SQL Injection: MyBatis Mapper(SQL注入：MyBatis Mapper)

5b10dbdf · litengwei · f2e7f330 · 5b10dbdf · 5b10dbdf · 5b10dbdf
Commit 5b10dbdf authored Mar 25, 2024 by litengwei
12 changed files
--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/ContingencyPlanInstanceMapper.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/ContingencyPlanInstanceMapper.xml
@@ -6,7 +6,7 @@
        UPDATE
             contingency_plan_instance
             SET
-              runstate = ${runStatus}
+              runstate = #{runStatus}
              <if test="content != null and content != ''">
                  , content = #{content}
              </if>
@@ -17,7 +17,7 @@
        UPDATE
        contingency_plan_instance
        SET
-        runstate = ${runStatus}
+        runstate = #{runStatus}
        <if test="content != null and content != ''">
            , content = #{content}
        </if>

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/PlanMessage.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/PlanMessage.xml
@@ -18,7 +18,7 @@
                m.batch_no = #{batchNo}
            </if>
            <if test="stepIndex != null">
-                AND m.step_index = ${stepIndex}
+                AND m.step_index = #{stepIndex}
            </if>
        </where>
        ORDER BY
@@ -35,7 +35,7 @@
                m.batch_no = #{batchNo}
            </if>
            <if test="stepIndex != null">
-                AND m.step_index = ${stepIndex}
+                AND m.step_index = #{stepIndex}
            </if>
            <if test="indexUpdateTime != null">
                AND m.index_create_time = #{indexUpdateTime}

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/bizMessage.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/bizMessage.xml
@@ -13,19 +13,19 @@
 		WHERE
 		1=1
 		<if test="time!=null">
-			and TO_DAYS(m.time) = TO_DAYS('${time}')
+			and TO_DAYS(m.time) = TO_DAYS('#{time}')
 		</if>
 		<if test="type!=null">
-			AND m.type = '${type}'
+			AND m.type = '#{type}'
 		</if>
 		<if test="title!=null">
-			AND m.title LIKE '%${title}%'
+			AND m.title LIKE '%#{title}%'
 		</if>
 		<if test="orgCode!=null">
 			AND (
-			m.org_code = '${orgCode}'
+			m.org_code = '#{orgCode}'
-			OR m.org_code LIKE '${orgCode}*%'
+			OR m.org_code LIKE '#{orgCode}*%'
 			)
 		</if>
 	</select>
@@ -39,22 +39,22 @@
 		WHERE
 		1=1
 		<if test="time!=null">
-			and TO_DAYS(m.time) = TO_DAYS('${time}')
+			and TO_DAYS(m.time) = TO_DAYS('#{time}')
 		</if>
 		<if test="type!=null">
-			AND m.type = '${type}'
+			AND m.type = '#{type}'
 		</if>
 		<if test="title!=null">
-			AND m.title LIKE '%${title}%'
+			AND m.title LIKE '%#{title}%'
 		</if>
 		<if test="orgCode!=null">
 			AND (
-			m.org_code = '${orgCode}'
+			m.org_code = '#{orgCode}'
-			OR m.org_code LIKE '${orgCode}*%'
+			OR m.org_code LIKE '#{orgCode}*%'
 			)
 		</if>
-		LIMIT ${start},${length} ;
+		LIMIT #{start},#{length} ;
 	</select>

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fier_station.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fier_station.xml
@@ -19,7 +19,7 @@
 <!--		FROM-->
 <!--		    f_fire_station fs-->
 <!--		WHERE-->
-<!--		    fs.id = ${id}-->
+<!--		    fs.id = #{id}-->
 <!--	</select>-->
@@ -30,7 +30,7 @@
 <!--				f_fire_station_equipment fs-->
 <!--			JOIN f_fire_equipment f ON fs.fire_equipment_id = f.id-->
 <!--			WHERE-->
-<!--				fs.fire_station_id = ${fireStationId}-->
+<!--				fs.fire_station_id = #{fireStationId}-->
 <!--	</select>-->
 <!--	<select id="queryForFireEqumntPage" resultType="java.util.Map">-->
 <!--			SELECT-->
@@ -44,9 +44,9 @@
 <!--			left join f_fire_equipment f ON fs.fire_equipment_id = f.id-->
 <!--			left join f_risk_source frs on frs.id = f.risk_source_id-->
 <!--			WHERE-->
-<!--				fs.fire_station_id = ${fireStationId}-->
+<!--				fs.fire_station_id = #{fireStationId}-->
 <!--				and f.id is not null-->
-<!--			LIMIT ${start}, ${length};-->
+<!--			LIMIT #{start}, #{length};-->
 <!--	</select>-->
 <!--	<select id="queryCountForPage" resultType="long">-->
@@ -58,13 +58,13 @@
 <!--		WHERE-->
 <!--		1=1-->
 <!--		<if test="name!=null">-->
-<!--			AND (fs.name LIKE '%${name}%' or fs.`code` LIKE '%${name}%')-->
+<!--			AND (fs.name LIKE '%#{name}%' or fs.`code` LIKE '%#{name}%')-->
 <!--		</if>-->
 <!--		<if test="code!=null">-->
-<!--			AND fs.`code` LIKE '%${code}%'-->
+<!--			AND fs.`code` LIKE '%#{code}%'-->
 <!--		</if>-->
 <!--		<if test="type!=null">-->
-<!--			AND fs.`type` LIKE '%${type}%';-->
+<!--			AND fs.`type` LIKE '%#{type}%';-->
 <!--		</if>-->
 <!--	</select>-->
 <!--	<select id="queryForPage" resultType="java.util.Map">-->
@@ -85,15 +85,15 @@
 <!--		1=1-->
 <!--		<if test="name!=null">-->
-<!--			AND (fs.name LIKE '%${name}%' or fs.`code` LIKE '%${name}%')-->
+<!--			AND (fs.name LIKE '%#{name}%' or fs.`code` LIKE '%#{name}%')-->
 <!--		</if>-->
 <!--		<if test="code!=null">-->
-<!--			AND fs.`code` LIKE '%${code}%'-->
+<!--			AND fs.`code` LIKE '%#{code}%'-->
 <!--		</if>-->
 <!--		<if test="type!=null">-->
-<!--			AND fs.`type` LIKE '%${type}%'-->
+<!--			AND fs.`type` LIKE '%#{type}%'-->
 <!--		</if>-->
-<!--		LIMIT ${start},${length} ;-->
+<!--		LIMIT #{start},#{length} ;-->
 <!--	</select>-->
@@ -126,14 +126,14 @@
 		a.instance_id
 		) s
 		<if test="name!=null">
-			AND s.name LIKE '%${name}%'
+			AND s.name LIKE '%#{name}%'
 		</if>
 		<if test="code!=null">
-			AND s.`code` LIKE '%${code}%'
+			AND s.`code` LIKE '%#{code}%'
 		</if>
 		<if test="type!=null">
-			AND s.`type` LIKE '%${type}%';
+			AND s.`type` LIKE '%#{type}%';
 		</if>
 	</select>

