
sql防注入及返回类型

xushili vor 2 Jahren
Ursprung
Commit
667c07af19

+ 15 - 9
src/main/java/com/gyee/table/controller/TableHeaderController.java

@@ -1,15 +1,22 @@
 package com.gyee.table.controller;
 
+import com.alibaba.fastjson2.JSONObject;
 import com.gyee.table.entity.TableHeaderColumn;
 import com.gyee.table.mapper.ObjectAllMapper;
+import com.gyee.table.result.Result;
+import com.gyee.table.result.ResultCode;
+import com.gyee.table.service.IObjectService;
 import com.gyee.table.service.ITableHeaderColumnService;
 import com.gyee.table.service.ITableHeaderService;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
+import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 /**
  * <p>
@@ -28,7 +35,9 @@ public class TableHeaderController {
     @Resource
     private ITableHeaderColumnService tableHeaderColumnService;
     @Resource
-    private ObjectAllMapper objectMapper;
+    private IObjectService objectService;
+
+    private final static String regex = "#|/\\*|\\*/|--|\\buse\\b|\\binsert\\b|\\bdelete\\b|\\bupdate\\b|\\bcreate\\b|\\bdrop\\b|\\btruncate\\b|\\balter\\b|\\bgrant\\b|\\bexecute\\b|\\bexec\\b|\\bxp_cmdshell\\b|\\bcall\\b|\\bdeclare\\b|\\bsource\\b|\\bsql\\b|\\bchr\\b|\\bmid\\b|\\bmaster\\b|\\bchar\\b|\\bsitename\\b|\\bnet user\\b|;|-|\\+|,|\\btable\\b|\\bgroup_concat\\b|\\bcolumn_name\\b|\\binformation_schema.columns\\b|\\btable_schema\\b|//|/";
 
     @GetMapping("/header/{headername}")
     private List<TableHeaderColumn> header(@PathVariable String headername){
@@ -37,16 +46,13 @@ public class TableHeaderController {
         return header;
     }
     @PostMapping("/data")
-    private List<LinkedHashMap<String, Object>> getData(@RequestBody Map map){
-        String sql = (String) map.get("sql");
-        List<LinkedHashMap<String, Object>> lm = objectMapper.selectAll(sql);
-        System.out.println();
-        return lm;
+    private JSONObject getData(@RequestBody Map map){
+        return objectService.selectBySql(map);
     }
 
     @GetMapping("/test")
-    private List<TableHeaderColumn> test(){
-        List<TableHeaderColumn> list = tableHeaderColumnService.list();
-        return list;
+    private JSONObject test(){
+        //List<TableHeaderColumn> list = tableHeaderColumnService.list();
+        return Result.successData(ResultCode.SUCCESS,null);
     }
 }
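Review bot: The `regex` constant added at line 43 and the new `Arrays`, `Matcher` and `Pattern` imports are never used in this controller; the matching now happens in `ObjectServiceImpl`, so this is a second copy of the deny-list that will drift from the one actually enforced. Drop the field and the three imports here, or keep a single shared constant owned by the service. `getData` also takes a raw `@RequestBody Map map`; `Map<String, Object>` matches what `selectBySql` reads and removes the raw-type warning. The class body continues outside the hunks shown.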

+ 72 - 0
src/main/java/com/gyee/table/result/Result.java

@@ -0,0 +1,72 @@
+package com.gyee.table.result;
+
+import com.alibaba.fastjson2.JSONObject;
+import lombok.Data;
+
+import java.io.Serializable;
+
+@Data
+public class Result implements Serializable {
+
+    private Integer code;
+    private String message;
+    private Object data;
+
+    public static JSONObject error(){
+        JSONObject json = new JSONObject();
+        json.put("code", ResultCode.ERROR.getCode());
+        json.put("msg", ResultCode.ERROR.getMessage());
+        return json;
+    }
+
+    public static JSONObject error(ResultCode resultCode){
+        JSONObject json = new JSONObject();
+        json.put("code", resultCode.getCode());
+        json.put("msg", resultCode.getMessage());
+        return json;
+    }
+
+    public static JSONObject error(ResultCode resultCode,String message){
+        JSONObject json = new JSONObject();
+        json.put("code", resultCode.getCode());
+        json.put("msg", resultCode.getMessage()+","+message);
+        return json;
+    }
+
+    public static JSONObject error(int code, String message){
+        JSONObject json = new JSONObject();
+        json.put("code", code);
+        json.put("msg", message);
+        return json;
+    }
+
+    public static JSONObject success(){
+        JSONObject json = new JSONObject();
+        json.put("code", ResultCode.SUCCESS.getCode());
+        json.put("msg", ResultCode.SUCCESS.getMessage());
+        return json;
+    }
+
+    public static JSONObject seccess(int code, String message){
+        JSONObject json = new JSONObject();
+        json.put("code", code);
+        json.put("msg", message);
+        return json;
+    }
+
+    public static JSONObject success(ResultCode resultCode){
+        JSONObject json = new JSONObject();
+        json.put("code", resultCode.getCode());
+        json.put("msg", resultCode.getMessage());
+        return json;
+    }
+
+    public static JSONObject successData(ResultCode code, Object data){
+        JSONObject json = new JSONObject();
+        json.put("code", code.getCode());
+        json.put("msg", code.getMessage());
+        json.put("data", data == null ? new JSONObject():data);
+        return json;
+    }
+
+}
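Review bot: `seccess(int code, String message)` at line 123 is a typo in a public factory name; rename it to `success(int code, String message)` so it pairs with the existing `success()` and `success(ResultCode)` overloads before callers start depending on the misspelling. The instance fields `code`, `message` and `data` (and the accessors `@Data` generates for them) are never written by any method here — every factory builds and returns a `JSONObject` — so they are dead weight; if the class is intended as a static holder, a `private Result() {}` constructor and dropping `@Data`/`Serializable` would make that explicit. `error(ResultCode, String)` joins with a bare `","`; `", "` reads better in client-facing messages.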

+ 85 - 0
src/main/java/com/gyee/table/result/ResultCode.java

@@ -0,0 +1,85 @@
+package com.gyee.table.result;
+
+/*
+ * #1001~1999 区间表示参数错误
+ * #2001~2999 区间表示用户错误
+ * #3001~3999 区间表示权限异常
+ */
+
+public enum ResultCode {
+    /* 成功 */
+    SUCCESS(200, "成功"),
+
+    /* 默认失败 */
+    ERROR(4000, "失败"),
+    ERROR_FILE_NO(4001, "文件未找到"),
+    ERROR_FILE_TYPE(4002, "文件类型不正确"),
+    ERROR_FILE_DATA(4003, "数据为空"),
+    ERROR_DATA_TYPE(4004, "数据格式不正确"),
+    ERROR_CONNECT(4005, "数据库连接异常"),
+    ERROR_DATA(4006, "数据库操作失败"),
+    ERROR_DATA_REPEAT(4007, "数据已存在"),
+    ERROR_MODEL(4008, "同场站不同机型至少启用一个模型"),
+    ERROR_SQL(4009, "sql语法不正确"),
+    ERROR_UNSUPPORTED_SQL(4010, "不支持的sql语句"),
+
+
+    /* 参数错误:1000~1999 */
+    PARAM_NOT_VALID(1001, "参数无效"),
+    PARAM_IS_BLANK(1002, "参数为空"),
+    PARAM_TYPE_ERROR(1003, "参数类型错误"),
+    PARAM_NOT_COMPLETE(1004, "参数缺失"),
+    ERROR_DATA_DIR(1005, "目录创建失败"),
+    ERROR_DATA_FILE(1006, "文件上传失败"),
+
+    /* 用户错误 */
+    USER_NOT_LOGIN(2001, "用户未登录"),
+    USER_ACCOUNT_ERROR(2002, "账号或密码错误"),
+    USER_FAIL_LOGIN(2003, "登录失败"),
+    USER_OUT_LOGIN(2004, "登出成功"),
+    USER_ERROR_TOKEN(2005, "登录已过期,请重新登录"),
+
+    /* 业务错误 */
+    NO_PERMISSION(3001, "没有权限"),
+    ERROR_ENABLE(3002, "模型为启用状态,不允许删除"),
+    ERROR_TASK(3003, "有正在进行的任务,请稍后在试");
+
+    private Integer code;
+    private String message;
+
+    ResultCode(Integer code, String message) {
+        this.code = code;
+        this.message = message;
+    }
+
+    public Integer getCode() {
+        return code;
+    }
+
+    public void setCode(Integer code) {
+        this.code = code;
+    }
+
+    public String getMessage() {
+        return message;
+    }
+
+    public void setMessage(String message) {
+        this.message = message;
+    }
+
+    /**
+     * 根据code获取message
+     *
+     * @param code
+     * @return
+     */
+    public static String getMessageByCode(Integer code) {
+        for (ResultCode ele : values()) {
+            if (ele.getCode().equals(code)) {
+                return ele.getMessage();
+            }
+        }
+        return null;
+    }
+}
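Review bot: `ResultCode` exposes `setCode` and `setMessage` on enum constants, so any caller can silently rewrite the code or message of `SUCCESS` or `ERROR` for the whole JVM; declare the fields `private final Integer code;` and `private final String message;` and delete both setters. `getMessageByCode` returns `null` when no constant matches, which callers will then concatenate into messages; returning `Optional<String>` (or a documented default) and filling in the empty Javadoc `@param code` and `@return` lines would make the absent case explicit. The header comment says 1001–1999 is the parameter-error range, yet `ERROR_DATA_DIR` and `ERROR_DATA_FILE` (1005/1006) describe filesystem failures; either move them next to the other `ERROR_FILE_*` codes or update the comment.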

+ 7 - 0
src/main/java/com/gyee/table/service/IObjectService.java

@@ -1,5 +1,11 @@
 package com.gyee.table.service;
 
+import com.alibaba.fastjson2.JSONObject;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
 /**
  * <p>
  *  服务类
@@ -10,4 +16,5 @@ package com.gyee.table.service;
  */
 public interface IObjectService {
 
+    JSONObject selectBySql(Map map);
 }
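Review bot: `selectBySql(Map map)` uses a raw `Map`; the implementation reads `map.get("sql")` as a `String`, so `JSONObject selectBySql(Map<String, Object> map);` would document the expected shape and silence the raw-type warning. The `LinkedHashMap` and `List` imports added above are unused in this interface and can be dropped. A Javadoc line stating that the method returns an `ERROR_UNSUPPORTED_SQL` result (rather than throwing) when the statement matches the service's deny-list would tell callers what to expect.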

+ 34 - 1
src/main/java/com/gyee/table/service/impl/ObjectServiceImpl.java

@@ -1,7 +1,19 @@
 package com.gyee.table.service.impl;
 
+import com.alibaba.fastjson2.JSONObject;
+import com.gyee.table.mapper.ObjectAllMapper;
+import com.gyee.table.result.Result;
+import com.gyee.table.result.ResultCode;
+import com.gyee.table.service.IObjectService;
 import org.springframework.stereotype.Service;
 
+import javax.annotation.Resource;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 /**
  * <p>
  *  服务实现类
@@ -11,6 +23,27 @@ import org.springframework.stereotype.Service;
  * @since 2023-01-11
  */
 @Service
-public class ObjectServiceImpl {
+public class ObjectServiceImpl implements IObjectService {
+
+    private final static String regex = "#|/\\*|\\*/|--|\\buse\\b|\\binsert\\b|\\bdelete\\b|\\bupdate\\b|\\bcreate\\b|\\bdrop\\b|\\btruncate\\b|\\balter\\b|\\bgrant\\b|\\bexecute\\b|\\bexec\\b|\\bxp_cmdshell\\b|\\bcall\\b|\\bdeclare\\b|\\bsource\\b|\\bsql\\b|\\bchr\\b|\\bmid\\b|\\bmaster\\b|\\bchar\\b|\\bsitename\\b|\\bnet user\\b|;|-|\\+|,|\\btable\\b|\\bgroup_concat\\b|\\bcolumn_name\\b|\\binformation_schema.columns\\b|\\btable_schema\\b|//|/";
+    private Pattern compile = null;
+    {
+        compile = Pattern.compile(regex);
+    }
+
+    @Resource
+    private ObjectAllMapper objectMapper;
+
+    @Override
+    public JSONObject selectBySql(Map map) {
 
+        String sql = (String) map.get("sql");
+        Matcher matcher = compile.matcher(sql);
+        if(matcher.find()){
+            String group = matcher.group(0);
+            return Result.error(ResultCode.ERROR_UNSUPPORTED_SQL,"查看字符:"+group);
+        }
+        List<LinkedHashMap<String, Object>> lms = objectMapper.selectAll(sql);
+        return Result.successData(ResultCode.SUCCESS,lms);
+    }
 }
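Review bot: `selectBySql` still executes a client-supplied SQL string through `objectMapper.selectAll(sql)`, and the deny-list at line 289 is not an adequate control for that: it is compiled without `Pattern.CASE_INSENSITIVE`, so its lower-case `\\bdrop\\b`-style alternatives only match lower-case keywords, while at the same time it rejects `,`, `-`, `/` and `;`, so ordinary multi-column selects fail with `ERROR_UNSUPPORTED_SQL`. The robust fix is to stop accepting SQL from the request body — expose named server-side queries (parameterized statements) selected by an identifier — and, as defense in depth, run the mapper's datasource under a read-only database role; if the deny-list must stay meanwhile, compile it once as `private static final Pattern SQL_DENYLIST = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);` rather than in an instance initializer. `map.get("sql")` may be absent, and `compile.matcher(null)` then throws `NullPointerException` out of the handler; add `if (sql == null || sql.trim().isEmpty()) { return Result.error(ResultCode.PARAM_IS_BLANK); }` before matching. Note also that `\\binformation_schema.columns\\b` has an unescaped `.`, and `ObjectAllMapper.selectAll` is outside this commit, so whether it further constrains the statement cannot be seen here.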

+ 9 - 0
src/test/java/com/gyee/table/myTest.java

@@ -0,0 +1,9 @@
+package com.gyee.table;
+
+public class myTest {
+    public static void main(String[] args) {
+        String s = "/*";
+        String[] s1 = s.split(" ");
+        System.out.println();
+    }
+}
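Review bot: `myTest` is a scratch `main` with no assertions — `s1` is computed and discarded and `System.out.println()` prints an empty line — so it verifies nothing and should not be committed under `src/test`. If the intent was to check the deny-list, turn it into a real test that runs the pattern against a few representative statements and asserts on `matcher.find()`, and name the class in `UpperCamelCase` (e.g. `SqlDenyListTest`). As written it is only a `main` method, so a test runner will never execute it.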