SQL Injection: MyBatis Mapper(SQL注入：MyBatis Mapper)

amos-boot-module/amos-boot-module-api/amos-boot-module-common-api/src/main/resources/mapper/DutyPersonShiftMapper.xml

@@ -292,7 +292,7 @@ select * from (
 		group by cd.instance_id
 ) result 
 		<if test="groupByName != null and  groupByName!='' ">
-			group by #{groupByName}
+			group by ${groupByName}
 		</if>
 	</select>
 	
@@ -335,7 +335,7 @@ select * from (
 		group by cd.instance_id
 ) result 
 		<if test="groupByName != null and  groupByName!='' ">
-			group by #{groupByName}
+			group by ${groupByName}
 		</if>
 	</select>
 	

amos-boot-module/amos-boot-module-api/amos-boot-module-common-api/src/main/resources/mapper/OrgUsrMapper.xml

@@ -218,7 +218,7 @@
             <if test="map.fieldsValue != null">
                 <foreach collection="map.fieldsValue.keys" item="item">
                     <if test="item !=  'bizOrgName'">
-                        AND a.#{item} = #{map.fieldsValue[#{item}]}
+                        AND a.${item} = #{map.fieldsValue[#{item}]}
                     </if>
                 </foreach>
             </if>
@@ -251,7 +251,7 @@
         u.biz_org_code bizOrgCode,
         <if test="fields != null">
             <foreach collection="fields" item="item" separator=",">MAX(case f.field_code when #{item} then IFNULL(v.field_value_label, v.field_value)
-                end) #{item}
+                end) ${item}
             </foreach>
         </if>
         FROM

amos-boot-system-equip/src/main/resources/mapper/FormInstanceEquipMapper.xml

@@ -28,10 +28,10 @@
             <foreach collection="params" index="key" item="value" separator="">
                 <choose>
                     <when test="fieldNames[key] == 'like' and value !=null and value !=''">
-                        and d.${key} like concat('%',#{value},'%')
+                        and d.#{key} like concat('%',#{value},'%')
                     </when>
                     <when test="fieldNames[key] == 'eq' and value !=null and value !=''">
-                        and d.${key} = #{value}
+                        and d.#{key} = #{value}
                     </when>
                 </choose>
             </foreach>
@@ -80,10 +80,10 @@
             <foreach collection="params" index="key" item="value" separator="">
                 <choose>
                     <when test="fieldNames[key] == 'like' and value !=null and value !=''">
-                        AND d.${key} like concat('%',#{value},'%')
+                        AND d.#{key} like concat('%',#{value},'%')
                     </when>
                     <when test="fieldNames[key] == 'eq' and value !=null and value !=''">
-                        AND d.${key} = #{value}
+                        AND d.#{key} = #{value}
                     </when>
                 </choose>
 

amos-boot-system-knowledgebase/src/main/resources/mapper/KnowledgeDocContentMapper.xml

@@ -38,7 +38,7 @@
             and dc.USER_ID = #{userId}
         </if>
         <if test="orgCode != null and orgCode !=''">
-            and dc.ORG_CODE like '%#{orgCode}%'
+            and dc.ORG_CODE like CONCAT('%',#{orgCode},'%' )
         </if>
                 )
         UNION ALL
@@ -70,7 +70,7 @@
 		                and dc.USER_ID = #{userId}
         </if>
         <if test="orgCode != null and orgCode !=''">
-		                and dc.ORG_CODE like '%#{orgCode}%'
+		                and dc.ORG_CODE like CONCAT('%',#{orgCode},'%' )
         </if>
                 )
                 )d LIMIT #{offset},#{length}
@@ -84,7 +84,7 @@
           (SELECT kdc.CATEGORY_NAME FROM knowledge_doc_category kdc WHERE kdc.SEQUENCE_NBR = DIRECTORY_ID) directoryName,
           <if test="extraFields != null and extraFields.size > 0">
             <foreach collection="extraFields" item="_field" >
-                #{_field},
+                ${_field},
             </foreach>
           </if>
           IFNULL(collectNum, 0) collectNum, IFNULL(quoteNum, 0) quoteNum, IFNULL(collect, "UNCOLLECT") collect
@@ -157,7 +157,7 @@
                         ORG_CODE LIKE CONCAT(#{permissionFilters.orgCode}, "%")
                         AND AUDIT_STATUS IN
                         <foreach collection="permissionFilters.auditStatusList" item="auditStatus" open="(" close=")" separator=", ">
-                            #{auditStatus}
+                            ${auditStatus}
                         </foreach>
                         )
                     </if>
@@ -166,7 +166,7 @@
             </if>
             <if test="extraStrFilters != null and extraStrFilters.size > 0">
                 <foreach collection="extraStrFilters" item="str">
-                    AND #{str}
+                    AND ${str}
                 </foreach>
             </if>
         </where>

amos-boot-system-knowledgebase/src/main/resources/mapper/StatisticsRecordMapper.xml

