Commit 09464c44dda5f6dd8414bcf5ac81f788c3db4a9e

Authored by 娄高锋
1 parent 867b90c5

改掉sql拼接(sql注入漏洞)。

# Conflicts:
#	src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
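--- a/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
+++ b/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
@@ -46,18 +46,27 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 List<ScheduleRealInfo> list = new ArrayList<ScheduleRealInfo>();
 
 try {
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = ?";
+objList.add(date);
 
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 sql += " order by gs_bm, fgs_bm, xl_bm";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -193,17 +202,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
-
-String sql = "select * from bsth_c_s_sp_info where schedule_date = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info where schedule_date = ?";
+objList.add(date);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<SchedulePlanInfo>(){
 @Override
 public SchedulePlanInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -609,19 +626,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
+List<String> objList = new ArrayList<String>();
 String sql = "select schedule_date_str,xl_name,bc_type,gs_name,fgs_name,fgs_bm,bcs,"
 +"fcno,fcsj,fcsj_actual,zdsj,zdsj_actual,bcsj,qdz_name,sp_id,cc_service"
-+" from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate
-+"' and schedule_date_str <= '"+endDate+"'";
++" from bsth_c_s_sp_info_real where schedule_date_str >= ?"
++" and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql += " and gs_bm = '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm = '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(Integer.valueOf(bcType) == 1){
@@ -630,6 +653,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 sql += " and bc_type = 'region'";
 }
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -923,19 +947,26 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(nbbm.length() != 0){
-sql += " and cl_zbh like '%"+nbbm+"%'";
+sql += " and cl_zbh like ?";
+objList.add("%" + nbbm + "%");
 }
 if(company.length() != 0){
-sql += " and gs_bm like '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm like '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(bcType.trim().equals("1")){
@@ -945,6 +976,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1214,20 +1246,28 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 isCancel = map.get("isCancel").toString().trim();
 }
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select tt.id, tt.name from bsth_c_s_ttinfo tt left join" +
 " (select tt_info from bsth_c_s_sp_info where 1=1";
-if(startDate.trim().length() > 0)
-sql += " and schedule_date >= '"+startDate+"'";
-if(endDate.trim().length() > 0)
-sql += " and schedule_date <= '"+endDate+"'";
+
+if(startDate.trim().length() > 0){
+sql += " and schedule_date >= ?";
+objList.add(startDate);
+}
+if(endDate.trim().length() > 0){
+sql += " and schedule_date <= ?";
+objList.add(endDate);
+}
 if(line.trim().length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 } else {
 return resList;
 }
 sql += " ) sp on sp.tt_info = tt.id where sp.tt_info is not null group by tt.id, tt.name";
 
 resList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2178,24 +2218,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' ";
++ " WHERE schedule_date_str = ? ";
+objList.add(date);
+
 if(!line.equals("")){
-sql_ += " and xl_bm = '"+line+"'";
+sql_ += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql_ += " and gs_bm='"+company+"'";
+sql_ += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql_ += " and fgs_bm='"+subCompany+"'";
+sql_ += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as line_sch FROM ("+sql_+") AS r"
 + " order by r.gs_bm,r.fgs_bm,r.xl_bm,r.id ";
 
 List<Map<String, Object>> tempList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2400,14 +2446,18 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and xl_bm = '"+line+"'";
++ " WHERE schedule_date_str = ? and xl_bm = ?";
+objList.add(date);
+objList.add(line);
 
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as gh_sch FROM ("+sql_+") AS r"
 + " order by r.xl_name,r.id ";
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2605,14 +2655,17 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 if(map.get("type")!=null)
 type = map.get("type").toString().trim();
 
-String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and j_gh = '"+jgh+"'";
+List<String> objList = new ArrayList<String>();
+String sql_ = "select * from bsth_c_s_sp_info_real "
++ " WHERE schedule_date_str = ? and j_gh = ?";
+objList.add(date);
+objList.add(jgh);
 
 if(!line.equals("")){
-sql_ +=" and xl_bm = '"+line+"'";
+sql_ +=" and xl_bm = ?";
+objList.add(line);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.fcsj,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,"
 + " r.fcsj,d. TIMESTAMP,d.reply46,d.reply47,d.reply46time,d.reply47time,"
 + " r.gs_name,r.fgs_name FROM ("+sql_+") "
@@ -2621,6 +2674,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {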
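Review bot: In the hunk at `@@ -923,19 +947,26 @@` the new lines `sql += " and gs_bm = ?";` and `sql += " and fgs_bm = ?";` replace the previous `like` comparisons with equality, a behaviour change the commit message does not mention; it is probably the intended reading, since the old patterns carried no wildcards, but a caller that relied on `%` inside company or subCompany now gets no rows, so a comment such as `// exact match; the old LIKE carried no wildcards` or a line in the description would record the decision. In the same hunk the `cl_zbh like ?` branch binds `"%" + nbbm + "%"` without escaping, so `%` and `_` inside nbbm still act as wildcards — no longer an injection path, but if an exact substring match is wanted, escape them with `nbbm.replace("%", "\\%").replace("_", "\\_")` and an `ESCAPE` clause on the LIKE. Across every hunk the `?` placeholders in `sql` and the `objList.add(...)` calls are kept aligned only by hand, so a future branch that appends one without the other will silently shift all later parameters; a small helper that appends the clause and adds the value in one call would remove that coupling. The enclosing methods begin and end outside the hunks, so whatever the outer `SELECT ... FROM ("+sql_+")` queries concatenate after the visible lines could not be checked here.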