Commit b4aa5d16 authored by 王飞's avatar 王飞

Merge branch 'wangfei' into 'dev'

Wangfei

See merge request !141
parents 3ba8ba44 d57d1e54
......@@ -89,16 +89,16 @@
</appender>
<!-- 系统模块日志级别控制 -->
<logger name="com.ruoyi" level="debug" />
<logger name="com.ruoyi" level="INFO" />
<!-- Spring日志级别控制 -->
<logger name="org.springframework" level="warn" />
<root level="debug">
<root level="INFO">
<appender-ref ref="console" />
</root>
<!--系统操作日志-->
<root level="debug">
<root level="INFO">
<appender-ref ref="file_info" />
<appender-ref ref="file_error" />
<appender-ref ref="console"/>
......@@ -106,7 +106,7 @@
</root>
<!--系统用户操作日志-->
<logger name="sys-user" level="debug">
<logger name="sys-user" level="INFO">
<appender-ref ref="sys-user"/>
<appender-ref ref="console" />
</logger>
......
......@@ -26,6 +26,9 @@ public class MybatisPlusConfig
interceptor.addInnerInterceptor(optimisticLockerInnerInterceptor());
// 阻断插件
interceptor.addInnerInterceptor(blockAttackInnerInterceptor());
// %转意
interceptor.addInnerInterceptor(percentEscapeInterceptor());
return interceptor;
}
......@@ -57,4 +60,14 @@ public class MybatisPlusConfig
{
return new BlockAttackInnerInterceptor();
}
/**
* %转意
* @return
*/
public PercentEscapeInterceptor percentEscapeInterceptor() {
return new PercentEscapeInterceptor();
}
}
\ No newline at end of file
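Review bot: Appending `percentEscapeInterceptor()` last means every interceptor registered before it runs its `willDoQuery`/`beforeQuery` against the unescaped parameter, because MybatisPlusInterceptor walks the list in order. If a pagination interceptor is registered above this hunk (the method starts outside it, so this is not visible), its count query would match on the raw `%`/`_` while the page query uses the escaped value, and totals could disagree with the rows returned; registering the escape interceptor first avoids that. The new factory method's Javadoc has an empty `@return` and writes 转意 where 转义 is meant; `/** Creates the interceptor that escapes % and _ in LIKE parameters. */` would say what it does.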
package com.ruoyi.framework.config;
import com.baomidou.mybatisplus.extension.plugins.inner.InnerInterceptor;
import com.ruoyi.common.utils.StringUtils;
import org.apache.ibatis.executor.Executor;
import org.apache.ibatis.mapping.BoundSql;
import org.apache.ibatis.mapping.MappedStatement;
import org.apache.ibatis.reflection.MetaObject;
import org.apache.ibatis.session.ResultHandler;
import org.apache.ibatis.session.RowBounds;
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Set;
public class PercentEscapeInterceptor implements InnerInterceptor {
@Override
public void beforeQuery(Executor executor, MappedStatement ms, Object parameter, RowBounds rowBounds, ResultHandler resultHandler, BoundSql boundSql) throws SQLException {
String sql = boundSql.getSql().toLowerCase();
// 判断是否包含 参数 及 like 查询
if (!sql.contains(" like ") || !sql.contains("?")) {
return;
}
// 获取关键字的个数(去重),获取 到 like 查询 的 key
String[] strList = sql.split("\\?");
Set<String> keyNames = new HashSet<>();
for (int i = 0; i < strList.length; i++) {
if (strList[i].toLowerCase().contains(" like ")) {
String keyName = boundSql.getParameterMappings().get(i).getProperty();
keyNames.add(keyName);
}
}
MetaObject metaObject = ms.getConfiguration().newMetaObject(parameter);
for (String keyName : keyNames) {
Object value = metaObject.getValue(keyName);
if (value instanceof String) {
if (isconvert((String) value)) {
metaObject.setValue(keyName, convert((String) value));
}
}
}
}
private String convert(String before) {
if (StringUtils.isNotBlank(before)) {
before = before.replaceAll("\\\\", "");
before = before.replaceAll("_", "\\\\_");
before = before.replaceAll("%", "\\\\%");
}
return before;
}
private boolean isconvert(String str) {
return str.contains("\\") || str.contains("_") || str.contains("%");
}
}
\ No newline at end of file
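Review bot: `beforeQuery` can throw on ordinary statements: `sql.split("\\?")` yields one more fragment than there are placeholders whenever text follows the last `?`, so a trailing ` like 'literal'` makes `getParameterMappings().get(i)` run past the end, and `metaObject.getValue(keyName)` likely has no getter to call when the mapper takes a single `String` argument or the name is a foreach-generated additional parameter. Bounding the loop by the mapping count and checking `metaObject.hasGetter(keyName)` before reading closes both. Two behaviours also deserve a comment for callers: `convert` deletes every backslash from the search term rather than escaping it, and the escaped value is written back into the caller's parameter object, so the same property used in an `=` predicate or read again after the query sees the modified text. The `\_`/`\%` form only works where backslash is the LIKE escape character, which looks like an assumption about the target database; an explicit `ESCAPE` clause in the mapper SQL would remove it.

```java
List<ParameterMapping> mappings = boundSql.getParameterMappings();
// The fragment after the last '?' has no placeholder of its own, so stop at the mapping count.
int limit = Math.min(strList.length, mappings.size());
for (int i = 0; i < limit; i++) {
    if (strList[i].contains(" like ")) {
        keyNames.add(mappings.get(i).getProperty());
    }
}
// … unchanged: MetaObject creation …
for (String keyName : keyNames) {
    // Single simple-type arguments and generated names are not properties of the parameter object.
    if (!metaObject.hasGetter(keyName) || !metaObject.hasSetter(keyName)) {
        continue;
    }
    // … unchanged: escape String values …
}
```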