Commit 09464c44dda5f6dd8414bcf5ac81f788c3db4a9e

Authored by 娄高锋
1 parent 867b90c5

改掉sql拼接(sql注入漏洞)。

# Conflicts:
#	src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
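--- a/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
+++ b/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
@@ -46,18 +46,27 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 List<ScheduleRealInfo> list = new ArrayList<ScheduleRealInfo>();
 
 try {
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = ?";
+objList.add(date);
 
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 sql += " order by gs_bm, fgs_bm, xl_bm";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -193,17 +202,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
-
-String sql = "select * from bsth_c_s_sp_info where schedule_date = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info where schedule_date = ?";
+objList.add(date);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<SchedulePlanInfo>(){
 @Override
 public SchedulePlanInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -609,19 +626,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
+List<String> objList = new ArrayList<String>();
 String sql = "select schedule_date_str,xl_name,bc_type,gs_name,fgs_name,fgs_bm,bcs,"
 +"fcno,fcsj,fcsj_actual,zdsj,zdsj_actual,bcsj,qdz_name,sp_id,cc_service"
-+" from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate
-+"' and schedule_date_str <= '"+endDate+"'";
++" from bsth_c_s_sp_info_real where schedule_date_str >= ?"
++" and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql += " and gs_bm = '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm = '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(Integer.valueOf(bcType) == 1){
@@ -630,6 +653,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 sql += " and bc_type = 'region'";
 }
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -923,19 +947,26 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(nbbm.length() != 0){
-sql += " and cl_zbh like '%"+nbbm+"%'";
+sql += " and cl_zbh like ?";
+objList.add("%" + nbbm + "%");
 }
 if(company.length() != 0){
-sql += " and gs_bm like '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm like '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(bcType.trim().equals("1")){
@@ -945,6 +976,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1214,20 +1246,28 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 isCancel = map.get("isCancel").toString().trim();
 }
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select tt.id, tt.name from bsth_c_s_ttinfo tt left join" +
 " (select tt_info from bsth_c_s_sp_info where 1=1";
-if(startDate.trim().length() > 0)
-sql += " and schedule_date >= '"+startDate+"'";
-if(endDate.trim().length() > 0)
-sql += " and schedule_date <= '"+endDate+"'";
+
+if(startDate.trim().length() > 0){
+sql += " and schedule_date >= ?";
+objList.add(startDate);
+}
+if(endDate.trim().length() > 0){
+sql += " and schedule_date <= ?";
+objList.add(endDate);
+}
 if(line.trim().length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 } else {
 return resList;
 }
 sql += " ) sp on sp.tt_info = tt.id where sp.tt_info is not null group by tt.id, tt.name";
 
 resList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2178,24 +2218,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' ";
++ " WHERE schedule_date_str = ? ";
+objList.add(date);
+
 if(!line.equals("")){
-sql_ += " and xl_bm = '"+line+"'";
+sql_ += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql_ += " and gs_bm='"+company+"'";
+sql_ += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql_ += " and fgs_bm='"+subCompany+"'";
+sql_ += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as line_sch FROM ("+sql_+") AS r"
 + " order by r.gs_bm,r.fgs_bm,r.xl_bm,r.id ";
 
 List<Map<String, Object>> tempList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2400,14 +2446,18 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and xl_bm = '"+line+"'";
++ " WHERE schedule_date_str = ? and xl_bm = ?";
+objList.add(date);
+objList.add(line);
 
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as gh_sch FROM ("+sql_+") AS r"
 + " order by r.xl_name,r.id ";
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2605,14 +2655,17 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 if(map.get("type")!=null)
 type = map.get("type").toString().trim();
 
-String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and j_gh = '"+jgh+"'";
+List<String> objList = new ArrayList<String>();
+String sql_ = "select * from bsth_c_s_sp_info_real "
++ " WHERE schedule_date_str = ? and j_gh = ?";
+objList.add(date);
+objList.add(jgh);
 
 if(!line.equals("")){
-sql_ +=" and xl_bm = '"+line+"'";
+sql_ +=" and xl_bm = ?";
+objList.add(line);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.fcsj,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,"
 + " r.fcsj,d. TIMESTAMP,d.reply46,d.reply47,d.reply46time,d.reply47time,"
 + " r.gs_name,r.fgs_name FROM ("+sql_+") "
@@ -2621,6 +2674,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {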
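Review bot: In the @@ -923 hunk (new lines 960–961) the `nbbm` filter is now a bound parameter, but `%` and `_` inside the value still act as LIKE metacharacters, so a supplied `%` turns the vehicle filter into match-everything; the injection is closed, the pattern semantics are not. Escape those characters and declare the escape character in the statement, e.g. `sql += " and cl_zbh like ? escape '!'";` with `objList.add("%" + nbbm.replace("!", "!!").replace("%", "!%").replace("_", "!_") + "%");`. The same hunk also turns `gs_bm like` / `fgs_bm like` (old lines 935 and 938) into `= ?`; with a bound value the two differ only for wildcard characters and, on some databases, trailing-space handling, so this looks intended but is not mentioned in the commit message and is worth confirming. The enclosing method starts and ends outside this hunk.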