fxz/RuoYi-Vue-Mirror
1
0
Fork 0
mirror of https://gitee.com/y_project/RuoYi-Vue.git synced 2026-05-22 17:58:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

update sqlkeyword

Browse Source
This commit is contained in:
RuoYi
2026-03-30 16:35:58 +08:00
parent 0e2d75c23c
commit b3a2572410
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+4 -3
View File
@@ -13,7 +13,7 @@ public class SqlUtil
/** /**
* 定义常用的 sql关键字 * 定义常用的 sql关键字
*/ */
public static String SQL_REGEX = "\u000B|and |extractvalue|updatexml|sleep|information_schema|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()"; public static String SQL_REGEX = "\u000B|%0A|and |extractvalue|updatexml|sleep|information_schema|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()";
/** /**
* 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序) * 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序)
@@ -58,12 +58,13 @@ public class SqlUtil
{ {
return; return;
} }
String normalizedValue = value.replaceAll("\\p{Z}|\\s", "");
String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|"); String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
for (String sqlKeyword : sqlKeywords) for (String sqlKeyword : sqlKeywords)
{ {
if (StringUtils.indexOfIgnoreCase(value, sqlKeyword) > -1) if (StringUtils.indexOfIgnoreCase(normalizedValue, sqlKeyword) > -1)
{ {
throw new UtilException("参数存在SQL注入风险"); throw new UtilException("请求参数包含敏感关键词'" + sqlKeyword + "',可能存在安全风险");
} }
} }
} }