
After upgrading to 1.6.2 it keeps warning "Note: the value may carry SQL injection risk" #2032 (jeecgboot/jimureport)

Description

@lijinlang
Version: 1.6.2
Problem description:

After upgrading to 1.6.2 it keeps warning "Note: the value may carry SQL injection risk". Before the upgrade everything was fine, so I'm a bit confused. How should this statement be written so that there is no injection risk?

Error log & screenshot: [screenshot]

Activity

zhangdaiscott (Member) commented on Sep 24, 2023

Please paste the SQL,
and also provide the CREATE TABLE SQL.

lijinlang (Author) commented on Sep 25, 2023

"Please paste the SQL, and also provide the CREATE TABLE SQL."

select cid,cgoods,cgoodsname,famount,fmoney,cmemo from fy_bus_sales where mid='${id}'

Table creation statement; I am using SQL Server:

CREATE TABLE [dbo].[fy_bus_sales] (
[id] varchar(36) COLLATE Chinese_PRC_CI_AS NOT NULL,
[create_by] nvarchar(50) COLLATE Chinese_PRC_CI_AS NULL,
[create_time] datetime NULL,
[update_by] nvarchar(50) COLLATE Chinese_PRC_CI_AS NULL,
[update_time] datetime NULL,
[sys_org_code] nvarchar(64) COLLATE Chinese_PRC_CI_AS NULL,
[mid] nvarchar(50) COLLATE Chinese_PRC_CI_AS NULL,
[cid] nvarchar(50) COLLATE Chinese_PRC_CI_AS NULL,
[cgoods] nvarchar(50) COLLATE Chinese_PRC_CI_AS NULL,
[cgoodsname] nvarchar(150) COLLATE Chinese_PRC_CI_AS NULL,
[famount] decimal(10,2) NULL,
[fmoney] decimal(10,2) NULL,
[fwriteoff] decimal(10,2) NULL,
[cmemo] nvarchar(300) COLLATE Chinese_PRC_CI_AS NULL
)
GO

zhangdaiscott (Member) commented on Sep 25, 2023

Tested it, no problem here. Check which keyword the backend log reports.
[screenshot]

lijinlang (Author) commented on Sep 25, 2023

I just checked: it reports that the field mid contains an SQL injection keyword. That is a field name, and it is restricted anyway, so I think it has little to do with injection.

[screenshot]

zhangdaiscott (Member) commented on Sep 25, 2023

It is caused by that keyword.
The validation method is flawed.
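
As an added illustration (not JimuReport's code) of why a keyword check that scans the whole SQL template flags the column name `mid`: the blocklist and the `${param}` rendering below are assumptions, and the point is that only the untrusted parameter value should be scanned, with whole-word rather than substring matching.

```python
import re

# Constructed blocklist for this example; an assumption, not JimuReport's real list.
BLOCKED = {"select", "union", "insert", "delete", "drop", "exec", "mid", "to_char", "or"}

# The report SQL from this thread; ${id} is the report parameter filled in at run time.
SAMPLE_SQL = ("select cid,cgoods,cgoodsname,famount,fmoney,cmemo "
              "from fy_bus_sales where mid='${id}'")


def substring_check(text: str) -> list[str]:
    """Naive check: a keyword is flagged wherever it occurs as a substring,
    so 'Florida' trips on 'or' and any identifier containing 'mid' trips too."""
    low = text.lower()
    return sorted(k for k in BLOCKED if k in low)


def token_check(text: str) -> list[str]:
    """Whole-word check: only standalone identifiers or keywords count."""
    tokens = set(re.findall(r"[a-z_][a-z0-9_]*", text.lower()))
    return sorted(BLOCKED & tokens)


def render(template: str, params: dict[str, str]) -> str:
    """Fill ${name} placeholders, scanning only the untrusted parameter values.
    The template is the report author's own SQL, so its column name 'mid'
    never reaches the check. Hypothetical helper: the quote doubling below is
    a fallback for engines that splice text; a bound parameter is preferable."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        value = params[name]
        hits = token_check(value)
        if hits:
            raise ValueError(f"parameter {name!r} contains SQL keyword(s): {hits}")
        return value.replace("'", "''")
    return re.sub(r"\$\{(\w+)\}", substitute, template)
```

Scanning the template with either check still reports `mid` and `select`, because they really are whole words in the author's SQL; only scanning the value avoids the false positive while still rejecting a value such as `1' or '1'='1`.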

lijinlang (Author) commented on Sep 25, 2023

So do I have to wait for an update?

zhangdaiscott (Member) commented on Sep 25, 2023

Upgrade to

<dependency>
  <groupId>org.jeecgframework.jimureport</groupId>
  <artifactId>jimureport-spring-boot-starter</artifactId>
  <version>1.6.3</version>
</dependency>

Userluckytian commented on Oct 17, 2023

Same problem.
The SQL is for a PG database.
Table creation statement:

CREATE TABLE "operation"."base_billrule" (
  "f_id" varchar(50) COLLATE "pg_catalog"."default" NOT NULL,
  "f_encode" varchar(50) COLLATE "pg_catalog"."default",
  "f_creatortime" timestamp(6)
);

The statement is: select f_id, to_char(f_creatortime,'yyyy') nian FROM tablename
I want to set up a date query: [screenshot]

Reference approach I followed: https://help.jeecg.com/jimureport/query/timeControl.html#%E9%97%AE%E9%A2%98

The error I end up with: [screenshot]

@zhangdaiscott

zhangdaiscott (Member) commented on Oct 18, 2023

It is caused by using the to_char function.

Userluckytian commented on Oct 19, 2023

"It is caused by using the to_char function."

Yes, but for date formats we need to use the to_char function. Hoping you can help resolve this. @zhangdaiscott

zhangdaiscott (Member) commented on Oct 19, 2023

Will be handled in the next version.