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fire_equip.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fire_equip.xml
@@ -139,10 +139,10 @@
        ) d
        <where>
 	        <if test="fireEquipmentName!=null">
-	            AND d.fireEquipmentName LIKE '%${fireEquipmentName}%'
+	            AND d.fireEquipmentName LIKE '%#{fireEquipmentName}%'
 	        </if>
 	        <if test="equipmentName!=null">
-	            AND d.equipmentName LIKE '%${equipmentName}%'
+	            AND d.equipmentName LIKE '%#{equipmentName}%'
 	        </if>
            <if test="startTime != null and startTime != ''">
                AND d.update_date &gt;= #{startTime}
@@ -194,10 +194,10 @@
        ) d
      <where>
 	      <if test="fireEquipmentName!=null">
-	            AND d.fireEquipmentName LIKE '%${fireEquipmentName}%'
+	            AND d.fireEquipmentName LIKE '%#{fireEquipmentName}%'
 	        </if>
 	        <if test="equipmentName!=null">
-	            AND d.equipmentName LIKE '%${equipmentName}%'
+	            AND d.equipmentName LIKE '%#{equipmentName}%'
 	        </if>
            <if test="startTime != null and startTime != ''">
                AND d.create_date &gt;= #{startTime}
@@ -207,7 +207,7 @@
             </if>
      </where>
        ORDER BY d.create_date desc
-        LIMIT ${start},${length}
+        LIMIT #{start},#{length}
    </select>
@@ -218,14 +218,14 @@
 <!--        where-->
 <!--        1=1-->
 <!--        <if test="equipClassify!=null">-->
-<!--            and fe.equip_classify in ( ${equipClassify} )-->
+<!--            and fe.equip_classify in ( #{equipClassify} )-->
 <!--        </if>-->
 <!--        <if test="code!=null">-->
-<!--            and fe.`code` like '%${code}%'-->
+<!--            and fe.`code` like '%#{code}%'-->
 <!--        </if>-->
 <!--        <if test="name!=null">-->
-<!--            and (fe.`name` like '%${name}%' or fe.`code` like '%${name}%')-->
+<!--            and (fe.`name` like '%#{name}%' or fe.`code` like '%#{name}%')-->
 <!--        </if>-->
 <!--        &lt;!&ndash; 筛选未绑定的配套设施-->
 <!--         &ndash;&gt;-->
@@ -258,14 +258,14 @@
 <!--				where 1=1) tmp-->
 <!--        <where>-->
 <!--        <if test="equipClassify!=null">-->
-<!--            and tmp.equip_classify in ( ${equipClassify} )-->
+<!--            and tmp.equip_classify in ( #{equipClassify} )-->
 <!--        </if>-->
 <!--        <if test="code!=null">-->
-<!--            and tmp.`code` like '%${code}%'-->
+<!--            and tmp.`code` like '%#{code}%'-->
 <!--        </if>-->
 <!--        <if test="name!=null">-->
-<!--            and (tmp.`name` like '%${name}%' or tmp.`code` like '%${name}%')-->
+<!--            and (tmp.`name` like '%#{name}%' or tmp.`code` like '%#{name}%')-->
 <!--        </if>-->
 <!--        &lt;!&ndash; 筛选未绑定的配套设施-->
 <!--         &ndash;&gt;-->
@@ -273,7 +273,7 @@
 <!--        	AND tmp.bindStation is not true-->
 <!--        </if>-->
 <!--        </where>-->
-<!--        LIMIT ${start},${length}-->
+<!--        LIMIT #{start},#{length}-->
 <!--    </select>-->
@@ -291,7 +291,7 @@
 <!--				FROM-->
 <!--					f_fire_station_equipment se-->
 <!--				WHERE-->
-<!--					se.fire_station_id = ${fireStationId}-->
+<!--					se.fire_station_id = #{fireStationId}-->
 <!--				AND se.fire_equipment_id = fe.id-->
 <!--			)-->
 <!--	</select>-->
@@ -507,12 +507,12 @@
        f_equipment_fire_equipment efe
        JOIN f_fire_equipment fe ON efe.fire_equipment_id = fe.id
        WHERE
-        efe.equipment_id = ${equipmentId}
+        efe.equipment_id = #{equipmentId}
        <if test="fname != null">
-            AND fe.`name` like '%${fname}%'
+            AND fe.`name` like '%#{fname}%'
        </if>
        <if test="length > 0">
-            LIMIT ${start},${length} ;
+            LIMIT #{start},#{length} ;
        </if>
    </select>
@@ -525,9 +525,9 @@
        f_equipment_fire_equipment efe
        JOIN wl_equipment_specific fe ON efe.fire_equipment_id = fe.id
        WHERE
-        efe.equipment_id = ${equipmentId}
+        efe.equipment_id = #{equipmentId}
        <if test="fname != null">
-            AND fe.`name` like '%${fname}%'
+            AND fe.`name` like '%#{fname}%'
        </if>
    </select>

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fire_rectification.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fire_rectification.xml
@@ -124,7 +124,7 @@
                 from
                 elec_bills_fire_safety_control
                where BILL_SEQ = (select SEQUENCE_NBR from elec_bills_basic_info where BILL_NO=#{billNo})
-                and type =${id}
+                and type =#{id}
    </select>
    <update id="updateBill">
         UPDATE

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fmea.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fmea.xml
@@ -90,7 +90,7 @@
 		FROM
 			f_fmea f
 		WHERE
-			f.risk_source_id = ${riskSourceId};
+			f.risk_source_id = #{riskSourceId};
 	</select>
 	<select id="getById" resultType="com.yeejoin.amos.fas.dao.entity.Fmea">

