New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
指定排序setOrderBy,里面的方法强制检查sql注入,无法使用单引号 #783
Milestone
Comments
有一个不检查的方法你试试 |
哪一个? |
已有项目存在一些类似的使用,没办法直接升级了,想要使用新功能,就必须修改原有代码。 |
不这样就影响漏洞检测。。 下个版本加个参数允许关闭。 |
当前的设计不支持参数控制order by,后续考虑集成 mybatis-config 后再支持。 |
建议增加方法重载可传入参数配置是否需要开启order by sql注入检查而不是全局开关,很多时候参数都是后端直接生成的不是前端传过来的这时候很确定不可能有sql注入,白白浪费性能来检测 |
可以来个PR试试。 建议在自己框架封装个新的PageHelper静态方法,调用不检查注入的方法。(不是PR的建议) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
String orderBy = "isnull(A.SerialNumber,'ZZZZZZZZZZZ'),A.Sort asc";
当使用这样的排序时,发现底层代码使用了SqlSafeUtil.check(orderBy)强制验证sql注入,且简单粗爆不能使用单引号,引发异常。
判断代码:
public Page setOrderBy(String orderBy) {
if (SqlSafeUtil.check(orderBy)) {
throw new PageException("order by [" + orderBy + "] has a risk of SQL injection, if you want to avoid SQL injection verification, you can call Page.setUnsafeOrderBy");
} else {
this.orderBy = orderBy;
return this;
}
}
异常信息放在这里
Invalid property 'unsafeOrderBy' of bean class [com.github.pagehelper.Page]: Bean property 'unsafeOrderBy' is not readable or has an invalid getter method: Does the return type of the getter match the parameter type of the setter?
功能建议
优化判断,允许自已决定是否开启sql注入检查
The text was updated successfully, but these errors were encountered: