Commit d787b088efda2ac421ce452b7f2dc29a11df0332
1 parent
424002af
改掉sql拼接(sql注入漏洞)
Showing
1 changed file
with
18 additions
and
11 deletions
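--- a/src/main/java/com/bsth/service/calc/impl/CalcWaybillServiceImpl.java
+++ b/src/main/java/com/bsth/service/calc/impl/CalcWaybillServiceImpl.java
@@ -190,14 +190,15 @@ public class CalcWaybillServiceImpl extends BaseServiceImpl<CalcWaybill, Integer
 return newMap;
 }
 
-// String sql = "select c.id,c.out_config,c.start_opt,t.line_code from bsth_c_line_config c LEFT JOIN bsth_c_line t on c.line=t.id";
- String sql="select xl_bm as line_code from bsth_c_s_sp_info_real where schedule_date_str = '"+date+"'";
+ List<String> objList = new ArrayList<String>();
+ objList.add(date);
+ String sql="select xl_bm as line_code from bsth_c_s_sp_info_real where schedule_date_str = ?";
 if(line.trim().length() > 0){
- sql += " and xl_bm = '"+line+"'";
-// sql += " where t.line_code = " + line;
+ sql += " and xl_bm = ?";
+ objList.add(line);
 }
 sql += " group by xl_bm";
- List<Map<String, Object>> listLineConfig = jdbcTemplate.query(sql,
+ List<Map<String, Object>> listLineConfig = jdbcTemplate.query(sql, objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -209,11 +210,13 @@ public class CalcWaybillServiceImpl extends BaseServiceImpl<CalcWaybill, Integer
 return m;
 }});
 
+ List<String> xlObjList = new ArrayList<String>();
 String xlSql="select line_code,spac_grade from bsth_c_line";
 if(line.length() != 0){
- xlSql += " where line_code ='"+line+"'";
+ xlSql += " where line_code = ?";
+ xlObjList.add(line);
 }
- List<Map<String, Object>> xlList=jdbcTemplate.query(xlSql, new RowMapper<Map<String, Object>>() {
+ List<Map<String, Object>> xlList=jdbcTemplate.query(xlSql, xlObjList.toArray(), new RowMapper<Map<String, Object>>() {
 @Override
 public Map<String, Object> mapRow(ResultSet arg0, int arg1) throws SQLException {
 Map<String, Object> map=new HashMap<String,Object>();
@@ -515,11 +518,15 @@ public class CalcWaybillServiceImpl extends BaseServiceImpl<CalcWaybill, Integer
 List<ScheduleRealInfo> list_s = new ArrayList<ScheduleRealInfo>();
 List<ScheduleRealInfo> lists = new ArrayList<ScheduleRealInfo>();
 
- String gsSql="select gs_bm, fgs_bm from bsth_c_s_sp_info_real where schedule_date_str = '"+rq+"'";
- if(line.trim().length() > 0)
- gsSql += " and xl_bm = '"+line+"'";
+ List<String> objList = new ArrayList<String>();
+ objList.add(rq);
+ String gsSql="select gs_bm, fgs_bm from bsth_c_s_sp_info_real where schedule_date_str = ?";
+ if(line.trim().length() > 0){
+ gsSql += " and xl_bm = ?";
+ objList.add(line);
+ }
 gsSql += " group by gs_bm, fgs_bm";
- List<Map<String, String>> gsList=jdbcTemplate.query(gsSql, new RowMapper<Map<String, String>>() {
+ List<Map<String, String>> gsList=jdbcTemplate.query(gsSql, objList.toArray(), new RowMapper<Map<String, String>>() {
 @Override
 public Map<String, String> mapRow(ResultSet arg0, int arg1) throws SQLException {
 Map<String, String> m = new HashMap<String, String>();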
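Review bot: In the first hunk the guard is `line.trim().length() > 0` but the value bound on the next line is the untrimmed `line`, so a whitespace-padded line code passes the guard and then matches no row because the bound parameter keeps its padding; bind the trimmed value instead, e.g. `String lineCode = line.trim();` before the guard and `objList.add(lineCode);` in the branch, and the same at the `gsSql` branch in the third hunk. The second hunk guards with `line.length() != 0` rather than the trimmed check, so the three queries disagree on whether whitespace-only input adds a filter; one shared guard would keep the binding and the predicate consistent. `objList` is also declared as `List<String>` but only ever consumed through `toArray()`, so `List<Object>` (or `Arrays.asList(...)`) would read more naturally for a bind-parameter list. The enclosing methods begin before each hunk, so it is not visible here whether `line`, `date` and `rq` are already null-checked on entry.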