diff --git a/APIJSON.NET/APIJSONCommon/Properties/AssemblyInfo.cs b/APIJSON.NET/APIJSONCommon/Properties/AssemblyInfo.cs
index b890e44..12c27cf 100644
--- a/APIJSON.NET/APIJSONCommon/Properties/AssemblyInfo.cs
+++ b/APIJSON.NET/APIJSONCommon/Properties/AssemblyInfo.cs
@@ -6,7 +6,7 @@
// 控制。更改这些特性值可修改
// 与程序集关联的信息。
[assembly: AssemblyTitle("ApiJson.Common")]
-[assembly: AssemblyDescription("单表查询的返回节点指定为Infos")]
+[assembly: AssemblyDescription("增加ToSql接口,处理sql注入的情况")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("ApiJson.Common")]
@@ -32,5 +32,5 @@
//可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值
//通过使用 "*",如下所示:
// [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("0.0.4.0")]
-[assembly: AssemblyFileVersion("0.0.4.0")]
+[assembly: AssemblyVersion("0.0.6.0")]
+[assembly: AssemblyFileVersion("0.0.6.0")]
diff --git a/APIJSON.NET/APIJSONCommon/SelectTable.cs b/APIJSON.NET/APIJSONCommon/SelectTable.cs
index 4e76118..de56221 100644
--- a/APIJSON.NET/APIJSONCommon/SelectTable.cs
+++ b/APIJSON.NET/APIJSONCommon/SelectTable.cs
@@ -66,6 +66,19 @@ public object ExecFunc(string funcname, object[] param, Type[] types)
return result;
}
+ private string ToSql(string subtable, int page, int count, int query, string json)
+ {
+ JObject values = JObject.Parse(json);
+ page = values["page"] == null ? page : int.Parse(values["page"].ToString());
+ count = values["count"] == null ? count : int.Parse(values["count"].ToString());
+ query = values["query"] == null ? query : int.Parse(values["query"].ToString());
+ values.Remove("page");
+ values.Remove("count");
+ subtable = _tableMapper.GetTableName(subtable);
+ var tb = sugarQueryable(subtable, "*", values,null);
+ var xx= tb.Skip((page - 1) * count).Take(10).ToSql();
+ return xx.Key;
+ }
///
///
///
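Review bot: `Take(10)` on L39 ignores the `count` value the method has just parsed, so every generated statement pages by ten regardless of the request; it should read `var xx = tb.Skip((page - 1) * count).Take(count).ToSql();`. `query` is parsed on L34 but never used, and unlike `page` and `count` it is not removed from `values` on L35-L36, so it is forwarded to `sugarQueryable` as if it were a column condition — add `values.Remove("query");` or drop the parse. The `int.Parse` calls on L32-L34 (and again on L103-L105 in the later `ToSql` overload) operate on request-supplied JSON and throw `FormatException` on non-numeric input; `int.TryParse` with the existing fallback would reject bad input without an unhandled exception. If `page` can be 0, as the later overload's default on L103 suggests, `Skip((page - 1) * count)` receives a negative offset — worth confirming against the paging QuerySingleList already does.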
@@ -187,8 +200,9 @@ public JObject Query(string queryJson)
/// 单表查询
///
///
+ /// 返回数据的节点名称 默认为 infos
///
- public JObject QuerySingle(JObject queryObj)
+ public JObject QuerySingle(JObject queryObj, string nodeName = "infos")
{
JObject resultObj = new JObject();
resultObj.Add("code", "200");
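Review bot: The new default `nodeName = "infos"` changes the response shape for every existing caller, because the literal it replaces (L59 in the next hunk) is the capitalised `"Infos"`; either keep `"Infos"` as the default so current clients keep finding their node, or record the lower-case rename as a deliberate breaking change. The doc comment on L49 does state `infos` as the default, so comment and code at least agree. QuerySingle's body continues outside the hunk.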
@@ -202,7 +216,7 @@ public JObject QuerySingle(JObject queryObj)
if (key.EndsWith("[]"))
{
- total = QuerySingleList(resultObj, item, "Infos");
+ total = QuerySingleList(resultObj, item, nodeName);
}
else if (key.Equals("func"))
{
@@ -222,6 +236,25 @@ public JObject QuerySingle(JObject queryObj)
return resultObj;
}
+ ///
+ /// 获取查询语句
+ ///
+ ///
+ ///
+ public string ToSql(JObject queryObj)
+ {
+ foreach (var item in queryObj)
+ {
+ string key = item.Key.Trim();
+
+ if (key.EndsWith("[]"))
+ {
+ return ToSql(item);
+ }
+ }
+ return string.Empty;
+ }
+
///
/// 解析并查询
///
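Review bot: `ToSql(JObject)` returns the statement for only the first key ending in `[]` and `string.Empty` when there is none, but the summary on L68 says only `获取查询语句`; make the contract explicit, e.g. `/// 仅返回第一个以 [] 结尾的节点对应的查询语句;没有此类节点时返回空字符串`. The loop on L74-L82 is a first-match lookup and reads more directly as `var first = queryObj.Properties().FirstOrDefault(p => p.Name.Trim().EndsWith("[]"));` followed by the null check. Because the method is public and returns rendered SQL text (mapped table name, paging and filter values), it should not be exposed to API clients as-is; if it is meant as a diagnostic aid, a comment saying so would prevent that.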
@@ -284,6 +317,7 @@ private int QuerySingleList(JObject resultObj, KeyValuePair item
int total = 0;
jb.Remove("page"); jb.Remove("count"); jb.Remove("query");
+
var htt = new JArray();
foreach (var t in jb)
{
@@ -307,6 +341,23 @@ private int QuerySingleList(JObject resultObj, KeyValuePair item
return total;
}
+ private string ToSql(KeyValuePair item)
+ {
+ string key = item.Key.Trim();
+ var jb = JObject.Parse(item.Value.ToString());
+ int page = jb["page"] == null ? 0 : int.Parse(jb["page"].ToString());
+ int count = jb["count"] == null ? 10 : int.Parse(jb["count"].ToString());
+ int query = jb["query"] == null ? 0 : int.Parse(jb["query"].ToString());
+
+ jb.Remove("page"); jb.Remove("count"); jb.Remove("query");
+ var htt = new JArray();
+ foreach (var t in jb)
+ {
+ return ToSql(t.Key, page, count, query, t.Value.ToString());
+ }
+
+ return string.Empty;
+ }
//单表查询
private int QuerySingleList(JObject resultObj, KeyValuePair item)
{
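Review bot: `var htt = new JArray();` on L108 and `key` on L101 are assigned and never used, and the `foreach` on L109-L112 returns on its first iteration, so the loop is really a "first property" lookup; `var first = jb.Properties().FirstOrDefault(); return first is null ? string.Empty : ToSql(first.Name, page, count, query, first.Value.ToString());` states that directly and drops the dead locals. The `int.Parse` concern on L103-L105 is covered in the note on the first `ToSql` hunk. The method itself is complete within the hunk; the QuerySingleList header that follows it is not.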
@@ -495,7 +546,13 @@ private void ProcessColumn(string subtable, string selectrole, JObject values, I
if (colName == "*" || int.TryParse(colName, out int colNumber) || (IsCol(subtable, colName) && _identitySvc.ColIsRole(colName, selectrole.Split(','))))
{
if (ziduan.Length > 1)
- str.Append(ziduan[0] + " as " + ziduan[1] + ",");
+ {
+ if (ziduan[1].Length > 20)
+ {
+ throw new Exception("别名不能超过20个字符");
+ }
+ str.Append(ziduan[0] + " as " + ReplaceSQLChar(ziduan[1]) + ",");
+ }
else
str.Append(ziduan[0] + ",");
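Review bot: The alias `ziduan[1]` is still concatenated into the statement on L129 after only a blacklist pass through `ReplaceSQLChar`, which is not a dependable control for a value spliced into SQL text; an allow-list check is both simpler and stricter: `if (!Regex.IsMatch(ziduan[1], "^[A-Za-z_][A-Za-z0-9_]{0,19}$")) throw new ArgumentException("别名只能包含字母、数字和下划线,且不超过20个字符");` and then append `ziduan[1]` unchanged, which also subsumes the length rule on L125. `throw new Exception(...)` on L127 should be a specific type such as `ArgumentException` so callers can tell bad input from an internal failure. ProcessColumn starts and ends outside the hunk.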
@@ -744,5 +801,40 @@ private void FuzzyQuery(string subtable, List conModels, KeyV
conModels.Add(new ConditionalModel() { FieldName = vakey.TrimEnd('$'), ConditionalType = conditionalType, FieldValue = fieldValue.TrimEnd("%".ToArray()).TrimStart("%".ToArray()) });
}
}
+
+ public string ReplaceSQLChar(string str)
+ {
+ if (str == String.Empty)
+ return String.Empty;
+ str = str.Replace("'", "");
+ str = str.Replace(";", "");
+ str = str.Replace(",", "");
+ str = str.Replace("?", "");
+ str = str.Replace("<", "");
+ str = str.Replace(">", "");
+ str = str.Replace("(", "");
+ str = str.Replace(")", "");
+ str = str.Replace("@", "");
+ str = str.Replace("=", "");
+ str = str.Replace("+", "");
+ str = str.Replace("*", "");
+ str = str.Replace("&", "");
+ str = str.Replace("#", "");
+ str = str.Replace("%", "");
+ str = str.Replace("$", "");
+ str = str.Replace("\"", "");
+
+ //删除与数据库相关的词
+ str = Regex.Replace(str, "delete from", "", RegexOptions.IgnoreCase);
+ str = Regex.Replace(str, "drop table", "", RegexOptions.IgnoreCase);
+ str = Regex.Replace(str, "truncate", "", RegexOptions.IgnoreCase);
+ str = Regex.Replace(str, "xp_cmdshell", "", RegexOptions.IgnoreCase);
+ str = Regex.Replace(str, "exec master", "", RegexOptions.IgnoreCase);
+ str = Regex.Replace(str, "net localgroup administrators", "", RegexOptions.IgnoreCase);
+ str = Regex.Replace(str, "net user", "", RegexOptions.IgnoreCase);
+ str = Regex.Replace(str, "-", "", RegexOptions.IgnoreCase);
+ str = Regex.Replace(str, "truncate", "", RegexOptions.IgnoreCase);
+ return str;
+ }
}
}
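Review bot: `ReplaceSQLChar` is a character-and-keyword blacklist, and a blacklist is not a dependable defence for something that ends up inside SQL text: whitespace, backticks, slashes and brackets pass through untouched, the keyword stripping on L161-L169 is a single pass whose output is not guaranteed to be free of the words it targets, and a legitimate alias that happens to contain a filtered substring is silently altered instead of rejected. `str == String.Empty` on L140 also lets a null argument reach `Replace` and throw `NullReferenceException`, and `truncate` is stripped twice (L163 and L169). The only caller visible in this diff is the alias handling in ProcessColumn, so the safer contract is to validate against an identifier allow-list and throw on anything else, keeping the method name for existing callers.

```csharp
public string ReplaceSQLChar(string str)
{
    // Allow-list instead of blacklist: an alias may contain only letters, digits and underscore.
    // Anything else is rejected rather than silently rewritten.
    if (string.IsNullOrEmpty(str))
        return string.Empty;
    if (!Regex.IsMatch(str, @"^[A-Za-z_][A-Za-z0-9_]*$"))
        throw new ArgumentException("别名只能包含字母、数字和下划线", nameof(str));
    return str;
}
```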