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_impAndfire_equip.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_impAndfire_equip.xml
@@ -14,11 +14,11 @@
 		WHERE
 		1=1
 		<if test="fireEquipmentId != null">
-			 and t.fire_equipment_id = ${fireEquipmentId}
+			 and t.fire_equipment_id = #{fireEquipmentId}
 		</if>
 			<if test="equipmentId != null">
-				AND t.equipment_id = ${equipmentId};
+				AND t.equipment_id = #{equipmentId};
 	</if>
 	</select>
@@ -29,8 +29,8 @@
 		FROM
 		f_equipment_fire_equipment t
 		WHERE
-		t.fire_equipment_id = ${fireEquipmentId}
+		t.fire_equipment_id = #{fireEquipmentId}
-		AND t.equipment_id = ${equipmentId};
+		AND t.equipment_id = #{equipmentId};
 	</select>
@@ -46,7 +46,7 @@
 				FROM
 					f_equipment_fire_equipment efe
 				WHERE
-					efe.fire_equipment_id = ${fireEquipmentId}
+					efe.fire_equipment_id = #{fireEquipmentId}
 			)
 			LIMIT 0,1 ;
 	</select>
@@ -81,11 +81,11 @@
 				FROM
 					f_equipment_fire_equipment efe
 				WHERE
-					efe.equipment_id = ${equipmentId}
+					efe.equipment_id = #{equipmentId}
 				AND efe.fire_equipment_id = fe.id
 	)
 	<if test="start != -1 and length != -1">
-	   LIMIT ${start},${length} ;
+	   LIMIT #{start},#{length} ;
    </if>
 	</select> 
@@ -102,7 +102,7 @@
 				FROM
 					f_equipment_fire_equipment efe
 				WHERE
-					efe.equipment_id = ${equipmentId}
+					efe.equipment_id = #{equipmentId}
 				AND efe.fire_equipment_id = fe.id
 	)
 	</select>-->
@@ -121,7 +121,7 @@
 			FROM
 				f_equipment_fire_equipment efe
 			WHERE
-				efe.equipment_id =${equipmentId}
+				efe.equipment_id =#{equipmentId}
 				and f.id = efe.fire_equipment_id
 		)
 	</select>

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_impt_equip.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_impt_equip.xml
@@ -22,7 +22,7 @@
                FROM
                    f_equipment_fire_equipment efe
                WHERE
-                    efe.fire_equipment_id = ${fireEquipmentId}
+                    efe.fire_equipment_id = #{fireEquipmentId}
                AND efe.equipment_id = fe.id
            )
    </select>
@@ -76,7 +76,7 @@
 		ORDER BY
 			a.id
 		<if test="start != -1 and length != -1">
-			LIMIT ${start},${length} ;
+			LIMIT #{start},#{length} ;
 		</if>
 	</select>
@@ -103,6 +103,6 @@
 		FROM
 			f_equipment
 		WHERE
-			id = ${id}
+			id = #{id}
 	</select>
 </mapper>
\ No newline at end of file
--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_preplanpicture.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_preplanpicture.xml
@@ -10,6 +10,6 @@
 	FROM
 		f_preplan_picture p
 	WHERE
-		p.equipment_id = ${equipmentId}
+		p.equipment_id = #{equipmentId}
 	</select>
 </mapper>
\ No newline at end of file
--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_risk_source.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_risk_source.xml
@@ -99,7 +99,7 @@
 			f_rpn_change_log cl
 		WHERE
 			cl.type = 0
-			and cl.create_date  BETWEEN '${startTime}'  and  '${endTime}'
+			and cl.create_date  BETWEEN '#{startTime}'  and  '#{endTime}'
 		)d
 	</select>
@@ -362,7 +362,7 @@
 <!--				FROM-->
 <!--					f_risk_source_equipment se-->
 <!--				WHERE-->
-<!--					se.fire_equipment_id = ${fireEquipmentId}-->
+<!--					se.fire_equipment_id = #{fireEquipmentId}-->
 <!--				AND se.risk_source_id = rs.id-->
 <!--			)-->
 <!--	</select>-->
@@ -380,7 +380,7 @@
 <!--				FROM-->
 <!--					f_risk_source_point_inputitem pi-->
 <!--				WHERE-->
-<!--					pi.point_id = ${pointId}-->
+<!--					pi.point_id = #{pointId}-->
 <!--				AND rs.id = pi.risk_source_id-->
 <!--			)-->
 <!--	</select>-->
@@ -526,7 +526,7 @@
 		FROM
 			f_risk_source rs
 		WHERE
-			rs.id = ${riskSourceId};
+			rs.id = #{riskSourceId};
 	</select>
 	<select id="queryForRiskSourceRpni" resultType="map">
@@ -535,7 +535,7 @@
 		FROM
 			f_risk_source rs
 		WHERE
-			rs.parent_id = ${parentId};
+			rs.parent_id = #{parentId};
 	</select>
 	<select id="queryForUnqualified" resultType="map">
@@ -638,7 +638,7 @@
 					f_fmea ff
 				JOIN f_risk_factor rf ON ff.risk_factors_id = rf.id
 				WHERE
-					rf.id = ${factorId}
+					rf.id = #{factorId}
 			)
 	</select>
 <!--	<select id="queryContingencyWater"  resultType="com.yeejoin.amos.fas.business.vo.FormInstanceVo">-->
@@ -734,8 +734,8 @@
 			INNER JOIN p_point_inputitem ppi ON ppi.ID = ffpi.point_inputitem_id) ffpi
 			ON ffpi.fmea_id = ff.id
 		WHERE
-			ffpi.point_id = ${pointId}
+			ffpi.point_id = #{pointId}
-# 			EXISTS ( SELECT 1 FROM f_risk_source_point_inputitem frspi WHERE frspi.risk_source_id = frs.id AND frspi.point_id = ${pointId} )
+# 			EXISTS ( SELECT 1 FROM f_risk_source_point_inputitem frspi WHERE frspi.risk_source_id = frs.id AND frspi.point_id = #{pointId} )
 # 			EXISTS ( SELECT
 # 						 1
 # 					 FROM
@@ -744,7 +744,7 @@
 # 							 LEFT JOIN p_point_inputitem ppi on ppi.id = fpi.point_inputitem_id
 # 					 WHERE
 # 						 f.risk_source_id = frs.id
-# 					   AND ppi.point_id = ${pointId}
+# 					   AND ppi.point_id = #{pointId}
 # 			    )
 	</select>

