqls[sqlIndex]) instanceof Integer ? params.getInteger(sqls[sqlIndex]) : "'" + params.getString(sqls[sqlIndex]) + "'";
                 }
 
-                int flag = queryServiceDAOImpl.updateSql(currentSqlNew);
+                int flag = queryServiceDAOImpl.updateSql(currentSqlNew,currentParams.toArray());
 
                 if (flag < 1) {
-                    throw new BusinessException(ResponseConstant.RESULT_PARAM_ERROR, "调用接口失败");
+                    throw new BusinessException(ResponseConstant.RESULT_PARAM_ERROR, "数据交互失败");
                 }
             }
 
@@ -215,6 +214,7 @@ public class QueryServiceSMOImpl extends LoggerEngine implements IQueryServiceSM
         try {
             JSONObject params = dataQuery.getRequestParams();
             JSONObject sqlObj = JSONObject.parseObject(dataQuery.getServiceSql().getSql());
+            List<Object> currentParams = new ArrayList<Object>();
 
             String currentSql = sqlObj.getString(dataQuery.getTemplateKey());
             String[] sqls = currentSql.split("#");
@@ -227,17 +227,22 @@ public class QueryServiceSMOImpl extends LoggerEngine implements IQueryServiceSM
                 if (sqls[sqlIndex].startsWith("PARENT_")) {
                     for (String key : obj.keySet()) {
                         if (sqls[sqlIndex].substring("PARENT_".length()).equals(key)) {
-                            currentSqlNew += obj.get(key) instanceof Integer
-                                    ? obj.getInteger(key) : "'" + obj.getString(key) + "'";
+                            /*currentSqlNew += obj.get(key) instanceof Integer
+                                    ? obj.getInteger(key) : "'" + obj.getString(key) + "'";*/
+                            currentSqlNew += "?";
+                            currentParams.add(obj.get(key) instanceof Integer
+                                    ? obj.getInteger(key) : "'" + obj.getString(key) + "'");
                             continue;
                         }
                     }
                 } else {
-                    currentSqlNew += params.get(sqls[sqlIndex]) instanceof Integer ? params.getInteger(sqls[sqlIndex]) : "'" + params.getString(sqls[sqlIndex]) + "'";
+                    currentSqlNew += "?";
+                    currentParams.add(params.get(sqls[sqlIndex]) instanceof Integer ? params.getInteger(sqls[sqlIndex]) : "'" + params.getString(sqls[sqlIndex]) + "'");
+                    //currentSqlNew += params.get(sqls[sqlIndex]) instanceof Integer ? params.getInteger(sqls[sqlIndex]) : "'" + params.getString(sqls[sqlIndex]) + "'";
                 }
             }
 
-            List<Map> results = queryServiceDAOImpl.executeSql(currentSqlNew);
+            List<Map<String,Object>> results = queryServiceDAOImpl.executeSql(currentSqlNew, currentParams.toArray());
 
             if (results == null || results.size() == 0) {
                 obj.put(values[1], new JSONObject());
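Review bot: `currentParams.add(...)` on the non-Integer branch still wraps the value as `"'" + params.getString(sqls[sqlIndex]) + "'"`, but with a `?` placeholder PreparedStatement binds the value as a literal, so the quotes become part of the data: an insert stores the value with its quotes, and a `where col = ?` no longer matches the unquoted stored value. The same wrapping appears in the PARENT_ branch and the else branch of the second method in this file. The quoting belonged to the string splicing this commit removes; bind the bare value instead, `currentParams.add(params.get(sqls[sqlIndex]) instanceof Integer ? params.getInteger(sqls[sqlIndex]) : params.getString(sqls[sqlIndex]));`. Placeholders only cover value positions, so if any stored template uses a `#…#` token where a table or column name is expected, that query will now fail with a syntax error; the commented-out old lines should be deleted rather than kept. Both enclosing methods start and end outside the hunks.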