改掉sql拼接（sql注入漏洞）

娄高锋
1 parent 424002af
Showing 1 changed file with 18 additions and 11 deletions
src/main/java/com/bsth/service/calc/impl/CalcWaybillServiceImpl.java
@@ -190,14 +190,15 @@ public class CalcWaybillServiceImpl extends BaseServiceImpl&lt;CalcWaybill, Integer
 				return newMap;
 			}
-//			String sql = "select c.id,c.out_config,c.start_opt,t.line_code from bsth_c_line_config c LEFT JOIN bsth_c_line t on c.line=t.id";
-			String sql="select xl_bm as line_code from bsth_c_s_sp_info_real where schedule_date_str = '"+date+"'";
+			List<String> objList = new ArrayList<String>();
+			objList.add(date);
+			String sql="select xl_bm as line_code from bsth_c_s_sp_info_real where schedule_date_str = ?";
 	        if(line.trim().length() > 0){
-	        	sql += " and xl_bm = '"+line+"'";
-//				sql += " where t.line_code = " + line;
+	        	sql += " and xl_bm = ?";
+	        	objList.add(line);
 	        }
 	        sql += " group by xl_bm";
-			List<Map<String, Object>> listLineConfig = jdbcTemplate.query(sql,
+			List<Map<String, Object>> listLineConfig = jdbcTemplate.query(sql, objList.toArray(),
 						new RowMapper<Map<String, Object>>(){
 					@Override
 					public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -209,11 +210,13 @@ public class CalcWaybillServiceImpl extends BaseServiceImpl&lt;CalcWaybill, Integer
 						return m;
 			}});
+			List<String> xlObjList = new ArrayList<String>();
 			String xlSql="select line_code,spac_grade from bsth_c_line";
 			if(line.length() != 0){
-				xlSql += " where line_code ='"+line+"'";
+				xlSql += " where line_code = ?";
+				xlObjList.add(line);
 			}
-			List<Map<String, Object>> xlList=jdbcTemplate.query(xlSql, new RowMapper<Map<String, Object>>() {
+			List<Map<String, Object>> xlList=jdbcTemplate.query(xlSql, xlObjList.toArray(), new RowMapper<Map<String, Object>>() {
 				@Override
 				public Map<String, Object> mapRow(ResultSet arg0, int arg1) throws SQLException {
 					Map<String, Object> map=new HashMap<String,Object>();
@@ -515,11 +518,15 @@ public class CalcWaybillServiceImpl extends BaseServiceImpl&lt;CalcWaybill, Integer
 		        List<ScheduleRealInfo> list_s = new ArrayList<ScheduleRealInfo>();
 		        List<ScheduleRealInfo> lists = new ArrayList<ScheduleRealInfo>();
-		        String gsSql="select gs_bm, fgs_bm from bsth_c_s_sp_info_real where schedule_date_str = '"+rq+"'";
-		        if(line.trim().length() > 0)
-		        	gsSql += " and xl_bm = '"+line+"'";
+		        List<String> objList = new ArrayList<String>();
+		        objList.add(rq);
+		        String gsSql="select gs_bm, fgs_bm from bsth_c_s_sp_info_real where schedule_date_str = ?";
+		        if(line.trim().length() > 0){
+		        	gsSql += " and xl_bm = ?";
+		        	objList.add(line);
+		        }
 				gsSql += " group by gs_bm, fgs_bm";
-				List<Map<String, String>> gsList=jdbcTemplate.query(gsSql, new RowMapper<Map<String, String>>() {
+				List<Map<String, String>> gsList=jdbcTemplate.query(gsSql, objList.toArray(), new RowMapper<Map<String, String>>() {
 					@Override
 					public Map<String, String> mapRow(ResultSet arg0, int arg1) throws SQLException {
 						Map<String, String> m = new HashMap<String, String>();