Commit 94af6803f2f7b2263de5c33824603cd59204febd

Authored by 娄高锋
1 parent b22c203d

改掉sql拼接(sql注入漏洞)。

# Conflicts:
#	src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
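--- a/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
+++ b/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
@@ -46,18 +46,27 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 List<ScheduleRealInfo> list = new ArrayList<ScheduleRealInfo>();
 
 try {
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = ?";
+objList.add(date);
 
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 sql += " order by gs_bm, fgs_bm, xl_bm";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -193,17 +202,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
-
-String sql = "select * from bsth_c_s_sp_info where schedule_date = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info where schedule_date = ?";
+objList.add(date);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<SchedulePlanInfo>(){
 @Override
 public SchedulePlanInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -601,19 +618,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
+List<String> objList = new ArrayList<String>();
 String sql = "select schedule_date_str,xl_name,bc_type,gs_name,fgs_name,fgs_bm,bcs,"
 +"fcno,fcsj,fcsj_actual,zdsj,zdsj_actual,bcsj,qdz_name,sp_id,cc_service"
-+" from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate
-+"' and schedule_date_str <= '"+endDate+"'";
++" from bsth_c_s_sp_info_real where schedule_date_str >= ?"
++" and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql += " and gs_bm = '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm = '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(Integer.valueOf(bcType) == 1){
@@ -622,6 +645,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 sql += " and bc_type = 'region'";
 }
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -915,19 +939,26 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(nbbm.length() != 0){
-sql += " and cl_zbh like '%"+nbbm+"%'";
+sql += " and cl_zbh like ?";
+objList.add("%" + nbbm + "%");
 }
 if(company.length() != 0){
-sql += " and gs_bm like '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm like '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(bcType.trim().equals("1")){
@@ -937,6 +968,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1206,20 +1238,28 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 isCancel = map.get("isCancel").toString().trim();
 }
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select tt.id, tt.name from bsth_c_s_ttinfo tt left join" +
 " (select tt_info from bsth_c_s_sp_info where 1=1";
-if(startDate.trim().length() > 0)
-sql += " and schedule_date >= '"+startDate+"'";
-if(endDate.trim().length() > 0)
-sql += " and schedule_date <= '"+endDate+"'";
+
+if(startDate.trim().length() > 0){
+sql += " and schedule_date >= ?";
+objList.add(startDate);
+}
+if(endDate.trim().length() > 0){
+sql += " and schedule_date <= ?";
+objList.add(endDate);
+}
 if(line.trim().length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 } else {
 return resList;
 }
 sql += " ) sp on sp.tt_info = tt.id where sp.tt_info is not null group by tt.id, tt.name";
 
 resList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1261,18 +1301,28 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 date = sdf.format(new Date());
 
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select a.schedule_date_str, a.real_exec_date, a.xl_name, a.fcsj, a.fcsj_actual, a.zdsj, a.zdsj_actual, a.qdz_name, a.zdz_name, a.xl_dir, a.status, a.gs_name, a.fgs_name,"
 + " a.xl_bm, a.fgs_bm, a.cc_service, b.start_opt from bsth_c_s_sp_info_real a left join (select line, start_opt from bsth_c_line_config order by id desc) b on a.xl_bm = b.line"
-+ " where schedule_date_str = '"+date+"'"
++ " where schedule_date_str = ?"
 + " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and bc_type != 'region'";
-if(line.trim().length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+objList.add(date);
+
+if(line.trim().length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1532,19 +1582,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select a.schedule_date_str, a.real_exec_date, a.xl_bm, a.xl_name, a.fcsj, a.fcsj_actual, a.zdsj, a.zdsj_actual, a.qdz_name, a.zdz_name, a.xl_dir, a.status, a.gs_name, a.fgs_name,"
 + " a.fgs_bm, a.cc_service, a.remarks, a.adjust_exps, b.start_opt from bsth_c_s_sp_info_real a left join (select line, start_opt from bsth_c_line_config order by id desc) b "
 + " on a.xl_bm = b.line"
-+ " where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'"
++ " where schedule_date_str >= ? and schedule_date_str <= ?"
 + " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and bc_type != 'region'";
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+objList.add(startDate);
+objList.add(endDate);
+
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2150,24 +2211,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' ";
++ " WHERE schedule_date_str = ? ";
+objList.add(date);
+
 if(!line.equals("")){
-sql_ += " and xl_bm = '"+line+"'";
+sql_ += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql_ += " and gs_bm='"+company+"'";
+sql_ += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql_ += " and fgs_bm='"+subCompany+"'";
+sql_ += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as line_sch FROM ("+sql_+") AS r"
 + " order by r.gs_bm,r.fgs_bm,r.xl_bm,r.id ";
 
 List<Map<String, Object>> tempList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2372,14 +2439,18 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and xl_bm = '"+line+"'";
++ " WHERE schedule_date_str = ? and xl_bm = ?";
+objList.add(date);
+objList.add(line);
 
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as gh_sch FROM ("+sql_+") AS r"
 + " order by r.xl_name,r.id ";
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2577,14 +2648,17 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 if(map.get("type")!=null)
 type = map.get("type").toString().trim();
 
-String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and j_gh = '"+jgh+"'";
+List<String> objList = new ArrayList<String>();
+String sql_ = "select * from bsth_c_s_sp_info_real "
++ " WHERE schedule_date_str = ? and j_gh = ?";
+objList.add(date);
+objList.add(jgh);
 
 if(!line.equals("")){
-sql_ +=" and xl_bm = '"+line+"'";
+sql_ +=" and xl_bm = ?";
+objList.add(line);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.fcsj,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,"
 + " r.fcsj,d. TIMESTAMP,d.reply46,d.reply47,d.reply46time,d.reply47time,"
 + " r.gs_name,r.fgs_name FROM ("+sql_+") "
@@ -2593,6 +2667,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {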
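Review bot: In the hunk at new lines 952–953 the bound value `"%" + nbbm + "%"` is no longer injectable, but any `%` or `_` the caller puts into `nbbm` still acts as a LIKE wildcard, so an input of `_` matches every row with a non-empty `cl_zbh`; if a literal substring search is intended, escape those characters before wrapping, e.g. `objList.add("%" + nbbm.replace("%", "\\%").replace("_", "\\_") + "%");` and add `escape '\\'` to the predicate where the database does not default to backslash escaping. The same hunk also turns `gs_bm like '...'` and `fgs_bm like '...'` into `= ?` (new lines 956 and 960), which is a behaviour change for values containing wildcards rather than a pure parameterisation and is worth calling out in the commit message. In the hunks at new lines 2215–2237, 2444–2453 and 2652–2670 the parameterised `sql_` fragment is still spliced into the outer statement as text; binding is correct only because the fragment's `?` placeholders come before any other placeholder in the outer query, so a comment such as `// placeholders in sql_ are positional: keep it before any other "?" in the outer statement` would protect that invariant. The outer `sql` assembled between new lines 2664 and 2667 lies outside the hunk, so I could not confirm that it interpolates no further request values such as `type`.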