github/RuoYi-Vue
4
0
Fork 1
mirror of https://gitee.com/y_project/RuoYi-Vue.git synced 2026-04-30 00:00:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

update sqlkeyword

Browse Source
This commit is contained in:
RuoYi
2026-03-30 16:35:58 +08:00
parent 0e2d75c23c
commit b3a2572410
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+4 -3
View File
@@ -13,7 +13,7 @@ public class SqlUtil
/**
* 定义常用的 sql关键字
*/
public static String SQL_REGEX = "\u000B|and |extractvalue|updatexml|sleep|information_schema|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()";
public static String SQL_REGEX = "\u000B|%0A|and |extractvalue|updatexml|sleep|information_schema|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()";
/**
* 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序)
@@ -58,12 +58,13 @@ public class SqlUtil
{
return;
}
String normalizedValue = value.replaceAll("\\p{Z}|\\s", "");
String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
for (String sqlKeyword : sqlKeywords)
{
if (StringUtils.indexOfIgnoreCase(value, sqlKeyword) > -1)
if (StringUtils.indexOfIgnoreCase(normalizedValue, sqlKeyword) > -1)
{
throw new UtilException("参数存在SQL注入风险");
throw new UtilException("请求参数包含敏感关键词'" + sqlKeyword + "',可能存在安全风险");
}
}
}