改进聚合查询安全性
liu21st committed Oct 18, 2018
1 parent eca555e commit 43d3d95
Showing 4 changed files with 17 additions and 7 deletions.
4 changes: 2 additions & 2 deletions ThinkPHP/Library/Think/Db/Driver.class.php
Expand Up @@ -448,12 +448,12 @@ protected function bindParam($name, $value)

/**
* 字段和表名处理
* @access protected
* @access public
* @param string $key
* @param bool $strict
* @return string
*/
protected function parseKey($key, $strict = false)
public function parseKey($key, $strict = false)
{
return $key;
}
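Review bot: Driver::parseKey still returns `$key` untouched whatever `$strict` is, so the new strict flag is a no-op in the base class, and any driver that does not override parseKey gets no allow-list check when Model passes `true`. The check that Mysql and Sqlsrv now each carry a copy of belongs here as the default behaviour, e.g. `if ($strict && !preg_match('/^[\w\.\*]+$/', $key)) {` / `E('not support data:' . $key);` / `}` before the return, with the subclasses keeping only their quoting. Which drivers rely on the base implementation is not visible in this commit.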
9 changes: 7 additions & 2 deletions ThinkPHP/Library/Think/Db/Driver/Mysql.class.php
Expand Up @@ -94,14 +94,19 @@ public function getTables($dbName = '')

/**
* 字段和表名处理
* @access protected
* @access public
* @param string $key
* @param bool $strict
* @return string
*/
protected function parseKey($key, $strict = false)
public function parseKey($key, $strict = false)
{
$key = trim($key);

if ($strict && !preg_match('/^[\w\.\*]+$/', $key)) {
E('not support data:' . $key);
}

if ($strict || (!is_numeric($key) && !preg_match('/[,\'\"\*\(\)`.\s]/', $key))) {
$key = '`' . $key . '`';
}
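Review bot: The docblock above parseKey only changed from protected to public, while `$strict` gained a second meaning: besides forcing the backtick quoting it now rejects any key outside `^[\w\.\*]+$` by raising through `E()`, so callers passing `true` must expect an exception. A line such as `@param bool $strict true: quote unconditionally and raise via E() unless the key is a plain identifier (\w . *)` would record that, and the same applies to the Sqlsrv and Driver docblocks in this commit. Note also that `'not support data:' . $key` echoes the rejected value verbatim into the error message; since this is exactly the value the check refused, truncating it or keeping it out of any user-visible error page is worth considering, depending on how E() is surfaced in this framework (not visible here). parseKey's body continues below the hunk.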
9 changes: 7 additions & 2 deletions ThinkPHP/Library/Think/Db/Driver/Sqlsrv.class.php
Expand Up @@ -105,14 +105,19 @@ protected function parseOrder($order)

/**
* 字段和表名处理
* @access protected
* @access public
* @param string $key
* @param bool $strict
* @return string
*/
protected function parseKey($key, $strict = false)
public function parseKey($key, $strict = false)
{
$key = trim($key);

if ($strict && !preg_match('/^[\w\.\*]+$/', $key)) {

@douginwai

douginwai Aug 5, 2019

添加的这部分代码导致 count('distinct(field)') not support data 错误

E('not support data:' . $key);
}

if ($strict || (!is_numeric($key) && !preg_match('/[,\'\"\*\(\)\[.\s]/', $key))) {
$key = '[' . $key . ']';
}
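Review bot: The non-strict branch right after the added block screens for `[` but not `]` before wrapping the key in brackets (`$key = '[' . $key . ']'`), so a key containing `]` is emitted without the `]]` doubling SQL Server uses to escape that character inside a delimited identifier; the new allow-list catches it only when `$strict` is true, which is not the default. That line is unchanged by this commit, but since the function is being hardened here, adding `\]` to the character class on that line, `'/[,\'\"\*\(\)\[\].\s]/'`, would close it on the default path as well. parseKey's body continues below the hunk.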
2 changes: 1 addition & 1 deletion ThinkPHP/Library/Think/Model.class.php
Expand Up @@ -239,7 +239,7 @@ public function __call($method, $args)
} elseif (in_array(strtolower($method), array('count', 'sum', 'min', 'max', 'avg'), true)) {
// 统计查询的实现
$field = isset($args[0]) ? $args[0] : '*';
return $this->getField(strtoupper($method) . '(' . $field . ') AS tp_' . $method);
return $this->getField(strtoupper($method) . '(' . $this->db->parseKey($field, true) . ') AS tp_' . $method);

@imdengshuang

imdengshuang Nov 21, 2018

$this->db->parseKey($field, true)
聚合查询不应强制加 `
$this->db->parseKey($field,false)

} elseif (strtolower(substr($method, 0, 5)) == 'getby') {
// 根据某个字段获取记录
$field = parse_name(substr($method, 5));
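Review bot: The aggregate branch now routes `$field` through `parseKey($field, true)`, which in the Mysql and Sqlsrv drivers of this commit raises through E() for anything outside `[\w.*]`; count()/sum()/min()/max()/avg() therefore become throwing calls for inputs they previously passed through, and nothing on this line or in the branch comment records that. A comment such as `// $field is validated as a plain identifier and quoted by the driver; any other value raises via E()` above the return would make the new contract visible to callers. The enclosing __call starts and ends outside the hunk.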