改掉sql拼接（sql注入漏洞）。

娄高锋
1 parent 275b243c
Showing 1 changed file with 72 additions and 29 deletions
src/main/java/com/bsth/service/impl/BusIntervalServiceImpl.java
@@ -100,9 +100,14 @@ public class BusIntervalServiceImpl implements BusIntervalService {
  
 		try {
  
-			String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'";
+			List<String> objList = new ArrayList<String>();
+			String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+			objList.add(startDate);
+			objList.add(endDate);
+			
 			if(line.length() != 0){
-				sql += " and xl_bm = '"+line+"'";
+				sql += " and xl_bm = ?";
+				objList.add(line);
 			}
 			if(times.length() != 0){
 				String[] split = times.split("-");
@@ -117,16 +122,19 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 				}
 			}
 			if(company.length() != 0){
-				sql += " and gs_bm = '"+company+"'";
+				sql += " and gs_bm = ?";
+				objList.add(company);
 			}
 			if(subCompany.length() != 0){
-				sql += " and fgs_bm = '"+subCompany+"'";
+				sql += " and fgs_bm = ?";
+				objList.add(subCompany);
 			}
 			if(normal){
 				sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 			}
  
 			list = jdbcTemplate.query(sql,
+					objList.toArray(),
 					new RowMapper<ScheduleRealInfo>(){
 				@Override
 				public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -222,14 +230,20 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 			});
  
 			if(model.length() != 0){
-//				sql = "select * from bsth_c_s_ttinfo_detail where ttinfo = '"+model+"' and bc_type != 'in' and bc_type != 'out'";
-				sql = "select id from bsth_c_s_sp_info where tt_info = '" + model + "' and bc_type != 'in' and bc_type != 'out'" +
-						" and bc_type != 'ldks' and schedule_date >= '"+startDate+"' and schedule_date <= '"+endDate+"'";
+				List<String> objList2 = new ArrayList<String>();
+				sql = "select id from bsth_c_s_sp_info where tt_info = ? and bc_type != 'in' and bc_type != 'out'" +
+						" and bc_type != 'ldks' and schedule_date >= ? and schedule_date <= ?";
+				objList2.add(model);
+				objList2.add(startDate);
+				objList2.add(endDate);
+				
 				if(line.length() != 0){
-					sql += " and xl_bm = '"+line+"'";
+					sql += " and xl_bm = ?";
+					objList2.add(line);
 				}
  
 				ttList = jdbcTemplate.query(sql,
+						objList2.toArray(),
 						new RowMapper<Long>(){
 					@Override
 					public Long mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -303,17 +317,22 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 		Map<Long, Set<ChildTaskPlan>> schMap = new HashMap<Long, Set<ChildTaskPlan>>();
 		List<ChildTaskPlan> list = new ArrayList<ChildTaskPlan>();
  
+		List<Object> objList = new ArrayList<Object>();
 		String sql = "select id,cc_id,mileage_type,destroy,destroy_reason," +
 				" mileage,type1,type2,schedule from bsth_c_s_child_task" +
 				" where 1=1";
+		
 		if(schedule1 != null && schedule1 > 0){
-			sql += " and schedule >= '"+schedule1+"'";
+			sql += " and schedule >= ?";
+			objList.add(schedule1);
 		}
 		if(schedule2 != null && schedule2 > 0){
-			sql += " and schedule <= '"+schedule2+"'";
+			sql += " and schedule <= ?";
+			objList.add(schedule2);
 		}
  
 		list = jdbcTemplate.query(sql,
+				objList.toArray(),
 				new RowMapper<ChildTaskPlan>(){
 			@Override
 			public ChildTaskPlan mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -354,10 +373,12 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 		String line = map.get("line").toString();
  
 		try {
-
-			String sql = "select start_station_name, end_station_name from bsth_c_line where line_code = '"+line+"'";
+			List<String> objList = new ArrayList<String>();
+			String sql = "select start_station_name, end_station_name from bsth_c_line where line_code = ?";
+			objList.add(line);
  