@@ -343,7 +343,7 @@
 	<select id="tagChartStatistics" resultType="java.util.Map"
 		parameterType="java.util.Map">
 		SELECT
-		COUNT(1) AS datas,${splitSQL} AS level
+		COUNT(1) AS datas,#{splitSQL} AS level
 		FROM
 		knowledge_doc_content kdc
 		LEFT JOIN knowledge_tag_instance kti ON kti.TARGET_SEQ = kdc.SEQUENCE_NBR
@@ -384,7 +384,7 @@
 	<select id="tagTimeChartStatistics" resultType="java.util.Map"
 		parameterType="java.util.Map">
 		SELECT
-			COUNT(1) AS datas ,${splitSQL} AS level
+			COUNT(1) AS datas ,#{splitSQL} AS level
 		FROM
 			(
 			SELECT

amos-boot-system-patrol/src/main/resources/db/mapper/dbTemplate_check.xml

@@ -254,7 +254,7 @@
                 and  d.biz_org_code LIKE CONCAT(#{bizOrgCode},'%')
             </if>
         </trim>
-        order by #{orderBy}
+        order by ${orderBy}
         <choose>
             <when test="pageSize==-1"></when>
             <when test="pageSize!=-1">limit #{offset},#{pageSize}</when>
@@ -425,7 +425,7 @@
             <if test="isExecute!=null and isExecute!='' and isExecute == '3'">and a.is_OK != #{isExecute}</if>
         </trim>
         order by
-            #{orderBy}
+            ${orderBy}
         <choose>
             <when test="pageSize==-1"></when>
             <when test="pageSize!=-1">limit #{offset}, #{pageSize}</when>
@@ -476,7 +476,7 @@
                 and a.org_code LIKE CONCAT(#{bizOrgCode},'%')
             </if>
         </trim>
-        order by #{orderBy}
+        order by ${orderBy}
         <choose>
             <when test="pageSize==-1"></when>
             <when test="pageSize!=-1">limit #{offset},#{pageSize}</when>

amos-boot-system-patrol/src/main/resources/db/mapper/dbTemplate_plan_task.xml

@@ -102,7 +102,7 @@
 		order by b.id desc
 		<choose>
 	     <when test="pageSize==-1"></when>
-	     <when test="pageSize!=-1">limit #{offset},#{pageSize}</when>
+	     <when test="pageSize!=-1">limit ${offset},${pageSize}</when>
 	    </choose>
 	</select>
 
@@ -237,8 +237,8 @@
 
 			) a
 		<include refid="plan-task-app-where"/>
-		<if test="orderBy != null and orderBy != ''"> order by #{orderBy} </if>
-		limit #{offset},#{pageSize}
+		<if test="orderBy != null and orderBy != ''"> order by ${orderBy} </if>
+		limit ${offset},${pageSize}
 	</select>
 	<select id="getPlanTasksCount" resultType="long">
 		SELECT
@@ -555,7 +555,7 @@
 		order by a.id
 		<choose>
 	     <when test="pageSize==-1"></when>
-	     <when test="pageSize!=-1">limit #{offset},#{pageSize}</when>
+	     <when test="pageSize!=-1">limit ${offset},${pageSize}</when>
 	    </choose>
 	</select>
 
@@ -588,7 +588,7 @@
 		order by a.id
 		<choose>
 			<when test="pageSize==-1"></when>
-			<when test="pageSize!=-1">limit #{offset},#{pageSize}</when>
+			<when test="pageSize!=-1">limit ${offset},${pageSize}</when>
 		</choose>
 	</select>
 
@@ -1177,7 +1177,7 @@
 			ppk.begin_time DESC
 		<choose>
 			<when test="param.pageSize==-1"></when>
-			<when test="param.pageSize!=-1">limit #{param.pageNumber}, #{param.pageSize}</when>
+			<when test="param.pageSize!=-1">limit ${param.pageNumber}, ${param.pageSize}</when>
 		</choose>
 	</select>