SQL Injection: MyBatis Mapper(SQL注入：MyBatis Mapper)

d948c7fd · litengwei · 4bde105b · d948c7fd · d948c7fd · d948c7fd
Commit d948c7fd authored Mar 25, 2024 by litengwei
5 changed files
--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/bizMessage.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/bizMessage.xml
@@ -13,19 +13,19 @@
 		WHERE
 		1=1
 		<if test="time!=null">
-			and TO_DAYS(m.time) = TO_DAYS('#{time}')
+			and TO_DAYS(m.time) = TO_DAYS(#{time})
 		</if>

 		<if test="type!=null">
-			AND m.type = '#{type}'
+			AND m.type = #{type}
 		</if>
 		<if test="title!=null">
-			AND m.title LIKE '%#{title}%'
+			AND m.title LIKE CONCAT('%',#{title},'%')
 		</if>
 		<if test="orgCode!=null">
 			AND (
-			m.org_code = '#{orgCode}'
-			OR m.org_code LIKE '#{orgCode}*%'
+			m.org_code = #{orgCode}
+			OR m.org_code LIKE CONCAT('%',#{orgCode},'*%')
 			)
 		</if>
 	</select>
@@ -43,15 +43,15 @@
 		</if>

 		<if test="type!=null">
-			AND m.type = '#{type}'
+			AND m.type = #{type}
 		</if>
 		<if test="title!=null">
-			AND m.title LIKE '%#{title}%'
+			AND m.title LIKE CONCAT('%',#{title},'%')
 		</if>
 		<if test="orgCode!=null">
 			AND (
-			m.org_code = '#{orgCode}'
-			OR m.org_code LIKE '#{orgCode}*%'
+			m.org_code = #{orgCode}
+			OR m.org_code LIKE CONCAT('%',#{orgCode},'%')
 			)
 		</if>
 		LIMIT #{start},#{length} ;

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fier_station.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fier_station.xml
@@ -126,14 +126,14 @@
 		a.instance_id
 		) s
 		<if test="name!=null">
-			AND s.name LIKE '%#{name}%'
+			AND s.name LIKE CONCAT('%',#{name},'%')
 		</if>
 		<if test="code!=null">
-			AND s.`code` LIKE '%#{code}%'
+			AND s.`code` LIKE  CONCAT('%',#{code},'%')
 		</if>

 		<if test="type!=null">
-			AND s.`type` LIKE '%#{type}%';
+			AND s.`type` LIKE CONCAT('%',#{type},'%');
 		</if>

 	</select>

--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fire_equip.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_fire_equip.xml
@@ -139,10 +139,10 @@
        ) d
        <where>
 	        <if test="fireEquipmentName!=null">
-	            AND d.fireEquipmentName LIKE '%#{fireEquipmentName}%'
+	            AND d.fireEquipmentName LIKE CONCAT('%',#{fireEquipmentName},'%')
 	        </if>
 	        <if test="equipmentName!=null">
-	            AND d.equipmentName LIKE '%#{equipmentName}%'
+	            AND d.equipmentName LIKE CONCAT('%',#{equipmentName},'%')
 	        </if>
            <if test="startTime != null and startTime != ''">
                AND d.update_date &gt;= #{startTime}
@@ -194,10 +194,10 @@
        ) d
      <where>
 	      <if test="fireEquipmentName!=null">
-	            AND d.fireEquipmentName LIKE '%#{fireEquipmentName}%'
+	            AND d.fireEquipmentName LIKE CONCAT('%',#{fireEquipmentName},'%')
 	        </if>
 	        <if test="equipmentName!=null">
-	            AND d.equipmentName LIKE '%#{equipmentName}%'
+	            AND d.equipmentName LIKE CONCAT('%',#{equipmentName},'%')
 	        </if>
            <if test="startTime != null and startTime != ''">
                AND d.create_date &gt;= #{startTime}
@@ -509,7 +509,7 @@
        WHERE
        efe.equipment_id = #{equipmentId}
        <if test="fname != null">
-            AND fe.`name` like '%#{fname}%'
+            AND fe.`name` like  CONCAT('%',#{fname},'%')
        </if>
        <if test="length > 0">
            LIMIT #{start},#{length} ;
@@ -527,7 +527,7 @@
        WHERE
        efe.equipment_id = #{equipmentId}
        <if test="fname != null">
-            AND fe.`name` like '%#{fname}%'
+            AND fe.`name` like CONCAT('%',#{fname},'%')
        </if>
    </select>


--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_risk_source.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_risk_source.xml
@@ -99,7 +99,7 @@
 			f_rpn_change_log cl
 		WHERE
 			cl.type = 0
-			and cl.create_date  BETWEEN '#{startTime}'  and  '#{endTime}'
+			and cl.create_date  BETWEEN #{startTime}  and  #{endTime}
 		)d
 	</select>


--- a/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_view3d.xml
+++ b/YeeAmosFireAutoSysStart/src/main/resources/db/mapper/dbTemplate_view3d.xml
@@ -1070,8 +1070,8 @@
        <where>
            <if test="inputText!=null and inputText != ''">
                AND (
-                tmp.code LIKE '%#{inputText}%'
-                OR tmp.name LIKE '%#{inputText}%'
+                tmp.code LIKE CONCAT('%',#{inputText},'%')
+                OR tmp.name LIKE CONCAT('%',#{inputText},'%')
                )
            </if>
            <if test="type!=null and type!=''">
@@ -1277,8 +1277,8 @@
        <where>
            <if test="inputText!=null and inputText != ''">
                AND (
-                tmp.code LIKE '%#{inputText}%'
-                OR tmp.name LIKE '%#{inputText}%'
+                tmp.code LIKE CONCAT('%',#{inputText},'%')
+                OR tmp.name LIKE CONCAT('%',#{inputText},'%')
                )
            </if>
            <if test="type!=null and type!=''">