 			list = jdbcTemplate.query(sql,
+					objList.toArray(),
 					new RowMapper<Map<String, Object>>(){
 				@Override
 				public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -393,16 +414,22 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 		String ttId = map.get("ttId").toString();
  
 		try {
+			List<String> objList = new ArrayList<String>();
 			String sql = "select td.lp, lp.lp_name from bsth_c_s_ttinfo_detail td" +
 					" left join bsth_c_s_gbi lp on td.lp = lp.id" +
 					" left join bsth_c_line cl on cl.id = td.xl where 1=1";
-			if(line.length() != 0)
-				sql += " and cl.line_code = '"+line+"'";
-			if(ttId.length() != 0)
-				sql += " and td.ttinfo = '"+ttId+"'";
+			if(line.length() != 0){
+				sql += " and cl.line_code = ?";
+				objList.add(line);
+			}
+			if(ttId.length() != 0){
+				sql += " and td.ttinfo = ?";
+				objList.add(ttId);
+			}
 			sql += " group by td.lp, lp.lp_name";
  
 			 list = jdbcTemplate.query(sql,
+					 objList.toArray(),
 					new RowMapper<Map<String, Object>>(){
 				@Override
 				public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2356,11 +2383,14 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 			endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 		}
 		try {
-
-			String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str"
-					+ " >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'";
+			List<String> objList = new ArrayList<String>();
+			String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+			objList.add(startDate);
+			objList.add(endDate);
+			
 			if(line.length() != 0){
-				sql += " and xl_bm = '"+line+"'";
+				sql += " and xl_bm = ?";
+				objList.add(line);
 			}
 			if(sfqr == 1 && times.length() != 0){
 				String[] split = times.split("-");
@@ -2375,14 +2405,17 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 				}
 			}
 			if(company.length() != 0){
-				sql += " and gs_bm = '"+company+"'";
+				sql += " and gs_bm = ?";
+				objList.add(company);
 			}
 			if(subCompany.length() != 0){
-				sql += " and fgs_bm = '"+subCompany+"'";
+				sql += " and fgs_bm = ?";
+				objList.add(subCompany);
 			}
 			sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
  
 			list = jdbcTemplate.query(sql,
+					objList.toArray(),
 					new RowMapper<ScheduleRealInfo>(){
 				@Override
 				public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -3170,20 +3203,30 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 		if(map.get("sfyy")!=null)
 			sfyy = map.get("sfyy").toString().trim();
  
+		List<String> objList = new ArrayList<String>();
 		String sql = "select id, cl_zbh, fcsj, fcsj_actual, j_gh, j_name, lp_name, qdz_name, " +
 				"schedule_date_str, xl_name, zdsj, zdsj_actual, fgs_bm, fgs_name, gs_name, xl_dir, xl_bm " +
 				"from bsth_c_s_sp_info_real " +
-				"where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"' " +
+				"where schedule_date_str >= ? and schedule_date_str <= ? " +
 				"and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and cc_service = 0";
+		objList.add(startDate);
+		objList.add(endDate);
  
-		if(company.length() != 0)
-			sql += " and gs_bm = '"+company+"'";
-		if(subCompany.length() != 0)
-			sql += " and fgs_bm = '"+subCompany+"'";
-		if(line.length() != 0)
-			sql += " and xl_bm = '"+line+"'";
+		if(company.length() != 0){
+			sql += " and gs_bm = ?";
+			objList.add(company);
+		}
+		if(subCompany.length() != 0){
+			sql += " and fgs_bm = ?";
+			objList.add(subCompany);
+		}
+		if(line.length() != 0){
+			sql += " and xl_bm = ?";
+			objList.add(line);
+		}
  
 		List<ScheduleRealInfo> list = jdbcTemplate.query(sql,
+				objList.toArray(),
 				new RowMapper<ScheduleRealInfo>(){
 			@Override
 			public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {