直接SQL支持?占位符，放置SQL注入

778c6584 · zhouweidong · 628d0520 · 778c6584 · 778c6584 · 778c6584
--- a/SLN/%PUBPRJ%-core/src/main/java/%SYS_PKGPATH%/core/%MOD_PKGPATH%/mapper/%DE%Mapper.java.ftl
+++ b/SLN/%PUBPRJ%-core/src/main/java/%SYS_PKGPATH%/core/%MOD_PKGPATH%/mapper/%DE%Mapper.java.ftl
@@ -6,6 +6,7 @@ package ${pub.getPKGCodeName()}.core.${item.getPSSystemModule().codeName?lower_c
 import java.util.List;
 import org.apache.ibatis.annotations.*;
+import java.util.Map;
 import com.baomidou.mybatisplus.core.mapper.BaseMapper;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import com.baomidou.mybatisplus.core.metadata.IPage;
@@ -54,7 +55,7 @@ public interface ${item.getCodeName()}Mapper extends BaseMapper<${item.getCodeNa
      * @return
      */
     @Select("${r'${sql}'}")
-     List<JSONObject> selectBySQL(@Param("sql") String sql);
+     List<JSONObject> selectBySQL(@Param("sql") String sql, @Param("et")Map param);
    /**
    * 自定义更新SQL
@@ -62,7 +63,7 @@ public interface ${item.getCodeName()}Mapper extends BaseMapper<${item.getCodeNa
    * @return
    */
    @Update("${r'${sql}'}")
-    boolean updateBySQL(@Param("sql") String sql);
+    boolean updateBySQL(@Param("sql") String sql, @Param("et")Map param);
    /**
    * 自定义插入SQL
@@ -70,7 +71,7 @@ public interface ${item.getCodeName()}Mapper extends BaseMapper<${item.getCodeNa
    * @return
    */
    @Insert("${r'${sql}'}")
-    boolean insertBySQL(@Param("sql") String sql);
+    boolean insertBySQL(@Param("sql") String sql, @Param("et")Map param);
    /**
    * 自定义删除SQL
@@ -78,7 +79,7 @@ public interface ${item.getCodeName()}Mapper extends BaseMapper<${item.getCodeNa
    * @return
    */
    @Delete("${r'${sql}'}")
-    boolean deleteBySQL(@Param("sql") String sql);
+    boolean deleteBySQL(@Param("sql") String sql, @Param("et")Map param);
    <#comment>1：N关系中，在子实体中创建父实体的实例对象</#comment>
 	<#if de.getMinorPSDERs?? && de.getMinorPSDERs()??>

--- a/SLN/%PUBPRJ%-core/src/main/java/%SYS_PKGPATH%/core/%MOD_PKGPATH%/service/I%DE%Service.java.ftl
+++ b/SLN/%PUBPRJ%-core/src/main/java/%SYS_PKGPATH%/core/%MOD_PKGPATH%/service/I%DE%Service.java.ftl
@@ -32,8 +32,8 @@ public interface I${item.codeName}Service extends IService<${item.codeName}>{
    <@addIDESerivceBody />
-    List<JSONObject> select(String sql);
+    List<JSONObject> select(String sql, Map param);
-    boolean execute(String sql);
+    boolean execute(String sql, Map param);
 }
 <#comment>NoSQL存储-MongoDB</#comment>

--- a/SLN/%PUBPRJ%-core/src/main/java/%SYS_PKGPATH%/core/%MOD_PKGPATH%/service/impl/%DE%ServiceImpl.java.ftl
+++ b/SLN/%PUBPRJ%-core/src/main/java/%SYS_PKGPATH%/core/%MOD_PKGPATH%/service/impl/%DE%ServiceImpl.java.ftl
@@ -18,6 +18,7 @@ import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
+import java.util.Map;
 import java.util.HashSet;
 import java.util.HashMap;
 import java.util.Collection;
@@ -41,12 +42,6 @@ import ${pub.getPKGCodeName()}.core.${item.getPSSystemModule().getCodeName()?low
 import ${pub.getPKGCodeName()}.core.${item.getPSSystemModule().getCodeName()?lower_case}.service.I${de.getCodeName()}Service;
 import ${pub.getPKGCodeName()}.util.helper.CachedBeanCopier;
-<#if item.getAllPSDELogics()??>
-    <#list item.getAllPSDELogics() as logic>
-//import ${pub.getPKGCodeName()}.core.${item.getPSSystemModule().getCodeName()?lower_case}.service.logic.I${de.getCodeName()}${logic.getCodeName()}Logic;
-    </#list>
-</#if>
 <#comment>SQL存储-Mybatis</#comment>
 <#if de.getStorageMode()==1>
@@ -519,24 +514,24 @@ public class ${item.getCodeName()}ServiceImpl extends ServiceImpl<${de.getCodeNa
    <#comment>输出自定义sql查询</#comment>
    @Override
-    public List<JSONObject> select(String sql){
+    public List<JSONObject> select(String sql, Map param){
-        return this.baseMapper.selectBySQL(sql);
+        return this.baseMapper.selectBySQL(sql,param);
    }
    @Override
    @Transactional
-    public boolean execute(String sql){
+    public boolean execute(String sql , Map param){
        if (sql == null || sql.isEmpty()) {
            return false;
        }
        if (sql.toLowerCase().trim().startsWith("insert")) {
-            return this.baseMapper.insertBySQL(sql);
+            return this.baseMapper.insertBySQL(sql,param);
        }
        if (sql.toLowerCase().trim().startsWith("update")) {
-            return this.baseMapper.updateBySQL(sql);
+            return this.baseMapper.updateBySQL(sql,param);
        }
        if (sql.toLowerCase().trim().startsWith("delete")) {
-            return this.baseMapper.deleteBySQL(sql);
+            return this.baseMapper.deleteBySQL(sql,param);
        }
        log.warn("暂未支持的SQL语法");
        return true;

--- a/SLN/%PUBPRJ%-core/src/main/resources/rules/%DE%%ITEM%Rule.drl.ftl
+++ b/SLN/%PUBPRJ%-core/src/main/resources/rules/%DE%%ITEM%Rule.drl.ftl
@@ -9,6 +9,7 @@ package ${pub.getPKGCodeName()}.${de.getPSSystemModule().codeName?lower_case}.lo
 <#comment>插入逻辑参数</#comment>
 <#if delogic.getPSDELogicParams?? && delogic.getPSDELogicParams()??>
 import java.util.Map;
+import java.util.HashMap;
 import com.alibaba.fastjson.JSONObject;
    <#list delogic.getPSDELogicParams() as logicParam>
        <#if logicParam.isDefault()==true>
@@ -100,12 +101,13 @@ ruleflow-group "${logicName+deLogicNode.getCodeName()?lower_case}"
                </#if>
            <#elseif deLogicNode.getLogicNodeType()=='RAWSQLCALL'><#comment>直接SQL</#comment>
            <#if deLogicNode.getPSDELogicNodeParams()??><#comment>是否包含参数列表</#comment>
-    String strSql=${getCallSQL(deLogicNode)};
+                <@getCallSQL2 deLogicNode/>
            <#else>
+    Map param = null;
    String strSql="${srfjavasqlcode('${deLogicNode.getParam("PARAM4","")}')}";
            </#if>
            <#if  deLogicNode.getDstPSDELogicParam?? && deLogicNode.getDstPSDELogicParam()?? ><#comment>配置返回参数</#comment>
-    java.util.List<JSONObject> entities=iBzSys${de.codeName?lower_case?cap_first}DefaultService.select(strSql);//SQL调用
+    java.util.List<JSONObject> entities=iBzSys${de.codeName?lower_case?cap_first}DefaultService.select(strSql,param);//SQL调用
    if(entities.size()>0){
            <#assign targetLogicParam=deLogicNode.getDstPSDELogicParam()>
        JSONObject entity=entities.get(0);
@@ -166,34 +168,63 @@ ruleflow-group "${logicName+deLogicNode.getCodeName()?lower_case}"
    </#list>
 </#if>
-<#comment>获取String.format拼接的sql</#comment>
+<#--<#comment>获取String.format拼接的sql</#comment>-->
-<#function getCallSQL deLogicNode>
+<#--<#function getCallSQL deLogicNode>-->
-    <#assign sql=srfjavasqlcode('${deLogicNode.getParam("PARAM4","")}')>
+    <#--<#assign sql=srfjavasqlcode('${deLogicNode.getParam("PARAM4","")}')>-->
-    <#comment>将sql中的?替换为%s ，如：select * from table where id=? ; select * from table where id = '%s' </#comment>
+    <#--<#comment>将sql中的?替换为%s ，如：select * from table where id=? ; select * from table where id = '%s' </#comment>-->
-    <#assign sql=sql?replace('%','%%')?replace('?','%s')>
+    <#--<#assign sql=sql?replace('%','%%')?replace('?','%s')>-->
-    <#assign strSQL="String.format(\""+sql+"\",">
+    <#--<#assign strSQL="String.format(\""+sql+"\",">-->
+    <#--<#list deLogicNode.getPSDELogicNodeParams() as nodeParam>-->
+        <#--<#assign  sqlParam="">-->
+        <#--<#if nodeParam.getSrcValueType()=='SRCDLPARAM'><#comment>源逻辑参数</#comment>-->
+            <#--<#assign  srcPSDELogicParam=nodeParam.getSrcPSDELogicParam()>-->
+            <#--<#assign  srcFieldName=nodeParam.getSrcFieldName()>-->
+            <#--<#if srcPSDELogicParam.getParamPSDataEntity?? && srcPSDELogicParam.getParamPSDataEntity()??><#comment>源逻辑参数选择了实体</#comment>-->
+                <#--<#assign sqlParam=logicName+srcPSDELogicParam.getCodeName()?lower_case+".get(\""+srcFieldName?lower_case+"\")">-->
+            <#--</#if>-->
+        <#--<#elseif nodeParam.getSrcValueType()=='SRCVALUE'><#comment>直接值</#comment>-->
+            <#--<#assign sqlParam=nodeParam.getSrcValue()>-->
+        <#--<#else>-->
+            <#--<#assign sqlParam="null"><#comment>暂未支持其余准备参数设置</#comment>-->
+        <#--</#if>-->
+        <#--<#if nodeParam.getSrcValueType()=='SRCVALUE'>-->
+            <#--<#assign strSQL=strSQL+"\""+sqlParam+"\"">-->
+        <#--<#else>-->
+            <#--<#assign strSQL=strSQL+sqlParam>-->
+        <#--</#if>-->
+        <#--<#if nodeParam_has_next>-->
+            <#--<#assign strSQL=strSQL+",">-->
+        <#--</#if>-->
+    <#--</#list>-->
+    <#--<#assign strSQL=strSQL+")">-->
+    <#--<#return strSQL>-->
+<#--</#function>-->
+<#macro getCallSQL2 deLogicNode >
+    Map param =new HashMap();
+    <#comment>准备参数列表</#comment>
    <#list deLogicNode.getPSDELogicNodeParams() as nodeParam>
        <#assign  sqlParam="">
        <#if nodeParam.getSrcValueType()=='SRCDLPARAM'><#comment>源逻辑参数</#comment>
            <#assign  srcPSDELogicParam=nodeParam.getSrcPSDELogicParam()>
            <#assign  srcFieldName=nodeParam.getSrcFieldName()>
            <#if srcPSDELogicParam.getParamPSDataEntity?? && srcPSDELogicParam.getParamPSDataEntity()??><#comment>源逻辑参数选择了实体</#comment>
-                <#assign sqlParam=logicName+srcPSDELogicParam.getCodeName()?lower_case+".get(\""+srcFieldName?lower_case+"\")">
+                <#assign srcRefDEFieldCodeName=srcPSDELogicParam.getParamPSDataEntity().getPSDEField(srcFieldName).codeName>
+                <#assign sqlParam=logicName+srcPSDELogicParam.getCodeName()?lower_case+".get"+srcRefDEFieldCodeName?cap_first+"()">
+            <#else>
+                //暂不支持非实体的逻辑参数赋值!
            </#if>
        <#elseif nodeParam.getSrcValueType()=='SRCVALUE'><#comment>直接值</#comment>
-            <#assign sqlParam=nodeParam.getSrcValue()>
+            <#assign sqlParam="\""+nodeParam.getSrcValue()+"\"">
        <#else>
            <#assign sqlParam="null"><#comment>暂未支持其余准备参数设置</#comment>
        </#if>
-        <#if nodeParam.getSrcValueType()=='SRCVALUE'>
+    param.put("param${nodeParam_index}",${sqlParam});
-            <#assign strSQL=strSQL+"\""+sqlParam+"\"">
+    </#list>
-        <#else>
+    <#comment>将占位符?替换为#{et.param1}</#comment>
-            <#assign strSQL=strSQL+sqlParam>
+    <#assign sql=srfjavasqlcode('${deLogicNode.getParam("PARAM4","")}')>
-        </#if>
+    <#list deLogicNode.getPSDELogicNodeParams() as nodeParam>
-        <#if nodeParam_has_next>
+        <#assign sql=sql?replace("?","#"+"{et.param"+nodeParam_index+"}","f")>
-            <#assign strSQL=strSQL+",">
-        </#if>
    </#list>
-    <#assign strSQL=strSQL+")">
+    String strSql="${sql}";
-    <#return strSQL>
+</#macro>
-</#function>
\ No newline at end of file
\ No newline at end of file