Commit e2819b0595bec364804a77d0d20fbac67319c287

Authored by 娄高锋
1 parent def55653

改掉sql拼接(sql注入漏洞)。

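--- a/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
+++ b/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
@@ -46,18 +46,27 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 List<ScheduleRealInfo> list = new ArrayList<ScheduleRealInfo>();
 
 try {
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = ?";
+objList.add(date);
 
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 sql += " order by gs_bm, fgs_bm, xl_bm";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -193,17 +202,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
-
-String sql = "select * from bsth_c_s_sp_info where schedule_date = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info where schedule_date = ?";
+objList.add(date);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<SchedulePlanInfo>(){
 @Override
 public SchedulePlanInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -609,19 +626,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
+List<String> objList = new ArrayList<String>();
 String sql = "select schedule_date_str,xl_name,bc_type,gs_name,fgs_name,fgs_bm,bcs,"
 +"fcno,fcsj,fcsj_actual,zdsj,zdsj_actual,bcsj,qdz_name,sp_id,cc_service"
-+" from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate
-+"' and schedule_date_str <= '"+endDate+"'";
++" from bsth_c_s_sp_info_real where schedule_date_str >= ?"
++" and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql += " and gs_bm = '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm = '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(Integer.valueOf(bcType) == 1){
@@ -630,6 +653,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 sql += " and bc_type = 'region'";
 }
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -923,19 +947,26 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(nbbm.length() != 0){
-sql += " and cl_zbh like '%"+nbbm+"%'";
+sql += " and cl_zbh like ?";
+objList.add("%" + nbbm + "%");
 }
 if(company.length() != 0){
-sql += " and gs_bm like '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm like '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(bcType.trim().equals("1")){
@@ -945,6 +976,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1214,20 +1246,28 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 isCancel = map.get("isCancel").toString().trim();
 }
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select tt.id, tt.name from bsth_c_s_ttinfo tt left join" +
 " (select tt_info from bsth_c_s_sp_info where 1=1";
-if(startDate.trim().length() > 0)
-sql += " and schedule_date >= '"+startDate+"'";
-if(endDate.trim().length() > 0)
-sql += " and schedule_date <= '"+endDate+"'";
+
+if(startDate.trim().length() > 0){
+sql += " and schedule_date >= ?";
+objList.add(startDate);
+}
+if(endDate.trim().length() > 0){
+sql += " and schedule_date <= ?";
+objList.add(endDate);
+}
 if(line.trim().length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 } else {
 return resList;
 }
 sql += " ) sp on sp.tt_info = tt.id where sp.tt_info is not null group by tt.id, tt.name";
 
 resList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1269,19 +1309,29 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 date = sdf.format(new Date());
 
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select a.schedule_date_str, a.real_exec_date, a.xl_name, a.fcsj, a.fcsj_actual, a.zdsj, a.zdsj_actual, a.qdz_name, a.zdz_name, a.xl_dir, a.status, a.gs_name, a.fgs_name,"
 + " a.xl_bm, a.fgs_bm, a.cc_service, (select start_opt from bsth_c_line_config where id ="
 + " (select max(id) from bsth_c_line_config where line = (select id from bsth_c_line where line_code = a.xl_bm))) start_opt"
-+ " from bsth_c_s_sp_info_real a where schedule_date_str = '"+date+"'"
++ " from bsth_c_s_sp_info_real a where schedule_date_str = ?"
 + " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and bc_type != 'region'";
-if(line.trim().length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+objList.add(date);
+
+if(line.trim().length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1541,19 +1591,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select a.schedule_date_str, a.real_exec_date, a.xl_bm, a.xl_name, a.fcsj, a.fcsj_actual, a.zdsj, a.zdsj_actual, a.qdz_name, a.zdz_name, a.xl_dir, a.status, a.gs_name, a.fgs_name,"
 + " a.fgs_bm, a.cc_service, a.remarks, a.adjust_exps, (select start_opt from bsth_c_line_config where id = "
 + " (select max(id) from bsth_c_line_config where line = (select id from bsth_c_line where line_code = a.xl_bm))) start_opt"
-+ " from bsth_c_s_sp_info_real a where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'"
++ " from bsth_c_s_sp_info_real a where schedule_date_str >= ? and schedule_date_str <= ?"
 + " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and bc_type != 'region'";
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+objList.add(startDate);
+objList.add(endDate);
+
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2159,24 +2220,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' ";
++ " WHERE schedule_date_str = ? ";
+objList.add(date);
+
 if(!line.equals("")){
-sql_ += " and xl_bm = '"+line+"'";
+sql_ += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql_ += " and gs_bm='"+company+"'";
+sql_ += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql_ += " and fgs_bm='"+subCompany+"'";
+sql_ += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as line_sch FROM ("+sql_+") AS r"
 + " order by r.gs_bm,r.fgs_bm,r.xl_bm,r.id ";
 
 List<Map<String, Object>> tempList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2381,14 +2448,18 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and xl_bm = '"+line+"'";
++ " WHERE schedule_date_str = ? and xl_bm = ?";
+objList.add(date);
+objList.add(line);
 
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as gh_sch FROM ("+sql_+") AS r"
 + " order by r.xl_name,r.id ";
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2586,14 +2657,17 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 if(map.get("type")!=null)
 type = map.get("type").toString().trim();
 
-String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and j_gh = '"+jgh+"'";
+List<String> objList = new ArrayList<String>();
+String sql_ = "select * from bsth_c_s_sp_info_real "
++ " WHERE schedule_date_str = ? and j_gh = ?";
+objList.add(date);
+objList.add(jgh);
 
 if(!line.equals("")){
-sql_ +=" and xl_bm = '"+line+"'";
+sql_ +=" and xl_bm = ?";
+objList.add(line);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.fcsj,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,"
 + " r.fcsj,d. TIMESTAMP,d.reply46,d.reply47,d.reply46time,d.reply47time,"
 + " r.gs_name,r.fgs_name FROM ("+sql_+") "
@@ -2602,6 +2676,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {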
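Review bot: In the nbbm filter of the hunk at @@ -923,19 +947,26 @@ (new lines 960–961), the bound value `"%" + nbbm + "%"` is not escaped, so `%` and `_` inside the caller-supplied string are still interpreted as LIKE wildcards; that is no longer injection, but a caller can widen the match to the whole table, and if substring semantics are intended the metacharacters should be escaped before binding with an explicit escape character, e.g. `sql += " and cl_zbh like ? escape '!'";` and `objList.add("%" + nbbm.replace("!", "!!").replace("%", "!%").replace("_", "!_") + "%");`. The same hunk also silently changes `gs_bm like '…'` and `fgs_bm like '…'` to `= ?` (new lines 964 and 968), which drops whatever wildcard matching callers relied on and is not mentioned in the commit message; if intentional it deserves a sentence there. Every hunk repeats the same "append `?`, then `objList.add(...)`" pair for the xl_bm/gs_bm/fgs_bm filters, where correctness depends on the add order tracking the placeholder order; a small private helper taking the column, the value and the list would make that pairing explicit and remove the duplication. All of the enclosing methods start and end outside the hunks shown.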