Skip to content

Commit 3559ec9

Browse files
TommyLemonTommyLemon
committed
Server:优化查询ResultSet中的字段处理,提高性能,解决_key:alias漏洞以及@column中的AS和表达式限制
1 parent b67800b commit 3559ec9

File tree

1 file changed

+30
-63
lines changed
  • APIJSON-Java-Server/APIJSON-Eclipse/src/main/java/zuo/biao/apijson/server/sql

1 file changed

+30
-63
lines changed

APIJSON-Java-Server/APIJSON-Eclipse/src/main/java/zuo/biao/apijson/server/sql/SQLExecutor.java

Lines changed: 30 additions & 63 deletions
Original file line numberDiff line numberDiff line change
@@ -18,12 +18,11 @@
1818
import java.sql.DatabaseMetaData;
1919
import java.sql.DriverManager;
2020
import java.sql.ResultSet;
21+
import java.sql.ResultSetMetaData;
2122
import java.sql.SQLException;
2223
import java.sql.Statement;
2324
import java.sql.Timestamp;
24-
import java.util.ArrayList;
2525
import java.util.HashMap;
26-
import java.util.List;
2726
import java.util.Map;
2827

2928
import com.alibaba.fastjson.JSON;
@@ -32,7 +31,6 @@
3231
import zuo.biao.apijson.JSONResponse;
3332
import zuo.biao.apijson.Log;
3433
import zuo.biao.apijson.StringUtil;
35-
import zuo.biao.apijson.server.Pair;
3634
import zuo.biao.apijson.server.Parser;
3735

3836
/**executor for query(read) or update(write) MySQL database
@@ -215,69 +213,50 @@ public JSONObject execute(SQLConfig config) throws Exception {
215213
return result;
216214
}
217215

218-
String[] columnArray = getColumnArray(config);
219-
if (columnArray == null || columnArray.length <= 0) {
220-
return null;
221-
}
222-
223216
rs = statement.executeQuery(sql);
224217

225218
// final boolean cache = config.getCount() != 1;
226219
Map<Integer, JSONObject> resultMap = new HashMap<Integer, JSONObject>();
227220
// Log.d(TAG, "select cache = " + cache + "; resultMap" + (resultMap == null ? "=" : "!=") + "null");
228221

229222
int index = -1;
223+
224+
ResultSetMetaData rsmd = rs.getMetaData();
225+
final int length = rsmd.getColumnCount();
226+
230227
while (rs.next()){
231228
index ++;
232229
Log.d(TAG, "\n\n<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n select while (rs.next()){ index = " + index + "\n\n");
233230

234231
result = new JSONObject(true);
235232
Object value;
236-
Object json;
237-
for (int i = 0; i < columnArray.length; i++) {
238-
if (columnArray[i] == null || columnArray[i].isEmpty() || columnArray[i].startsWith("_")) {
233+
234+
for (int i = 1; i <= length; i++) {
235+
if (rsmd.getColumnName(i).startsWith("_")) {
239236
Log.i(TAG, "select while (rs.next()){ ..."
240-
+ " >> columnArray[i] == " + columnArray[i]
241-
+ " >> continue;");
237+
+ " >> rsmd.getColumnName(i).startsWith(_) >> continue;");
242238
continue;
243-
}//允许 key:_alias, 但不允许_key, _key:alias
244-
columnArray[i] = Pair.parseEntry(columnArray[i]).getValue();
245-
try {
246-
value = rs.getObject(rs.findColumn(columnArray[i]));
247-
} catch (Exception e) {
248-
value = null;
249-
Log.i(TAG, "select while (rs.next()){ ..."
250-
+ " >> try { value = rs.getObject(rs.findColumn(columnArray[i])); ..."
251-
+ " >> } catch (Exception e) {");
252-
e.printStackTrace();
253239
}
254-
// if (value == null) {
255-
// Log.i(TAG, "select while (rs.next()){ ..." + " >> value == null >> continue;");
256-
// continue;
257-
// }
240+
241+
value = rs.getObject(i);
242+
// Log.d(TAG, "name:" + rsmd.getColumnName(i));
243+
// Log.d(TAG, "lable:" + rsmd.getColumnLabel(i));
244+
// Log.d(TAG, "type:" + rsmd.getColumnType(i));
245+
// Log.d(TAG, "typeName:" + rsmd.getColumnTypeName(i));
258246

259-
// Log.i(TAG, "select while (rs.next()) { >> for (int i = 0; i < columnArray.length; i++) {"
260-
// + "\n >>> columnArray[i]) = " + columnArray[i] + "; value = " + value);
247+
// Log.i(TAG, "select while (rs.next()) { >> for (int i = 0; i < length; i++) {"
248+
// + "\n >>> value = " + value);
261249

262250
if (value != null) { //数据库查出来的null和empty值都有意义,去掉会导致 Moment:{ @column:"content" } 部分无结果及中断数组查询!
263251
if (value instanceof Timestamp) {
264252
value = ((Timestamp) value).toString();
265253
}
266-
else if (value instanceof String) {
267-
try {
268-
json = JSON.parse((String) value);
269-
if (json != null && json instanceof JSON && StringUtil.isNotEmpty(json, true)) {
270-
value = json;
271-
}
272-
} catch (Exception e) {
273-
//太长 Log.i(TAG, "select while (rs.next()){ >> i = "
274-
// + i + " try { json = JSON.parse((String) value);"
275-
// + ">> } catch (Exception e) {\n" + e.getMessage());
276-
}
254+
else if (value instanceof String && isJSONType(rsmd, i)) { //json String
255+
value = JSON.parse((String) value);
277256
}
278257
}
279258

280-
result.put(columnArray[i], value);
259+
result.put(rsmd.getColumnLabel(i), value);
281260
}
282261

283262
resultMap.put(index, result);
@@ -296,31 +275,19 @@ else if (value instanceof String) {
296275
return resultMap.get(position);
297276
}
298277

299-
300-
/**获取要查询的字段名数组
301-
* @param config
278+
/**判断是否为JSON类型
279+
* @param rsmd
280+
* @param position
302281
* @return
303-
* @throws SQLException
304282
*/
305-
private String[] getColumnArray(SQLConfig config) throws SQLException {
306-
if (config == null) {
307-
return null;
308-
}
309-
String column = config.getColumn();
310-
if (StringUtil.isNotEmpty(column, true)) {
311-
return StringUtil.split(column);//column.contains(",") ? column.split(",") : new String[]{column};
312-
}
313-
314-
List<String> list = new ArrayList<String>();
315-
String table = config.getSQLTable();
316-
ResultSet rs = metaData.getColumns(config.getSchema(), null, table, "%");
317-
while (rs.next()) {
318-
Log.i(TAG, rs.getString(4));
319-
list.add(rs.getString(4));
283+
private boolean isJSONType(ResultSetMetaData rsmd, int position) {
284+
try {
285+
return rsmd.getColumnType(position) == 1 || rsmd.getColumnTypeName(position).toLowerCase().contains("json");
286+
} catch (SQLException e) {
287+
e.printStackTrace();
320288
}
321-
rs.close();
322-
323-
return list.toArray(new String[]{});
289+
return false;
324290
}
325291

292+
326293
}

0 commit comments

Comments
 (0)