fix: sql字符串拼接改为占位符形式，防sql注入

2025-11-04 00:10:25 +08:00 · 2022-10-31 18:39:52 +08:00
parent f936331dff
commit 74e5ee41fb
7 changed files with 39 additions and 20 deletions
--- a/server/internal/db/infrastructure/persistence/db.go
+++ b/server/internal/db/infrastructure/persistence/db.go
@@ -19,20 +19,25 @@ func newDbRepo() repository.Db {
 // 分页获取数据库信息列表
 func (d *dbRepoImpl) GetDbList(condition *entity.DbQuery, pageParam *model.PageParam, toEntity interface{}, orderBy ...string) *model.PageResult {
 	sql := "SELECT d.* FROM t_db d WHERE 1 = 1 "
 	values := make([]interface{}, 0)
 	if condition.Host != "" {
-		sql = sql + " AND d.host LIKE '%" + condition.Host + "%'"
+		sql = sql + " AND d.host LIKE ?"
 		values = append(values, "%"+condition.Host+"%")
 	}
 	if condition.Database != "" {
-		sql = sql + " AND d.database LIKE '%" + condition.Database + "%'"
+		sql = sql + " AND d.database LIKE ?"
 		values = append(values, "%"+condition.Database+"%")
 	}
 	if len(condition.TagIds) > 0 {
 		sql = sql + " AND d.tag_id IN " + fmt.Sprintf("(%s)", strings.Join(utils.NumberArr2StrArr(condition.TagIds), ","))
 	}
 	if condition.TagPathLike != "" {
-		sql = sql + " AND d.tag_path LIKE '" + condition.TagPathLike + "%'"
+		sql = sql + " AND d.tag_path LIKE ?"
 		values = append(values, "%"+condition.TagPathLike+"%")
 	}
 	sql = sql + " ORDER BY d.tag_path"
-	return model.GetPageBySql(sql, pageParam, toEntity)
+	return model.GetPageBySql(sql, pageParam, toEntity, values...)
 }
 func (d *dbRepoImpl) Count(condition *entity.DbQuery) int64 {
--- a/server/internal/machine/infrastructure/persistence/machine.go
+++ b/server/internal/machine/infrastructure/persistence/machine.go
@@ -19,20 +19,25 @@ func newMachineRepo() repository.Machine {
 // 分页获取机器信息列表
 func (m *machineRepoImpl) GetMachineList(condition *entity.MachineQuery, pageParam *model.PageParam, toEntity interface{}, orderBy ...string) *model.PageResult {
 	sql := "SELECT m.* FROM t_machine m WHERE 1 = 1 "
 	values := make([]interface{}, 0)
 	if condition.Ip != "" {
-		sql = sql + " AND m.ip LIKE '%" + condition.Ip + "%'"
+		sql = sql + " AND m.ip LIKE ?"
 		values = append(values, "%"+condition.Ip+"%")
 	}
 	if condition.Name != "" {
-		sql = sql + " AND m.name LIKE '%" + condition.Name + "%'"
+		sql = sql + " AND m.name LIKE ?"
 		values = append(values, "%"+condition.Name+"%")
 	}
 	if len(condition.TagIds) > 0 {
 		sql = fmt.Sprintf("%s AND m.tag_id IN (%s) ", sql, strings.Join(utils.NumberArr2StrArr(condition.TagIds), ","))
 	}
 	if condition.TagPathLike != "" {
-		sql = sql + " AND m.tag_path LIKE '" + condition.TagPathLike + "%'"
+		sql = sql + " AND m.tag_path LIKE ?"
 		values = append(values, condition.TagPathLike+"%")
 	}
 	sql = sql + " ORDER BY m.tag_path"
-	return model.GetPageBySql(sql, pageParam, toEntity)
+	return model.GetPageBySql(sql, pageParam, toEntity, values...)
 }
 func (m *machineRepoImpl) Count(condition *entity.MachineQuery) int64 {
--- a/server/internal/mongo/infrastructure/persistence/mongo_repo.go
+++ b/server/internal/mongo/infrastructure/persistence/mongo_repo.go
@@ -23,11 +23,14 @@ func (d *mongoRepoImpl) GetList(condition *entity.MongoQuery, pageParam *model.P
 	if len(condition.TagIds) > 0 {
 		sql = sql + " AND d.tag_id IN " + fmt.Sprintf("(%s)", strings.Join(utils.NumberArr2StrArr(condition.TagIds), ","))
 	}
 	values := make([]interface{}, 0)
 	if condition.TagPathLike != "" {
-		sql = sql + " AND d.tag_path LIKE '" + condition.TagPathLike + "%'"
+		values = append(values, condition.TagPathLike+"%")
 		sql = sql + " AND d.tag_path LIKE ?"
