fix: sql字符串拼接改为占位符形式,防sql注入

meilin.huang
2022-10-31 18:39:52 +08:00
parent 2598a60898
commit 2e5589e112
7 changed files with 39 additions and 20 deletions


@@ -217,7 +217,7 @@ func GetPageBySql(sql string, param *PageParam, toModel interface{}, args ...int
}
// 分页查询
limitSql := sql + " LIMIT " + strconv.Itoa((param.PageNum-1)*param.PageSize) + ", " + strconv.Itoa(param.PageSize)
err = db.Raw(limitSql).Scan(toModel).Error
err = db.Raw(limitSql, args...).Scan(toModel).Error
biz.ErrIsNil(err, "查询失败: %s")
return &PageResult{Total: int64(count), List: toModel}
}
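Review bot: The LIMIT clause on the new side is still built by concatenation from `param.PageNum` and `param.PageSize`, and nothing visible in the hunk bounds either value. Both are ints, so this is not an injection path, but a PageNum below 1 yields a negative offset and a failing query, and an uncapped PageSize lets a single request pull an arbitrarily large result set. Unless these are already validated earlier in GetPageBySql (the function starts outside the hunk), I would add a guard before the query, for example `if param.PageNum < 1 || param.PageSize < 1 || param.PageSize > maxPageSize { /* reject or clamp */ }`, where `maxPageSize` is a limit the project would need to define. The new `args...` binding only helps when callers put every value in `args` and keep `sql` to `?` placeholders, so a doc comment on the function should say so, e.g. `// sql must contain only ? placeholders; pass all caller-supplied values through args`.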