sql 注入问题

[s-chance]

UserMapper.xml

<select id="exportUser" resultType="org.springblade.system.excel.UserExcel">
        SELECT id, tenant_id, account, name, real_name, email, phone, birthday, role_id, dept_id, post_id FROM blade_user ${ew.customSqlSegment}
</select>

这段sql中使用 ${} 的方式拼接，是否存在 sql 注入问题？

过去有 issue 已提到过此问题，不过目前未做回复。想了解一下是否已经有其他措施针对此问题进行了处理？

[s-chance]

https://gitee.com/smallc/SpringBlade/issues/IA6MBI?from=project-issue 已找到回复

[s-chance]

不过，为了保险起见以及统一编码，是否将 ${} 替换为 #{} 比较好？

[cx-suman-roy]

is there a fix commit for this SQL injection?

[s-chance]

is there a fix commit for this SQL injection?

see this document.

It seems to use a custom SQL injection filtering class(SqlKeyword.java) to prevent SQL injection.

If you use code like

QueryWrapper<User> queryWrapper = org.springblade.core.mp.support.Condition.getQueryWrapper(user, User.class);

It will call the SqlKeyword.buildCondition(query, qw); to filter out some suspicious keywords.

Source code snippet of the org.springblade.core.mp.support.Condition.java

public static <T> QueryWrapper<T> getQueryWrapper(Map<String, Object> query, Map<String, Object> exclude, Class<T> clazz) {
	exclude.forEach((k, v) -> query.remove(k));
	QueryWrapper<T> qw = new QueryWrapper<>();
	qw.setEntity(BeanUtil.newInstance(clazz));
	SqlKeyword.buildCondition(query, qw);
	return qw;
}