
修复SQL注入漏洞

317699326@qq.com 2 days ago
parent
commit
06d711d348

+ 9 - 3
controllers/data_manage/excel/excel_info.go

@@ -466,14 +466,20 @@ func (c *ExcelInfoController) List() {
 		newKeyWord := strings.Split(keyword, " ")
 		keywordStr := strings.Replace(keyword, " ", "", -1)
 
-		condition += " AND ( "
-		condition += ` excel_name LIKE '%` + keywordStr + `%' OR`
+		likeKey := `%` + keywordStr + `%`
 
+		condition += " AND ( "
+		//condition += ` excel_name LIKE '%` + keywordStr + `%' OR`
+		condition += ` excel_name LIKE ? OR`
+		pars = append(pars, likeKey)
 		keyWordArr = append(keyWordArr, newKeyWord...)
 		if len(keyWordArr) > 0 {
 			for _, v := range keyWordArr {
 				if v != "" {
-					condition += ` excel_name LIKE '%` + v + `%' OR`
+					//condition += ` excel_name LIKE '%` + v + `%' OR`
+					likeKey := `%` + v + `%`
+					condition += ` excel_name LIKE ? OR`
+					pars = append(pars, likeKey)
 				}
 			}
 		}
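Review bot: The bound values built at L19 and L31 still pass the user's `%`, `_` and `\` through unescaped, so a keyword consisting of `%` alone matches every row and `_` matches any single character; binding the pattern closes the SQL injection but does not neutralise LIKE metacharacters. If that matters for this search, escape the raw text before wrapping it, e.g. `likeKey := "%" + strings.NewReplacer("\\", "\\\\", "%", "\\%", "_", "\\_").Replace(keywordStr) + "%"` (MySQL's default ESCAPE character is the backslash). The same applies to every LIKE rewrite in this commit (gpr_risk_data.go, purang_data.go, controllers/material/material.go, sandbox.go, services/material/material.go, material_classify.go). `pars` is not declared within this hunk and List() starts before it, so confirm the slice is initialised earlier and actually reaches the query call.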

+ 9 - 5
controllers/data_manage/gpr_risk_data.go

@@ -256,20 +256,24 @@ func (this *BaseFromGprRiskController) GprRiskSearchList() {
 		keyWordArr := strings.Split(keyword, " ")
 
 		if len(keyWordArr) > 0 {
-			condition := ""
+			var condition string
+			var pars []interface{}
 			for _, v := range keyWordArr {
-				condition += ` AND CONCAT(index_name,index_code) LIKE '%` + v + `%'`
+				likeKey := `%` + v + `%`
+				condition += ` AND CONCAT(index_name,index_code) LIKE ? `
+				pars = append(pars, likeKey)
 			}
-			list, err = data_manage.GetGprRiskItemList(condition)
+			list, err = data_manage.GetGprRiskItemList(condition, pars)
 			if err != nil {
 				br.ErrMsg = "获取失败,Err:" + err.Error()
 				br.Msg = "获取失败"
 				return
 			}
 		}
-
 	} else {
-		list, err = data_manage.GetGprRiskItemList("")
+		var condition string
+		var pars []interface{}
+		list, err = data_manage.GetGprRiskItemList(condition, pars)
 		if err != nil {
 			br.ErrMsg = "获取失败,Err:" + err.Error()
 			br.Msg = "获取失败"
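Review bot: The else branch at L65–L67 declares `condition` and `pars` only to pass their zero values; `list, err = data_manage.GetGprRiskItemList("", nil)` says the same thing without the two extra lines. In the keyword loop at L48–L52, `strings.Split` yields empty strings for doubled or trailing spaces, and each one now appends a `LIKE '%%'` predicate plus a bound parameter that filters nothing; skipping them with `if v == "" { continue }` keeps the query minimal, as excel_info.go already does with its `v != ""` check. Both points apply unchanged to PurangSearchList in purang_data.go. GprRiskSearchList starts before this hunk.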

+ 11 - 5
controllers/data_manage/purang_data.go

@@ -256,11 +256,15 @@ func (this *BaseFromPurangController) PurangSearchList() {
 		keyWordArr := strings.Split(keyword, " ")
 
 		if len(keyWordArr) > 0 {
-			condition := ""
+			var condition string
+			var pars []interface{}
 			for _, v := range keyWordArr {
-				condition += ` AND CONCAT(index_name,index_code) LIKE '%` + v + `%'`
+				//condition += ` AND CONCAT(index_name,index_code) LIKE '%` + v + `%'`
+				likeKey := `%` + v + `%`
+				condition += ` AND CONCAT(index_name,index_code) LIKE ? `
+				pars = append(pars, likeKey)
 			}
-			list, err = data_manage.GetPurangItemList(condition)
+			list, err = data_manage.GetPurangItemList(condition, pars)
 			if err != nil {
 				br.ErrMsg = "获取失败,Err:" + err.Error()
 				br.Msg = "获取失败"
@@ -269,7 +273,9 @@ func (this *BaseFromPurangController) PurangSearchList() {
 		}
 
 	} else {
-		list, err = data_manage.GetPurangItemList("")
+		var condition string
+		var pars []interface{}
+		list, err = data_manage.GetPurangItemList(condition, pars)
 		if err != nil {
 			br.ErrMsg = "获取失败,Err:" + err.Error()
 			br.Msg = "获取失败"
@@ -1042,4 +1048,4 @@ func (this *BaseFromPurangController) GetFrequency() {
 	br.Success = true
 	br.Msg = "获取成功"
 	br.Data = frequencyList
-} 
+}

+ 13 - 4
controllers/material/material.go

@@ -786,22 +786,31 @@ func (this *MaterialController) List() {
 		switch this.Lang {
 		case utils.LANG_EN:
 			if len(keywordList) == 1 {
-				condition += ` AND  ( material_name_en LIKE '%` + keyword + `%' )`
+				likeKey := `%` + keyword + `%`
+
+				condition += ` AND  ( material_name_en LIKE ? )`
+				pars = append(pars, likeKey)
 			} else {
 				condition += ` AND  (`
 				for _, key := range keywordList {
-					condition += ` material_name_en LIKE '%` + key + `%' AND`
+					likeKey := `%` + key + `%`
+					condition += ` material_name_en LIKE ? AND`
+					pars = append(pars, likeKey)
 				}
 				condition = strings.TrimSuffix(condition, "AND")
 				condition += ` )`
 			}
 		default:
 			if len(keywordList) == 1 {
-				condition += ` AND  ( material_name LIKE '%` + keyword + `%' )`
+				likeKey := `%` + keyword + `%`
+				condition += ` AND  ( material_name LIKE ? )`
+				pars = append(pars, likeKey)
 			} else {
 				condition += ` AND  (`
 				for _, key := range keywordList {
-					condition += ` material_name LIKE '%` + key + `%' AND`
+					likeKey := `%` + key + `%`
+					condition += ` material_name LIKE ? AND `
+					pars = append(pars, likeKey)
 				}
 				condition = strings.TrimSuffix(condition, "AND")
 				condition += ` )`
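Review bot: L146 appends `material_name LIKE ? AND ` with a trailing space, but L149 still trims the suffix `"AND"`, so with two or more keywords in the default branch the condition ends in `AND )` and the query fails; the EN branch at L129 has no trailing space and is trimmed correctly. Change L146 to match L129, i.e. `material_name LIKE ? AND` with no space after `AND`, or trim `"AND "` in both branches. `pars` is not declared within this hunk and List() starts before it, so confirm the slice is passed to the query alongside `condition`.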

+ 6 - 1
controllers/sandbox/sandbox.go

@@ -1727,7 +1727,12 @@ func (this *SandboxController) ListV2() {
 		//pars = append(pars, chartClassifyId)
 	}
 	if keyWord != "" {
-		condition += ` AND  ( name LIKE '%` + keyWord + `%' )`
+
+		//condition += ` AND  ( name LIKE '%` + keyWord + `%' )`
+		likeKey := `%` + keyWord + `%`
+
+		condition += ` AND  name LIKE ? `
+		pars = append(pars, likeKey)
 	}
 
 	//只看我的
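Review bot: L161 keeps the replaced concatenation as a commented-out line, and L160/L163 add blank lines inside a two-statement branch; the old code is preserved in history, so delete the comment and the blank lines. The same leftover comments appear in excel_info.go (L22, L30), purang_data.go (L84), manual_edb.go (L406) and material_classify.go (L424). The new predicate also drops the parentheses the old one had, which is harmless for a single `AND name LIKE ?` term but worth keeping consistent with the other files that retain `( … )`.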

+ 12 - 12
models/data_manage/base_from_gpr_risk.go

@@ -48,10 +48,10 @@ type BaseFromGprRiskIndexList struct {
 }
 
 func (baseFromGprRiskIndexList *BaseFromGprRiskIndexList) AfterFind(tx *gorm.DB) (err error) {
-			baseFromGprRiskIndexList.CreateTime = utils.GormDateStrToDateTimeStr(baseFromGprRiskIndexList.CreateTime)
-			baseFromGprRiskIndexList.ModifyTime = utils.GormDateStrToDateTimeStr(baseFromGprRiskIndexList.ModifyTime)
-			baseFromGprRiskIndexList.StartDate = utils.GormDateStrToDateStr(baseFromGprRiskIndexList.StartDate)
-			baseFromGprRiskIndexList.EndDate = utils.GormDateStrToDateStr(baseFromGprRiskIndexList.EndDate)
+	baseFromGprRiskIndexList.CreateTime = utils.GormDateStrToDateTimeStr(baseFromGprRiskIndexList.CreateTime)
+	baseFromGprRiskIndexList.ModifyTime = utils.GormDateStrToDateTimeStr(baseFromGprRiskIndexList.ModifyTime)
+	baseFromGprRiskIndexList.StartDate = utils.GormDateStrToDateStr(baseFromGprRiskIndexList.StartDate)
+	baseFromGprRiskIndexList.EndDate = utils.GormDateStrToDateStr(baseFromGprRiskIndexList.EndDate)
 	return
 }
 
@@ -180,9 +180,9 @@ func GetGprRiskDataDataTimeByIndexId(indexIdList []int) (items []string, err err
 	}
 	sql := ` SELECT DISTINCT data_time FROM base_from_gpr_risk_data WHERE base_from_gpr_risk_index_id IN (` + utils.GetOrmInReplace(len(indexIdList)) + `) ORDER BY data_time DESC`
 	err = global.DbMap[utils.DbNameIndex].Raw(sql, indexIdList).Find(&items).Error
-		for i, item := range items {
-			items[i] = utils.GormDateStrToDateStr(item)
-		}
+	for i, item := range items {
+		items[i] = utils.GormDateStrToDateStr(item)
+	}
 	return
 }
 
@@ -198,9 +198,9 @@ type BaseFromGprRiskData struct {
 }
 
 func (baseFromGprRiskData *BaseFromGprRiskData) AfterFind(tx *gorm.DB) (err error) {
-			baseFromGprRiskData.ModifyTime = utils.GormDateStrToDateTimeStr(baseFromGprRiskData.ModifyTime)
-			baseFromGprRiskData.CreateTime = utils.GormDateStrToDateTimeStr(baseFromGprRiskData.CreateTime)
-			baseFromGprRiskData.DataTime = utils.GormDateStrToDateStr(baseFromGprRiskData.DataTime)
+	baseFromGprRiskData.ModifyTime = utils.GormDateStrToDateTimeStr(baseFromGprRiskData.ModifyTime)
+	baseFromGprRiskData.CreateTime = utils.GormDateStrToDateTimeStr(baseFromGprRiskData.CreateTime)
+	baseFromGprRiskData.DataTime = utils.GormDateStrToDateStr(baseFromGprRiskData.DataTime)
 	return
 }
 
@@ -223,12 +223,12 @@ type BatchCheckGprRiskEdbReq struct {
 }
 
 // GetGprRiskItemList 模糊查询GprRisk数据库指标列表
-func GetGprRiskItemList(condition string) (items []*BaseFromGprRiskIndexSearchItem, err error) {
+func GetGprRiskItemList(condition string, pars []interface{}) (items []*BaseFromGprRiskIndexSearchItem, err error) {
 	sql := "SELECT * FROM base_from_gpr_risk_index  WHERE 1=1"
 	if condition != "" {
 		sql += condition
 	}
-	err = global.DbMap[utils.DbNameIndex].Raw(sql).Find(&items).Error
+	err = global.DbMap[utils.DbNameIndex].Raw(sql, pars).Find(&items).Error
 	return
 }
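Review bot: L225 passes the slice as one variadic argument, `Raw(sql, pars)`, so the query receives a single `[]interface{}` value rather than one value per `?`; gorm expands a `[]interface{}` argument into a parenthesised `(?,?,…)` list at the first placeholder and leaves any later `?` unbound, so a search with two or more keywords would not execute as intended. Spread the slice with `Raw(sql, pars...)`, which is presumably how the existing helpers taking `pars []interface{}` (e.g. GetEdbInfoSortList) call Raw — confirm against them. The same call is at L378 in base_from_purang.go. A doc line on the new parameter would help callers: `// pars holds one bound value per ? placeholder in condition, in order.`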
 

+ 55 - 55
models/data_manage/base_from_purang.go

@@ -14,39 +14,39 @@ import (
 
 type BaseFromPurangIndex struct {
 	BaseFromPurangIndexId int `orm:"column(base_from_purang_index_id);pk"`
-	ClassifyId             int
-	IndexCode              string
-	IndexName              string
-	Frequency              string
-	Unit                   string
-	Sort                   int
-	StartDate              time.Time `description:"开始日期"`
-	EndDate                time.Time `description:"结束日期"`
-	EndValue               float64
-	CreateTime             time.Time
-	ModifyTime             time.Time
+	ClassifyId            int
+	IndexCode             string
+	IndexName             string
+	Frequency             string
+	Unit                  string
+	Sort                  int
+	StartDate             time.Time `description:"开始日期"`
+	EndDate               time.Time `description:"结束日期"`
+	EndValue              float64
+	CreateTime            time.Time
+	ModifyTime            time.Time
 }
 
 type BaseFromPurangIndexList struct {
 	BaseFromPurangIndexId int `orm:"column(base_from_purang_index_id);pk"`
-	ClassifyId             int
-	Interface              string
-	EdbInfoId              int
-	EdbUniqueCode          string `description:"指标库唯一编码"`
-	EdbClassifyId          int    `description:"指标库分类ID"`
-	StartDate              string
-	EndDate                string
-	EndValue               float64
-	IndexCode              string
-	IndexName              string
-	Frequency              string
-	Unit                   string
-	Sort                   int
-	CreateTime             string
-	ModifyTime             string
-	EdbExist               int                    `description:"指标库是否已添加:0-否;1-是"`
-	DataList               []*BaseFromPurangData `gorm:"-"`
-	Paging                 *paging.PagingItem     `description:"分页数据" gorm:"-"`
+	ClassifyId            int
+	Interface             string
+	EdbInfoId             int
+	EdbUniqueCode         string `description:"指标库唯一编码"`
+	EdbClassifyId         int    `description:"指标库分类ID"`
+	StartDate             string
+	EndDate               string
+	EndValue              float64
+	IndexCode             string
+	IndexName             string
+	Frequency             string
+	Unit                  string
+	Sort                  int
+	CreateTime            string
+	ModifyTime            string
+	EdbExist              int                   `description:"指标库是否已添加:0-否;1-是"`
+	DataList              []*BaseFromPurangData `gorm:"-"`
+	Paging                *paging.PagingItem    `description:"分页数据" gorm:"-"`
 }
 
 func (baseFromPurangIndexList *BaseFromPurangIndexList) AfterFind(tx *gorm.DB) (err error) {
@@ -64,18 +64,18 @@ type BaseFromPurangIndexSearchList struct {
 
 type PurangSingleDataResp struct {
 	BaseFromPurangIndexId int
-	ClassifyId             int
-	EdbInfoId              int
-	IndexCode              string
-	IndexName              string
-	Frequency              string
-	Unit                   string
-	StartTime              string
-	CreateTime             string
-	ModifyTime             string
-	EdbExist               int                  `description:"指标库是否已添加:0-否;1-是"`
-	Data                   []*PurangSingleData `gorm:"-"`
-	Paging                 *paging.PagingItem   `description:"分页数据" gorm:"-"`
+	ClassifyId            int
+	EdbInfoId             int
+	IndexCode             string
+	IndexName             string
+	Frequency             string
+	Unit                  string
+	StartTime             string
+	CreateTime            string
+	ModifyTime            string
+	EdbExist              int                 `description:"指标库是否已添加:0-否;1-是"`
+	Data                  []*PurangSingleData `gorm:"-"`
+	Paging                *paging.PagingItem  `description:"分页数据" gorm:"-"`
 }
 
 type PurangSingleData struct {
@@ -191,12 +191,12 @@ func GetPurangDataDataTimeByIndexId(indexIdList []int) (items []string, err erro
 type BaseFromPurangData struct {
 	BaseFromPurangDataId  int `orm:"column(base_from_purang_data_id);pk"`
 	BaseFromPurangIndexId int
-	IndexCode              string
-	DataTime               string
-	Value                  string
-	CreateTime             string
-	ModifyTime             string
-	DataTimestamp          int64
+	IndexCode             string
+	DataTime              string
+	Value                 string
+	CreateTime            string
+	ModifyTime            string
+	DataTimestamp         int64
 }
 
 func (baseFromPurangData *BaseFromPurangData) AfterFind(tx *gorm.DB) (err error) {
@@ -208,10 +208,10 @@ func (baseFromPurangData *BaseFromPurangData) AfterFind(tx *gorm.DB) (err error)
 
 type BaseFromPurangIndexSearchItem struct {
 	BaseFromPurangIndexId int `orm:"column(base_from_purang_index_id);pk"`
-	ClassifyId             int
-	ParentClassifyId       int
-	IndexCode              string
-	IndexName              string
+	ClassifyId            int
+	ParentClassifyId      int
+	IndexCode             string
+	IndexName             string
 }
 
 // BatchCheckPurangEdbReq 指标数据结构体
@@ -224,12 +224,12 @@ type BatchCheckPurangEdbReq struct {
 }
 
 // GetPurangItemList 模糊查询Purang数据库指标列表
-func GetPurangItemList(condition string) (items []*BaseFromPurangIndexSearchItem, err error) {
+func GetPurangItemList(condition string, pars []interface{}) (items []*BaseFromPurangIndexSearchItem, err error) {
 	sql := "SELECT * FROM base_from_purang_index  WHERE 1=1"
 	if condition != "" {
 		sql += condition
 	}
-	err = global.DbMap[utils.DbNameIndex].Raw(sql).Find(&items).Error
+	err = global.DbMap[utils.DbNameIndex].Raw(sql, pars).Find(&items).Error
 	return
 }
 
@@ -271,7 +271,7 @@ func (item *BaseFromPurangIndex) Update(cols []string) (err error) {
 // EditPurangIndexInfoResp 新增指标的返回
 type EditPurangIndexInfoResp struct {
 	BaseFromPurangIndexId int    `description:"指标ID"`
-	IndexCode              string `description:"指标code"`
+	IndexCode             string `description:"指标code"`
 }
 
 type PurangIndexSource2EdbReq struct {
@@ -289,4 +289,4 @@ func GetPurangFrequencyByClassifyId(classifyId int) (items []*GlFrequency, err e
 	sql += ` GROUP BY frequency ORDER BY frequency ASC `
 	err = global.DbMap[utils.DbNameIndex].Raw(sql, classifyId).Find(&items).Error
 	return
-} 
+}

+ 5 - 1
models/manual_edb.go

@@ -166,7 +166,11 @@ func GetEdbInfoSortList(condition string, pars []interface{}, startSize, pageSiz
 	if orderType == "" {
 		orderType = "DESC"
 	}
-	sql += ` ORDER BY a.` + orderField + ` ` + orderType
+	//sql += ` ORDER BY a.` + orderField + ` ` + orderType
+	sql += ` ORDER BY ? ?`
+
+	pars = append(pars, orderField)
+	pars = append(pars, orderType)
 
 	if pageSize > 0 {
 		sql += ` LIMIT ?,? `
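Review bot: `ORDER BY ? ?` at L407 binds `orderField` and `orderType` as values, not identifiers, so the database sees `ORDER BY 'create_time' 'DESC'` — ordering by a string constant (no ordering at all) followed by a stray literal that is a syntax error in MySQL; placeholders can only carry values, never column names or keywords. The injection in the old line has to be closed by validating both strings against fixed sets and then concatenating as before, including the `a.` prefix the new line dropped; the two `append` calls at L409–L410 go away with it. GetEdbInfoSortList starts before this hunk. A sketch:
```go
// ORDER BY takes identifiers and keywords, which cannot be bound as parameters;
// validate them against fixed sets instead of interpolating user input.
// TODO(review): allowedOrderFields is a package-level map[string]struct{} listing
// the real sortable columns of table a — fill it from the schema.
if _, ok := allowedOrderFields[orderField]; !ok {
	orderField = "DEFAULT_SORT_COLUMN_PLACEHOLDER" // placeholder: use the function's existing default
}
if orderType != "ASC" && orderType != "DESC" {
	orderType = "DESC"
}
sql += ` ORDER BY a.` + orderField + ` ` + orderType
// … unchanged: LIMIT handling …
```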

+ 5 - 2
models/material/material_classify.go

@@ -213,7 +213,10 @@ type SandboxLinkCheckResp struct {
 
 func GetMaterialClassifyByLevelPath(levelPath string) (items []*MaterialClassify, err error) {
 	o := global.DbMap[utils.DbNameReport]
-	sql := `SELECT * FROM material_classify where level_path like '` + levelPath + `%'`
-	err = o.Raw(sql).Find(&items).Error
+	//sql := `SELECT * FROM material_classify where level_path like '` + levelPath + `%'`
+	likeKey := `%` + levelPath + `%`
+	sql := `SELECT * FROM material_classify where level_path LIKE ? `
+
+	err = o.Raw(sql, likeKey).Find(&items).Error
 	return
 }
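Review bot: L425 wraps `levelPath` in `%` on both sides, but the query it replaces (L422) was a prefix match, `level_path like 'levelPath%'`; the leading `%` turns it into a contains match that also returns classifies whose path merely includes the value somewhere and defeats any index on level_path. Keep the original semantics with `likeKey := levelPath + "%"`. As with the other LIKE rewrites in this commit, a `%` or `_` inside levelPath still acts as a wildcard, so escape it if the value can originate from a client.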

+ 6 - 2
services/material/material.go

@@ -527,9 +527,13 @@ func GetBatchSelectedMaterialList(classifyId int, keyword string, isShowMe bool,
 	if keyword != "" {
 		switch lang {
 		case utils.LANG_EN:
-			condition += ` AND  ( material_name_en LIKE '%` + keyword + `%' )`
+			likeKey := `%` + keyword + `%`
+			condition += ` AND  ( material_name_en LIKE ? )`
+			pars = append(pars, likeKey)
 		default:
-			condition += ` AND  ( material_name LIKE '%` + keyword + `%' )`
+			likeKey := `%` + keyword + `%`
+			condition += ` AND  ( material_name LIKE ? )`
+			pars = append(pars, likeKey)
 		}
 	}