 	}
 	sql = sql + " ORDER BY d.tag_path"
-	return model.GetPageBySql(sql, pageParam, toEntity)
+	return model.GetPageBySql(sql, pageParam, toEntity, values...)
 }
 func (d *mongoRepoImpl) Count(condition *entity.MongoQuery) int64 {
--- a/server/internal/redis/infrastructure/persistence/redis_repo.go
+++ b/server/internal/redis/infrastructure/persistence/redis_repo.go
@@ -19,18 +19,20 @@ func newRedisRepo() repository.Redis {
 // 分页获取机器信息列表
 func (r *redisRepoImpl) GetRedisList(condition *entity.RedisQuery, pageParam *model.PageParam, toEntity interface{}, orderBy ...string) *model.PageResult {
 	sql := "SELECT d.* FROM t_redis d WHERE 1=1  "
-
+	values := make([]interface{}, 0)
 	if condition.Host != "" {
-		sql = sql + " AND d.host LIKE '%" + condition.Host + "%'"
+		sql = sql + " AND d.host LIKE ?"
 		values = append(values, "%"+condition.Host+"%")
 	}
 	if len(condition.TagIds) > 0 {
 		sql = sql + " AND d.tag_id IN " + fmt.Sprintf("(%s)", strings.Join(utils.NumberArr2StrArr(condition.TagIds), ","))
 	}
 	if condition.TagPathLike != "" {
-		sql = sql + " AND d.tag_path LIKE '" + condition.TagPathLike + "%'"
+		sql = sql + " AND d.tag_path LIKE ?"
 		values = append(values, condition.TagPathLike+"%")
 	}
 	sql = sql + " ORDER BY d.tag_path"
-	return model.GetPageBySql(sql, pageParam, toEntity)
+	return model.GetPageBySql(sql, pageParam, toEntity, values...)
 }
 func (r *redisRepoImpl) Count(condition *entity.RedisQuery) int64 {
--- a/server/internal/sys/infrastructure/persistence/account_repo.go
+++ b/server/internal/sys/infrastructure/persistence/account_repo.go
@@ -20,11 +20,12 @@ func (a *accountRepoImpl) GetAccount(condition *entity.Account, cols ...string)
 func (m *accountRepoImpl) GetPageList(condition *entity.Account, pageParam *model.PageParam, toEntity interface{}, orderBy ...string) *model.PageResult {
 	sql := "SELECT * FROM t_sys_account "
 	username := condition.Username
 	values := make([]interface{}, 0)
 	if username != "" {
-		sql = sql + " WHERE username LIKE '%" + username + "%'"
+		sql = sql + " WHERE username LIKE ?"
 		values = append(values, "%"+username+"%")
 	}
-	return model.GetPageBySql(sql, pageParam, toEntity)
+	return model.GetPageBySql(sql, pageParam, toEntity, values...)
 	// return model.GetPage(pageParam, condition, toEntity, orderBy...)
 }
 func (m *accountRepoImpl) Insert(account *entity.Account) {
--- a/server/internal/tag/infrastructure/persistence/team_member.go
+++ b/server/internal/tag/infrastructure/persistence/team_member.go
@@ -31,11 +31,14 @@ func (p *teamMemberRepoImpl) GetPageList(condition *entity.TeamMember, pageParam
 	if condition.TeamId != 0 {
 		sql = fmt.Sprintf("%s AND d.team_id = %d", sql, condition.TeamId)
 	}
 	values := make([]interface{}, 0)
 	if condition.Username != "" {
-		sql = sql + " AND d.Username LIKE '%" + condition.Username + "%'"
+		sql = sql + " AND d.Username LIKE ?"
 		values = append(values, "%"+condition.Username+"%")
 	}
 	sql = sql + " ORDER BY d.id DESC"
-	return model.GetPageBySql(sql, pageParam, toEntity)
+	return model.GetPageBySql(sql, pageParam, toEntity, values...)
 }
 func (p *teamMemberRepoImpl) DeleteBy(condition *entity.TeamMember) {
--- a/server/pkg/model/model.go
+++ b/server/pkg/model/model.go
@@ -217,7 +217,7 @@ func GetPageBySql(sql string, param *PageParam, toModel interface{}, args ...int
 	}
 	// 分页查询
 	limitSql := sql + " LIMIT " + strconv.Itoa((param.PageNum-1)*param.PageSize) + ", " + strconv.Itoa(param.PageSize)
-	err = db.Raw(limitSql).Scan(toModel).Error
+	err = db.Raw(limitSql, args...).Scan(toModel).Error
 	biz.ErrIsNil(err, "查询失败: %s")
 	return &PageResult{Total: int64(count), List: toModel}
 }