改掉sql拼接（sql注入漏洞）。

娄高锋
1 parent 6b52b7ba
Showing 1 changed file with 47 additions and 21 deletions
src/main/java/com/bsth/service/impl/BusIntervalServiceImpl.java
@@ -828,31 +828,38 @@ public class BusIntervalServiceImpl implements BusIntervalService {
  
 		try {
  
-			String where = "";
+			List<String> objList = new ArrayList<String>();
+			String sql = "select id, schedule_date_str, real_exec_date, xl_name, lp_name, bcs, bcsj, jhlc, bc_type, xl_bm, fgs_bm,"
+					+ " fcsj, fcsj_actual, zdsj, zdsj_actual, qdz_name, zdz_name, xl_dir, status, remarks, gs_name, fgs_name, sp_id"
+					+ " ,cc_service from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+			objList.add(startDate);
+			objList.add(endDate);
+			
 			if(line.length() != 0 && statu.equals("1")){
-				where += " and xl_bm = '"+line+"'";
+				sql += " and xl_bm = ?";
+				objList.add(line);
 			}
 			if(lp.length() != 0 && statu.equals("1")){
-				where += " and lp_name = '"+lp+"'";
+				sql += " and lp_name = ?";
+				objList.add(lp);
 			}
 			if(company.length() != 0){
-				where += " and gs_bm = '"+company+"'";
+				sql += " and gs_bm = ?";
+				objList.add(company);
 			}
 			if(subCompany.length() != 0){
-				where += " and fgs_bm = '"+subCompany+"'";
+				sql += " and fgs_bm = ?";
+				objList.add(subCompany);
 			}
 			if(sfqr == 1){
-				where += " and zdsj >= '"+times1+"' and fcsj <= '"+times2+"'";
+				sql += " and zdsj >= ? and fcsj <= ?";
+				objList.add(times1);
+				objList.add(times2);
 			}
-//			where += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
-			where += " and bc_type != 'ldks'";
-			
-			String sql = "select id, schedule_date_str, real_exec_date, xl_name, lp_name, bcs, bcsj, jhlc, bc_type, xl_bm, fgs_bm,"
-					+ " fcsj, fcsj_actual, zdsj, zdsj_actual, qdz_name, zdz_name, xl_dir, status, remarks, gs_name, fgs_name, sp_id"
-					+ " ,cc_service from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate+"'"
-					+ " and schedule_date_str <= '"+endDate+"'"+where+"";
+			sql += " and bc_type != 'ldks'";
  
 			list = jdbcTemplate.query(sql,
+					objList.toArray(),
 					new RowMapper<ScheduleRealInfo>(){
 				@Override
 				public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -932,23 +939,32 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 			{
 				List<Map<String, String>> temp1 = new ArrayList<Map<String, String>>();
 				List<Map<String, String>> temp2 = new ArrayList<Map<String, String>>();
+				
+				List<String> objList2 = new ArrayList<String>();
 				sql = "select id, lp, fcsj, xl_bm, tt_info from bsth_c_s_sp_info where bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
  
 				if(startDate.equals(endDate)){
-					sql += " and schedule_date = '"+startDate+"'";
+					sql += " and schedule_date = ?";
+					objList2.add(startDate);
 				} else {
-					sql += " and schedule_date >= '"+startDate+"' and schedule_date <= '"+endDate+"'";
+					sql += " and schedule_date >= ? and schedule_date <= ?";
+					objList2.add(startDate);
+					objList2.add(endDate);
 				}
 				if(line.length() != 0 && statu.equals("1")){
-					sql += " and xl_bm = '"+line+"'";
+					sql += " and xl_bm = ?";
+					objList2.add(line);
 				}
 				if(company.length() != 0){
-					sql += " and gs_bm = '"+company+"'";
+					sql += " and gs_bm = ?";
+					objList2.add(company);
 				}
 				if(subCompany.length() != 0){
-					sql += " and fgs_bm = '"+subCompany+"'";
+					sql += " and fgs_bm = ?";
+					objList2.add(subCompany);
 				}
 				temp1 = jdbcTemplate.query(sql,
+						objList2.toArray(),
 						new RowMapper<Map<String, String>>(){
 					@Override
 					public Map<String, String> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -961,13 +977,17 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 						return m;
 					}
 				});
+				
+				List<String> objList3 = new ArrayList<String>();
 				sql = "select * from bsth_c_s_ttinfo_detail where ists = 1"
 						+ " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
  
 				if(line.length() != 0 && statu.equals("1")){
-					sql += " and xl = '"+line+"'";
+					sql += " and xl = ?";
+					objList3.add(line);
 				}
 				temp2 = jdbcTemplate.query(sql,
+						objList.toArray(),
 						new RowMapper<Map<String, String>>(){
 					@Override
 					public Map<String, String> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -998,6 +1018,7 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 				if(id1 == 0 || id1 > s.getId())
 					id1 = s.getId();
 			}
+			
 			sql = "select destroy, start_date, end_date, mileage, mileage_type, schedule from bsth_c_s_child_task";
 			sql += " where id >= "+id1+" and id <= "+id2+" order by start_date";
  
@@ -1017,12 +1038,17 @@ public class BusIntervalServiceImpl implements BusIntervalService {
 			});
  
 			if(model.length() != 0){
+				List<String> objList4 = new ArrayList<String>();
 				sql = "select sp.id from "
-						+ "(select id, tt_info, xl_bm, lp, fcsj from bsth_c_s_sp_info where schedule_date >= '"+startDate+"' and schedule_date <= '"+endDate+"'"
-						+ " and tt_info = '" + model + "' and bc_type != 'ldks') sp"
+						+ "(select id, tt_info, xl_bm, lp, fcsj from bsth_c_s_sp_info where schedule_date >= ? and schedule_date <= ?"
+						+ " and tt_info = ? and bc_type != 'ldks') sp"
 						+ " left join bsth_c_s_ttinfo_detail tt on sp.tt_info = tt.ttinfo and sp.xl_bm = tt.xl and sp.lp = tt.lp and sp.fcsj = tt.fcsj";
+				objList4.add(startDate);
+				objList4.add(endDate);
+				objList4.add(model);
  
 				ttList = jdbcTemplate.query(sql,
+						objList4.toArray(),
 						new RowMapper<Map<String, Object>>(){
 					@Override
 					public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {