5 éve · 3212423620
--- a/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
+++ b/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
@@ -55,6 +55,8 @@ import java.util.ArrayList;
 
				 import java.util.HashMap;
			
 
				 import java.util.List;
			
 
				 import java.util.Map;
			
 
				+import java.util.regex.Matcher;
			
 
				+import java.util.regex.Pattern;
			
 
				 
			
 
				 /**
			
 
				  * 动态生成页面，需要后台配置自定义页数据
			
@@ -378,8 +380,16 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 
				 		} catch (IOException e1) {
			
 
				 			e1.printStackTrace();
			
 
				 		}
			
 
				+		Map<String, Object> searchMap = BasicUtil.assemblyRequestMap();
			
 
				+		searchMap.forEach((k,v)->{
			
 
				+			//sql注入过滤
			
 
				+			if(sqlFilter(v.toString())){
			
 
				+				searchMap.put(k,"");
			
 
				+			}
			
 
				+		});
			
 
				+
			
 
				 		//查询数量
			
 
				-		int count= contentBiz.getSearchCount(contentModel,fieldValueList,BasicUtil.assemblyRequestMap(),BasicUtil.getAppId(),categoryIds);
			
 
				+		int count= contentBiz.getSearchCount(contentModel,fieldValueList,searchMap,BasicUtil.getAppId(),categoryIds);
			
 
				 		int total = PageUtil.totalPage(count, size);
			
 
				 
			
 
				 		int pageNo = BasicUtil.getInt(ParserUtil.PAGE_NO, 1);
			
@@ -412,7 +422,6 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 
				 		page.setPreUrl(preUrl);
			
 
				 		page.setLastUrl(lastUrl);
			
 
				 		map.put(ParserUtil.URL, BasicUtil.getUrl());
			
 
				-		Map<String, Object> searchMap = BasicUtil.assemblyRequestMap();
			
 
				 		searchMap.put(ParserUtil.PAGE_NO, pageNo);
			
 
				 		map.put(SEARCH, searchMap);
			
 
				 		map.put(ParserUtil.PAGE, page);
			
@@ -420,6 +429,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 
				 		map.put(ParserUtil.IS_DO,false);
			
 
				 		//设置动态请求的模块路径
			
 
				 		map.put(ParserUtil.MODEL_NAME, "mcms");
			
 
				+
			
 
				 		//解析后的内容
			
 
				 		String content = "";
			
 
				 		try {
			
@@ -437,6 +447,11 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 
				 		this.outString(response, content);
			
 
				 	}
			
 
				 
			
 
				+	public static boolean sqlFilter(String str){
			
 
				+		Pattern pattern= Pattern.compile("\\b(and|exec|insert|select|drop|grant|alter|delete|update|count|chr|mid|master|truncate|char|declare|or)\\b|(\\*|;|\\+|'|%)");
			
 
				+		Matcher matcher=pattern.matcher(str);
			
 
				+		return matcher.find();
			
 
				+	}
			
 
				 
			
 
				 	private Map get(String key, List<Map> fields) {
			
 
				 		for (Map field : fields) {
			
@@ -472,4 +487,4 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 
				 
			
 
				 
			
 
				 
			
 
				-}
			
 
				+}
			
--- a/src/main/java/net/mingsoft/cms/dao/IContentDao.xml
+++ b/src/main/java/net/mingsoft/cms/dao/IContentDao.xml
@@ -259,33 +259,33 @@
 
				 		<where>
			
 
				 			a.app_id = #{websiteId}
			
 
				 			<if test="ids!=null and ids!=''">
			
 
				-				and FIND_IN_SET(content_category_id,'${ids}')
			
 
				+				and FIND_IN_SET(content_category_id,#{ids})
			
 
				 			</if>
			
 
				 			<if test="map.content_title!=null">
			
 
				-			and a.content_title like CONCAT("%",'${map.content_title}',"%")
			
 
				+			and a.content_title like CONCAT("%",#{map.content_title},"%")
			
 
				 			</if>
			
 
				 			<if test="map.content_author!=null">
			
 
				-			and a.content_author like CONCAT("%",'${map.content_author}',"%")
			
 
				+			and a.content_author like CONCAT("%",#{map.content_author},"%")
			
 
				 			</if>
			
 
				 			<if test="map.content_source!=null">
			
 
				-			and a.content_source like CONCAT("%",'${map.content_source}',"%")
			
 
				+			and a.content_source like CONCAT("%",#{map.content_source},"%")
			
 
				 			</if>
			
 
				 			<if test="map.content_type!=null">
			
 
				-			and a.content_type like CONCAT("%",'${map.content_type}',"%")
			
 
				+			and a.content_type like CONCAT("%",#{map.content_type},"%")
			
 
				 			</if>
			
 
				 			<if test="map.content_description!=null">
			
 
				-			and a.content_description like CONCAT("%",'${map.content_description}',"%")
			
 
				+			and a.content_description like CONCAT("%",#{map.content_description},"%")
			
 
				 			</if>
			
 
				 			<if test="map.content_keyword!=null">
			
 
				-			and a.content_keyword like CONCAT("%",'${map.content_keyword}',"%")
			
 
				+			and a.content_keyword like CONCAT("%",#{map.content_keyword},"%")
			
 
				 			</if>
			
 
				 			<if test="map.content_details!=null">
			
 
				-			and a.content_details like CONCAT("%",'${map.content_details}',"%")
			
 
				+			and a.content_details like CONCAT("%",#{map.content_details},"%")
			
 
				 			</if>
			
 
				 			<if test="tableName!=null and tableName!='' and diyMap!=null">
			
 
				 				<foreach item="item" index="index" collection="diyList" open=""
			
 
				 						 separator="" close="">
			
 
				-					and d.${item.key} like CONCAT("%",'${item.value}',"%")
			
 
				+					and d.${item.key} like CONCAT("%",#{item.value},"%")
			
 
				 				</foreach>
			
 
				 			</if>
			
 
				 		</where>
			
@@ -293,4 +293,4 @@
 
				 	</select>
			
 
				 
			
 
				 
			
 
				-</mapper>
			
 
				+</mapper>