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_view3d.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_view3d.xml
@@ -612,8 +612,8 @@
 			  <where>
 				<if test="inputText!=null and inputText != ''">
 					(
-					tmp.code LIKE '%${inputText}%'
+					tmp.code LIKE '%#{inputText}%'
-					OR tmp.name LIKE '%${inputText}%'
+					OR tmp.name LIKE '%#{inputText}%'
 					)
 				</if>
 				<if test="type!=null and type!=''">
@@ -1070,8 +1070,8 @@
        <where>
            <if test="inputText!=null and inputText != ''">
                AND (
-                tmp.code LIKE '%${inputText}%'
+                tmp.code LIKE '%#{inputText}%'
-                OR tmp.name LIKE '%${inputText}%'
+                OR tmp.name LIKE '%#{inputText}%'
                )
            </if>
            <if test="type!=null and type!=''">
@@ -1081,7 +1081,7 @@
                AND tmp.riskSourceId = #{riskSourceId}
            </if>
        </where>
-        LIMIT ${start},${length}
+        LIMIT #{start},#{length}
    </select>
    <select id="retrieve3AllCount" resultType="long">
        SELECT count(1) FROM (
@@ -1277,8 +1277,8 @@
        <where>
            <if test="inputText!=null and inputText != ''">
                AND (
-                tmp.code LIKE '%${inputText}%'
+                tmp.code LIKE '%#{inputText}%'
-                OR tmp.name LIKE '%${inputText}%'
+                OR tmp.name LIKE '%#{inputText}%'
                )
            </if>
            <if test="type!=null and type!=''">
@@ -1486,8 +1486,8 @@
        <where>
            <if test="inputText!=null and inputText != ''">
                AND (
-                tmp.code LIKE '%${inputText}%'
+                tmp.code LIKE '%#{inputText}%'
-                OR tmp.name LIKE '%${inputText}%'
+                OR tmp.name LIKE '%#{inputText}%'
                )
            </if>
            <if test="type!=null and type!=''">
@@ -1500,7 +1500,7 @@
                AND (tmp.orgCode = #{orgCode} OR tmp.orgCode like CONCAT(#{orgCode},'-%') )
            </if>
        </where>
-        LIMIT ${start},${length}
+        LIMIT #{start},#{length}
    </select>
    <select id="getPlanAlarmInfo" resultType="com.yeejoin.amos.fas.business.bo.FirePlanAlarmBo">
   		SELECT