Server防SQL注入：编译模式下禁用key{}:"conditions"和@having:"conditions"

TommyLemon · TommyLemon · commit 75227ad57aea · 2018-05-13T02:10:07.000+08:00
diff --git a/APIJSON-Java-Server/APIJSONDemo/src/main/java/apijson/demo/server/DemoSQLExecutor.java b/APIJSON-Java-Server/APIJSONDemo/src/main/java/apijson/demo/server/DemoSQLExecutor.java
@@ -73,30 +73,14 @@ private PreparedStatement getStatement(@NotNull SQLConfig config) throws Excepti
 					+ config.getDBAccount() + "&password=" + config.getDBPassword());
 		}
 		
-//		statement = connection.prepareStatement("SELECT ?,? FROM sys.apijson_user WHERE sex=? AND id IN (?,?,?)"); //创建Statement对象
-////		Object[] values = config.getWhere().values().toArray();
-////		if (values != null && values.length > 0) {
-////			for (int i = 0; i < values.length; i++) {
-////				statement.setObject(i + 1, values[i]);
-////			}
-////		}
-//
-//		statement.setObject(1, "id");
-//		statement.setObject(2, "name");
-//		statement.setObject(3, 0);
-//		statement.setObject(4, 82001);
-//		statement.setObject(5, 82002);
-//		statement.setObject(6, 38710);
-
-		statement = connection.prepareStatement(config.getSQL(true)); //创建Statement对象
-		List<Object> valueList = config.getPreparedValues();
+		statement = connection.prepareStatement(config.getSQL(config.isPrepared())); //创建Statement对象
+		List<Object> valueList = config.isPrepared() ? config.getPreparedValueList() : null;
 		if (valueList != null && valueList.isEmpty() == false) {
 			for (int i = 0; i < valueList.size(); i++) {
 				statement.setString(i + 1, "" + valueList.get(i));
 			}
 		}
 
-
 		return statement;
 	}
 
diff --git a/APIJSON-Java-Server/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/AbstractParser.java b/APIJSON-Java-Server/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/AbstractParser.java
@@ -515,6 +515,7 @@ public JSONObject parseCorrectResponse(String table, JSONObject response) throws
 	public JSONObject getStructure(@NotNull String table, String key, String value, int version) throws Exception  {
 		//获取指定的JSON结构 <<<<<<<<<<<<<<
 		SQLConfig config = createSQLConfig().setMethod(GET).setTable(table);
+		config.setPrepared(false);
 		config.setColumn("structure");
 
 		Map<String, Object> where = new HashMap<String, Object>();
diff --git a/APIJSON-Java-Server/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/AbstractSQLConfig.java b/APIJSON-Java-Server/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/AbstractSQLConfig.java
@@ -79,7 +79,7 @@ public abstract class AbstractSQLConfig implements SQLConfig {
 
 	private long id; //Table的id
 	private RequestMethod method; //操作方法
-	private boolean prepared; //预编译
+	private boolean prepared = true; //预编译
 	/**
 	 * TODO 被关联的表通过就忽略关联的表？(这个不行 User:{"sex@":"/Comment/toId"})
 	 */
@@ -132,11 +132,14 @@ public AbstractSQLConfig setMethod(RequestMethod method) {
 		this.method = method;
 		return this;
 	}
+	@Override
 	public boolean isPrepared() {
 		return prepared;
 	}
-	public void setPrepared(boolean prepared) {
+	@Override
+	public AbstractSQLConfig setPrepared(boolean prepared) {
 		this.prepared = prepared;
+		return this;
 	}
 
 
@@ -248,7 +251,13 @@ public AbstractSQLConfig setHaving(String having) {
 	@JSONField(serialize = false)
 	public String getHavingString() {
 		having = StringUtil.getTrimedString(having);
-		return having.isEmpty() ? "" : " HAVING " + having;
+		if(having.isEmpty()) {
+			return ""; 
+		}
+		if (isPrepared()) {
+			throw new UnsupportedOperationException("预编译模式下不允许传 @having:\"condition\" !");
+		}
+		return " HAVING " + having;
 	}
 
 	@Override
@@ -646,7 +655,7 @@ private Object getValue(@NotNull Object value) {
 		return "'" + value + "'";
 	}
 	@Override
-	public List<Object> getPreparedValues() {
+	public List<Object> getPreparedValueList() {
 		return preparedValues;
 	}
 
@@ -797,6 +806,11 @@ public String getRangeString(String key, Object range) throws Exception {
 			if (condition.isEmpty()) {
 				return "";
 			}
+			
+			if (isPrepared()) {
+				throw new UnsupportedOperationException("预编译模式下不允许传 key{}:\"condition\" !");
+			}
+			
 			return getCondition(logic.isNot(), condition);
 		}
 
@@ -999,8 +1013,7 @@ public static String getRemoveString(String key, Object value) throws IllegalArg
 	@JSONField(serialize = false)
 	@Override
 	public String getSQL(boolean prepared) throws Exception {
-		setPrepared(prepared);
-		return getSQL(this);
+		return getSQL(this.setPrepared(prepared));
 	}
 	/**
 	 * @param config
diff --git a/APIJSON-Java-Server/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/AbstractSQLExecutor.java b/APIJSON-Java-Server/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/AbstractSQLExecutor.java
@@ -113,10 +113,18 @@ public void close() {
 	 */
 	@Override
 	public JSONObject execute(SQLConfig config) throws Exception {
-
-		final String sql = config == null ? null : config.getSQL(false);
+		if (config == null) {
+			Log.e(TAG, "select  config==null >> return null;");
+			return null;
+		}
+		boolean prepared = config.isPrepared();
+		
+		final String sql = config.getSQL(false);
+		
+		config.setPrepared(prepared);
+		
 		if (StringUtil.isNotEmpty(sql, true) == false) {
-			Log.e(TAG, "select  config==null||StringUtil.isNotEmpty(config.getSQLTable(), true)==false>>return null;");
+			Log.e(TAG, "select  StringUtil.isNotEmpty(sql, true) == false >> return null;");
 			return null;
 		}
 		JSONObject result = null;
diff --git a/APIJSON-Java-Server/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/SQLConfig.java b/APIJSON-Java-Server/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/SQLConfig.java
@@ -52,7 +52,7 @@ public interface SQLConfig {
 	 * @return
 	 * @throws Exception
 	 */
-	String getSQL(boolean isPrepared) throws Exception;
+	String getSQL(boolean prepared) throws Exception;
 
 
 	
@@ -154,5 +154,9 @@ public interface SQLConfig {
 	SQLConfig putWhere(String key, Object value);
 	
 	
-	List<Object> getPreparedValues();
+	boolean isPrepared();
+	
+	AbstractSQLConfig setPrepared(boolean prepared);
+	
+	List<Object> getPreparedValueList();
 }
