
fix:sql注入修复

Roc 1 年之前
父节点
当前提交
b1f0ad972b
共有 37 个文件被更改,包括 180 次插入110 次删除
  1. 2 1
      .gitignore
  2. 2 3
      controllers/cloud_disk.go
  3. 3 3
      controllers/data_manage/com_trade.go
  4. 1 1
      controllers/data_manage/excel_info.go
  5. 1 1
      controllers/data_manage/future_good/future_good_edb_info.go
  6. 5 5
      controllers/data_manage/mysteel_chemical_data.go
  7. 1 1
      controllers/data_manage/supply_analysis/variety.go
  8. 3 4
      controllers/english_report/english_company.go
  9. 3 2
      controllers/english_report/report.go
  10. 1 1
      controllers/ppt_english.go
  11. 1 1
      controllers/ppt_v2.go
  12. 3 2
      controllers/report.go
  13. 2 2
      controllers/report_author.go
  14. 8 4
      controllers/sandbox/sandbox.go
  15. 1 1
      controllers/semantic_analysis/sa_compare.go
  16. 2 1
      controllers/sys_admin.go
  17. 2 3
      controllers/sys_role_admin.go
  18. 3 2
      controllers/target.go
  19. 27 12
      models/classify.go
  20. 2 2
      models/data_manage/baiinfo_data.go
  21. 1 1
      models/data_manage/base_from_eia_stero.go
  22. 5 5
      models/data_manage/chart_info.go
  23. 3 2
      models/data_manage/coal_data.go
  24. 6 4
      models/data_manage/edb_info.go
  25. 3 2
      models/data_manage/gl_data.go
  26. 3 3
      models/data_manage/sci_data.go
  27. 2 2
      models/data_manage/smm_data.go
  28. 2 2
      models/data_source/longzhong.go
  29. 18 14
      models/english_report.go
  30. 2 1
      models/english_report_email.go
  31. 2 2
      models/report_chapter_ticker.go
  32. 15 7
      models/target.go
  33. 4 4
      services/data/edb_info.go
  34. 3 1
      services/data/manual.go
  35. 4 5
      services/ppt/ppt_english_group.go
  36. 3 3
      services/ppt/ppt_group.go
  37. 31 0
      utils/common.go

+ 2 - 1
.gitignore

@@ -16,4 +16,5 @@
 /static/images/*.svg
 eta_api.exe
 eta_api.exe~
-/static/tmpFile/*
+/static/tmpFile/*
+etalogs/

+ 2 - 3
controllers/cloud_disk.go

@@ -794,11 +794,10 @@ func (this *CloudDiskController) List() {
 	resourcePars := make([]interface{}, 0)
 	if keyword != "" {
 		// 有关键词时全局搜索
-		kw := "%" + keyword + "%"
 		menuCond += ` AND menu_name LIKE ? `
-		menuPars = append(menuPars, kw)
+		menuPars = append(menuPars, utils.GetLikeKeyword(keyword))
 		resourceCond += ` AND resource_name LIKE ? `
-		resourcePars = append(resourcePars, kw)
+		resourcePars = append(resourcePars, utils.GetLikeKeyword(keyword))
 	} else {
 		menuCond += ` AND parent_id = ? `
 		menuPars = append(menuPars, menuId)

+ 3 - 3
controllers/data_manage/com_trade.go

@@ -1,11 +1,11 @@
 package data_manage
 
 import (
-	"fmt"
-	"github.com/rdlucklib/rdluck_tools/paging"
 	"eta/eta_api/models"
 	"eta/eta_api/models/data_manage"
 	"eta/eta_api/utils"
+	"fmt"
+	"github.com/rdlucklib/rdluck_tools/paging"
 	"time"
 )
 
@@ -236,7 +236,7 @@ func (this *EdbInfoController) ComTradeList() {
 	keyword := this.GetString("Keyword")
 	if keyword != `` {
 		condition += ` AND ( index_name_cn like ? or index_code like ? ) `
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	list, err := data_manage.GetComTradeIndexList(condition, pars)

+ 1 - 1
controllers/data_manage/excel_info.go

@@ -284,7 +284,7 @@ func (c *ExcelInfoController) List() {
 	}
 	if keyword != "" {
 		condition += ` AND  ( excel_name LIKE ? )`
-		pars = append(pars, `%`+keyword+`%`)
+		pars = utils.GetLikeKeywordPars(pars, keyword, 1)
 	}
 	if adminId > 0 {
 		condition += " AND sys_user_id = ? "

+ 1 - 1
controllers/data_manage/future_good/future_good_edb_info.go

@@ -42,7 +42,7 @@ func (this *FutureGoodEdbInfoController) FutureGoodEdbInfoList() {
 	keyword := this.GetString("Keyword")
 	if keyword != `` {
 		condition += ` AND ( future_good_edb_name like ? or future_good_edb_code like ? ) `
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	// @Param   RegionType   query   string  false       "交易所来源,海外还是国内"

+ 5 - 5
controllers/data_manage/mysteel_chemical_data.go

@@ -345,7 +345,7 @@ func (this *EdbInfoController) MysteelChemicalSearch() {
 	keyword := this.GetString("Keyword")
 	if keyword != `` {
 		condition += " AND (index_name like ? OR index_code like ?) "
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	list, err := data_manage.GetMysteelChemicalIndex(condition, pars)
@@ -417,7 +417,7 @@ func (this *EdbInfoController) MysteelChemicalFrequency() {
 	keyword := this.GetString("Keyword")
 	if keyword != `` {
 		condition += " AND (index_name like ? OR index_code like ?) "
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	edbFrequencyList := make([]string, 0)
@@ -518,7 +518,7 @@ func (this *EdbInfoController) MysteelChemicalData() {
 	keyword := this.GetString("Keyword")
 	if keyword != `` {
 		condition += " AND (index_name like ? OR index_code like ?) "
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	//获取指标
@@ -599,7 +599,7 @@ func (this *EdbClassifyController) MysteelChemicalExport() {
 	keyword := this.GetString("Keyword")
 	if keyword != `` {
 		condition += " AND (index_name like ? OR index_code like ?) "
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	var frequencies []string
@@ -640,7 +640,7 @@ func (this *EdbClassifyController) MysteelChemicalExport() {
 		keyword := this.GetString("Keyword")
 		if keyword != `` {
 			tmpCondition += " AND (index_name like ? OR index_code like ?) "
-			tmpPars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+			pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 		}
 		//获取指标
 		secNameList, err := data_manage.GetMysteelChemicalIndex(tmpCondition, tmpPars)
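Review bot: The new line `pars = utils.GetLikeKeywordPars(pars, keyword, 2)` in this second MysteelChemicalExport hunk assigns to `pars`, whereas the removed line assigned `tmpPars` and the query two lines below still passes `tmpPars`. As written, `tmpCondition` gains two `?` placeholders whose values never reach `GetMysteelChemicalIndex`, and `pars` itself grows every time this block runs (the indentation suggests it sits inside a loop). It should read `tmpPars = utils.GetLikeKeywordPars(pars, keyword, 2)`, assuming the helper appends to and returns the slice as the old `append` did; its definition is not visible here. The enclosing function starts and ends outside the hunk.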

+ 1 - 1
controllers/data_manage/supply_analysis/variety.go

@@ -57,7 +57,7 @@ func (this *VarietyController) List() {
 
 	if keyword != `` {
 		condition += ` AND (a.variety_name like ? OR c.edb_code like ? ) `
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	// 是否超管

+ 3 - 4
controllers/english_report/english_company.go

@@ -2,14 +2,14 @@ package english_report
 
 import (
 	"encoding/json"
-	"fmt"
-	"github.com/rdlucklib/rdluck_tools/paging"
 	"eta/eta_api/controllers"
 	"eta/eta_api/models"
 	"eta/eta_api/models/system"
 	"eta/eta_api/services"
 	"eta/eta_api/services/alarm_msg"
 	"eta/eta_api/utils"
+	"fmt"
+	"github.com/rdlucklib/rdluck_tools/paging"
 	"strconv"
 	"strings"
 	"time"
@@ -62,8 +62,7 @@ func (this *EnglishCompanyController) List() {
 	var cond, order string
 	var pars []interface{}
 	if keywords != "" {
-		k := "%" + keywords + "%"
-		companyIds, e := models.GetEnCompanyIdsByKeyword(k)
+		companyIds, e := models.GetEnCompanyIdsByKeyword(keywords)
 		if e != nil {
 			br.Msg = "获取失败"
 			br.ErrMsg = "关键词获取英文客户IDs失败, Err: " + e.Error()

+ 3 - 2
controllers/english_report/report.go

@@ -361,7 +361,8 @@ func (this *EnglishReportController) ListReport() {
 	var pars []interface{}
 
 	if keyWord != "" {
-		condition += ` AND (title LIKE '%` + keyWord + `%' OR admin_real_name LIKE '%` + keyWord + `%' ) `
+		condition += ` AND (title LIKE ? OR admin_real_name LIKE ? ) `
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 2)
 	}
 
 	if timeType == "" {
@@ -1056,7 +1057,7 @@ func (this *EnglishReportController) Author() {
 
 	if keyword != `` {
 		condition += ` AND report_author like ? `
-		pars = append(pars, "%"+keyword+"%")
+		pars = append(pars, utils.GetLikeKeyword(keyword))
 	}
 
 	_, items, err := models.GetReportAuthorList(condition, pars, 0, 10000)

+ 1 - 1
controllers/ppt_english.go

@@ -68,7 +68,7 @@ func (this *PptEnglishController) ListPpt() {
 
 	if keyWord != "" {
 		condition += ` AND (title LIKE ? OR admin_real_name LIKE ? ) `
-		pars = append(pars, "%"+keyWord+"%", "%"+keyWord+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 2)
 	}
 	total, err := ppt_english.GetPptEnglishListCount(condition, pars)
 

+ 1 - 1
controllers/ppt_v2.go

@@ -69,7 +69,7 @@ func (this *PptV2Controller) ListPpt() {
 
 	if keyWord != "" {
 		condition += ` AND (title LIKE ? OR admin_real_name LIKE ? ) `
-		pars = append(pars, "%"+keyWord+"%", "%"+keyWord+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 2)
 	}
 	total, err := models.GetPptV2ListCount(condition, pars)
 	if err != nil {

+ 3 - 2
controllers/report.go

@@ -93,7 +93,8 @@ func (this *ReportController) ListReport() {
 	var pars []interface{}
 
 	if keyWord != "" {
-		condition += ` AND (title LIKE '%` + keyWord + `%' OR admin_real_name LIKE '%` + keyWord + `%' ) `
+		condition += ` AND (title LIKE ? OR admin_real_name LIKE ? ) `
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 2)
 	}
 	if startDate != "" {
 		condition += ` AND ` + timeType + ` >= ? `
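Review bot: The `startDate` branch at the end of this hunk still concatenates `timeType` into the condition as a column name, directly below the keyword predicate that was just moved to placeholders. Where `timeType` is assigned is not visible in the hunk; if it is read from the request, a `?` placeholder cannot bind an identifier, so the value needs to be compared against a fixed set of permitted column names (falling back to a default) before it is used. A short comment such as `// timeType is restricted to known column names above` next to the concatenation would make the guarantee explicit. ListReport continues outside the hunk.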
@@ -986,7 +987,7 @@ func (this *ReportController) Author() {
 
 	if keyword != `` {
 		condition += ` AND report_author like ? `
-		pars = append(pars, "%"+keyword+"%")
+		pars = append(pars, utils.GetLikeKeyword(keyword))
 	}
 
 	_, items, err := models.GetReportAuthorList(condition, pars, 0, 10000)

+ 2 - 2
controllers/report_author.go

@@ -2,9 +2,9 @@ package controllers
 
 import (
 	"encoding/json"
-	"github.com/rdlucklib/rdluck_tools/paging"
 	"eta/eta_api/models"
 	"eta/eta_api/utils"
+	"github.com/rdlucklib/rdluck_tools/paging"
 	"strings"
 	"time"
 )
@@ -57,7 +57,7 @@ func (this *ReportAuthorController) Author() {
 
 	if keyword != `` {
 		condition += ` AND report_author like ? `
-		pars = append(pars, "%"+keyword+"%")
+		pars = append(pars, utils.GetLikeKeyword(keyword))
 	}
 
 	total, items, err := models.GetReportAuthorList(condition, pars, startSize, pageSize)

+ 8 - 4
controllers/sandbox/sandbox.go

@@ -62,7 +62,8 @@ func (this *SandboxController) List() {
 	}
 
 	if keyword != "" {
-		condition += ` AND  ( a.name LIKE '%` + keyword + `%'  OR  b.name LIKE '%` + keyword + `%' )`
+		condition += ` AND  ( a.name LIKE ? OR  b.name LIKE ? )`
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	//获取指标信息
@@ -176,7 +177,8 @@ func (this *SandboxController) FirstVersionList() {
 	condition += " AND b.curr_version < a.curr_version "
 
 	if keyword != "" {
-		condition += ` AND  ( a.name LIKE '%` + keyword + `%'  OR  b.name LIKE '%` + keyword + `%' )`
+		condition += ` AND  ( a.name LIKE ?  OR  b.name LIKE ? )`
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 
 	//获取指标信息
@@ -249,7 +251,8 @@ func (this *SandboxController) VersionList() {
 	condition += " AND b.curr_version < a.curr_version "
 
 	if keyWord != "" {
-		condition += ` AND  ( a.op_user_name LIKE '%` + keyWord + `%'  OR  a.name LIKE '%` + keyWord + `%' or a.op_user_name LIKE '%` + keyWord + `%'  OR  a.name LIKE '%` + keyWord + `%' )`
+		condition += ` AND  ( a.op_user_name LIKE ? OR  a.name LIKE ? or a.op_user_name LIKE ? OR  a.name LIKE ? )`
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 4)
 	}
 
 	//获取指标信息
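Review bot: The VersionList predicate repeats the same two columns twice, carried over from the old concatenated string, so it now binds four identical values where two would do. `condition += ` followed by ` AND ( a.op_user_name LIKE ? OR a.name LIKE ? )` with `pars = utils.GetLikeKeywordPars(pars, keyWord, 2)` is equivalent and is easier to keep in sync, since the count argument has to match the number of `?` by hand. If one of the repeated columns was meant to be a different column, that is worth correcting here as well. The function body continues outside the hunk.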
@@ -786,7 +789,8 @@ func (this *SandboxController) ListByQuote() {
 	}
 
 	if keyword != "" {
-		condition += ` AND  ( a.name LIKE '%` + keyword + `%'  OR  b.name LIKE '%` + keyword + `%' OR  a.chart_permission_name LIKE '%` + keyword + `%' )`
+		condition += ` AND  ( a.name LIKE ?  OR  b.name LIKE ? OR  a.chart_permission_name LIKE ? )`
+		pars = utils.GetLikeKeywordPars(pars, keyword, 3)
 	}
 
 	//获取指标信息

+ 1 - 1
controllers/semantic_analysis/sa_compare.go

@@ -698,7 +698,7 @@ func (this *SaCompareController) Search() {
 	existPars := make([]interface{}, 0)
 	if keyword != "" {
 		existCond += ` AND  ( title LIKE ? )`
-		existPars = append(existPars, `%`+keyword+`%`)
+		existPars = append(existPars, utils.GetLikeKeyword(keyword))
 	}
 	total, list, err = saCompare.GetPageItemsByCondition(startSize, pageSize, existCond, existPars, []string{}, "")
 	if err != nil && err.Error() != utils.ErrNoRow() {

+ 2 - 1
controllers/sys_admin.go

@@ -76,7 +76,8 @@ func (this *SysAdminController) ListSysuser() {
 	}
 
 	if keyWord != "" {
-		condition += ` AND (real_name LIKE '%` + keyWord + `%' OR admin_name LIKE '%` + keyWord + `%' OR mobile LIKE '%` + keyWord + `%' )  `
+		condition += ` AND (real_name LIKE ? OR admin_name LIKE ? OR mobile LIKE ? ) `
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 3)
 	}
 
 	var total int

+ 2 - 3
controllers/sys_role_admin.go

@@ -2,12 +2,12 @@ package controllers
 
 import (
 	"encoding/json"
-	"github.com/rdlucklib/rdluck_tools/paging"
 	"eta/eta_api/models"
 	"eta/eta_api/models/system"
 	"eta/eta_api/models/system/request"
 	"eta/eta_api/models/system/response"
 	"eta/eta_api/utils"
+	"github.com/rdlucklib/rdluck_tools/paging"
 	"strconv"
 	"strings"
 	"time"
@@ -75,9 +75,8 @@ func (this *SysRoleAdminController) List() {
 
 	reqKeyword := this.GetString("Keyword")
 	if reqKeyword != "" {
-		reqKeyword = "%" + reqKeyword + "%"
 		condition += " AND (a.real_name LIKE ? OR a.mobile LIKE ?)"
-		pars = append(pars, reqKeyword, reqKeyword)
+		pars = utils.GetLikeKeywordPars(pars, reqKeyword, 2)
 	}
 	adminList, err := system.GetRoleAdminList(condition, pars, startSize, pageSize)
 	if err != nil {

+ 3 - 2
controllers/target.go

@@ -81,7 +81,8 @@ func (this *TargetController) DataList() {
 	var pars []interface{}
 
 	if keyWord != "" {
-		condition += ` AND a.SEC_NAME LIKE '%` + keyWord + `%' `
+		condition += ` AND a.SEC_NAME LIKE ? `
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 1)
 	}
 	if startDate != "" {
 		condition += ` AND c.DT >= ? `
@@ -3485,7 +3486,7 @@ func (this *TargetController) ExcelDataAdd() {
 					valueListMap[index] = valueMap["m"].(string)
 
 					// 09-27 千位分隔符时用 "m" 取字符串存数据库会把逗号当小数点,现在换用 "v" 直接取数字再转为字符串,看看会不会有问题
-					if ct, ok := valueMap["ct"].(map[string]interface{}); ok{
+					if ct, ok := valueMap["ct"].(map[string]interface{}); ok {
 						fa, _ := ct["fa"]
 						if fa == "#,##0.000" {
 							value = valueMap["v"]

+ 27 - 12
models/classify.go

@@ -214,17 +214,19 @@ func GetClassifyList(startSize, pageSize int, keyWord, companyType string, hideD
 	} else if companyType == "权益" {
 		companyTypeSqlStr = " AND (id = 40 or parent_id = 40)  "
 	}
+	pars := make([]interface{}, 0)
 	if keyWord != "" {
 		sql = `SELECT * FROM (
                    SELECT * FROM classify
-                   WHERE parent_id=0 ` + companyTypeSqlStr + `  AND classify_name LIKE '%` + keyWord + `%'
+                   WHERE parent_id=0 ` + companyTypeSqlStr + `  AND classify_name LIKE ?
                    UNION
                    SELECT * FROM classify
-                   WHERE id IN(SELECT parent_id FROM classify
-                   WHERE parent_id>0 ` + companyTypeSqlStr + `  AND classify_name LIKE '%` + keyWord + `%')
+                   WHERE id IN( SELECT parent_id FROM classify
+                   WHERE parent_id>0 ` + companyTypeSqlStr + `  AND classify_name LIKE ? )
                    )AS t
                    ORDER BY sort ASC,create_time ASC
                    LIMIT ?,? `
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 2)
 	} else {
 		sql = `SELECT * FROM classify WHERE parent_id=0 ` + companyTypeSqlStr
 		if hideDayWeek == 1 {
@@ -232,8 +234,10 @@ func GetClassifyList(startSize, pageSize int, keyWord, companyType string, hideD
 		}
 		sql += ` ORDER BY sort ASC, create_time ASC LIMIT ?,? `
 	}
+	pars = append(pars, startSize, pageSize)
+
 	o := orm.NewOrmUsingDB("rddp")
-	_, err = o.Raw(sql, startSize, pageSize).QueryRows(&items)
+	_, err = o.Raw(sql, pars...).QueryRows(&items)
 	return
 }
 
@@ -246,16 +250,19 @@ func GetClassifyListCount(keyWord, companyType string, hideDayWeek int) (count i
 	} else if companyType == "权益" {
 		companyTypeSqlStr = " AND (id = 40 or parent_id = 40)  "
 	}
+
+	pars := make([]interface{}, 0)
+
 	if keyWord != "" {
 		sqlCount = `SELECT  COUNT(1) AS count FROM (
                SELECT * FROM classify
-               WHERE parent_id=0 ` + companyTypeSqlStr + `  AND classify_name LIKE '%` + keyWord + `%'
+               WHERE parent_id=0 ` + companyTypeSqlStr + `  AND classify_name LIKE ?
                UNION
                SELECT * FROM classify
                WHERE id IN(SELECT parent_id FROM classify
-               WHERE parent_id>0 ` + companyTypeSqlStr + `  AND classify_name LIKE '%` + keyWord + `%')
+               WHERE parent_id>0 ` + companyTypeSqlStr + `  AND classify_name LIKE ? )
                )AS t `
-
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 2)
 	} else {
 		sqlCount = `SELECT COUNT(1) AS count FROM classify WHERE parent_id=0 ` + companyTypeSqlStr
 		if hideDayWeek == 1 {
@@ -263,7 +270,7 @@ func GetClassifyListCount(keyWord, companyType string, hideDayWeek int) (count i
 		}
 	}
 	o := orm.NewOrmUsingDB("rddp")
-	err = o.Raw(sqlCount).QueryRow(&count)
+	err = o.Raw(sqlCount, pars...).QueryRow(&count)
 	return
 }
 
@@ -292,12 +299,16 @@ type FindByIdClassifyReq struct {
 func GetClassifyChild(parentId int, keyWord string) (items []*Classify, err error) {
 	o := orm.NewOrmUsingDB("rddp")
 	sql := ``
+	pars := make([]interface{}, 0)
 	if keyWord != "" {
-		sql = `SELECT * FROM classify WHERE parent_id=? AND classify_name LIKE '%` + keyWord + `%' ORDER BY create_time ASC `
+		sql = `SELECT * FROM classify WHERE classify_name LIKE ? AND parent_id=? ORDER BY create_time ASC `
+		pars = append(pars, utils.GetLikeKeyword(keyWord))
 	} else {
 		sql = `SELECT * FROM classify WHERE parent_id=? ORDER BY create_time ASC `
 	}
-	_, err = o.Raw(sql, parentId).QueryRows(&items)
+	pars = append(pars, parentId)
+	_, err = o.Raw(sql, pars...).QueryRows(&items)
+
 	return
 }
 
@@ -308,12 +319,16 @@ func GetClassifyChildByParentIds(parentId []int, keyWord string) (items []*Class
 	}
 	o := orm.NewOrmUsingDB("rddp")
 	sql := ``
+	pars := make([]interface{}, 0)
+	pars = append(pars, parentId)
 	if keyWord != "" {
-		sql = `SELECT * FROM classify WHERE parent_id IN (` + utils.GetOrmInReplace(parentIdLen) + `) AND classify_name LIKE '%` + keyWord + `%' ORDER BY create_time ASC `
+		sql = `SELECT * FROM classify WHERE parent_id IN (` + utils.GetOrmInReplace(parentIdLen) + `) AND classify_name LIKE ? ORDER BY create_time ASC `
+		pars = append(pars, utils.GetLikeKeyword(keyWord))
 	} else {
 		sql = `SELECT * FROM classify WHERE parent_id IN (` + utils.GetOrmInReplace(parentIdLen) + `) ORDER BY create_time ASC `
 	}
-	_, err = o.Raw(sql, parentId).QueryRows(&items)
+	_, err = o.Raw(sql, pars...).QueryRows(&items)
+
 	return
 }
 

+ 2 - 2
models/data_manage/baiinfo_data.go

@@ -138,8 +138,8 @@ func GetBaiinfoIndexDataCount(indexCode string) (count int, err error) {
 // GetBaiinfoItemList 模糊查询Baiinfo数据库指标列表
 func GetBaiinfoItemList(keyword string) (items []*BaiinfoIndex, err error) {
 	o := orm.NewOrmUsingDB("data")
-	sql := "SELECT * FROM base_from_baiinfo_index WHERE CONCAT(index_name,index_code) LIKE '%" + keyword + "%'"
-	_, err = o.Raw(sql).QueryRows(&items)
+	sql := "SELECT * FROM base_from_baiinfo_index WHERE CONCAT(index_name,index_code) LIKE ? "
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword)).QueryRows(&items)
 	return
 }
 

+ 1 - 1
models/data_manage/base_from_eia_stero.go

@@ -134,7 +134,7 @@ func GetEiaSteoIndexDataList(indexCode string, startSize, pageSize int) (items [
 func GetEiaSteoItemList(keyword string) (items []*BaseFromEiaSteoIndexItem, err error) {
 	o := orm.NewOrmUsingDB("data")
 	sql := "SELECT * FROM base_from_eia_steo_index WHERE index_name LIKE ?  OR index_code like ?"
-	_, err = o.Raw(sql, `%`+keyword+`%`, `%`+keyword+`%`).QueryRows(&items)
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword), utils.GetLikeKeyword(keyword)).QueryRows(&items)
 	return
 }
 

+ 5 - 5
models/data_manage/chart_info.go

@@ -1102,15 +1102,15 @@ func ChartInfoExist(condition, edbInfoIdStr string) (count int, err error) {
 	return
 }
 
-func ChartInfoSearchByKeyWord(KeyWord string, showSysId int) (searchList []*ChartInfo, err error) {
+func ChartInfoSearchByKeyWord(keyword string, showSysId int) (searchList []*ChartInfo, err error) {
 	o := orm.NewOrmUsingDB("data")
 	sql := ` SELECT * FROM chart_info WHERE 1=1 `
 
 	var pars []interface{}
 
-	if KeyWord != "" {
+	if keyword != "" {
 		sql += `AND chart_name LIKE ?  `
-		pars = append(pars, "%"+KeyWord+"%")
+		pars = append(pars, utils.GetLikeKeyword(keyword))
 	}
 
 	if showSysId > 0 {
@@ -1118,7 +1118,7 @@ func ChartInfoSearchByKeyWord(KeyWord string, showSysId int) (searchList []*Char
 		pars = append(pars, showSysId)
 	}
 	sql += ` ORDER BY create_time DESC `
-	if KeyWord == "" {
+	if keyword == "" {
 		sql += ` LIMIT 100 `
 	}
 	_, err = o.Raw(sql, pars).QueryRows(&searchList)
@@ -1847,4 +1847,4 @@ func EditChartInfoExtraConfig(chartId int, extraConfig string) (err error) {
 	}
 
 	return
-}
+}

+ 3 - 2
models/data_manage/coal_data.go

@@ -1,6 +1,7 @@
 package data_manage
 
 import (
+	"eta/eta_api/utils"
 	"fmt"
 	"github.com/beego/beego/v2/client/orm"
 )
@@ -15,8 +16,8 @@ type BaseFromCoalmineMapping struct {
 // GetCoalItemList 模糊查询Smm数据库指标列表
 func GetCoalItemList(keyword string) (items []*BaseFromCoalmineMapping, err error) {
 	o := orm.NewOrmUsingDB("data")
-	sql := "SELECT * FROM base_from_coalmine_mapping WHERE CONCAT(index_name,index_code) LIKE '%" + keyword + "%'"
-	_, err = o.Raw(sql).QueryRows(&items)
+	sql := "SELECT * FROM base_from_coalmine_mapping WHERE CONCAT(index_name,index_code) LIKE ? "
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword)).QueryRows(&items)
 	return
 }
 

+ 6 - 4
models/data_manage/edb_info.go

@@ -432,14 +432,16 @@ type ChartEdbInfo struct {
 	EdbNameAlias string `json:"-" description:"指标名称,别名"`
 }
 
-func EdbInfoSearchByKeyWord(KeyWord string) (searchList []*ChartEdbInfo, err error) {
+func EdbInfoSearchByKeyWord(keyword string) (searchList []*ChartEdbInfo, err error) {
+	pars := make([]interface{}, 0)
 	o := orm.NewOrmUsingDB("data")
 	sql := ` SELECT edb_info_id,edb_name,source_name FROM edb_info WHERE 1=1 AND edb_info_type = 0  `
-	if KeyWord != "" {
-		sql += ` AND (edb_name LIKE '%` + KeyWord + `%' OR edb_code LIKE '%` + KeyWord + `%' ) `
+	if keyword != "" {
+		sql += ` AND (edb_name LIKE ? OR edb_code LIKE ? ) `
+		pars = append(pars, utils.GetLikeKeyword(keyword), utils.GetLikeKeyword(keyword))
 	}
 	sql += ` ORDER BY create_time DESC `
-	_, err = o.Raw(sql).QueryRows(&searchList)
+	_, err = o.Raw(sql, pars...).QueryRows(&searchList)
 
 	return
 }

+ 3 - 2
models/data_manage/gl_data.go

@@ -1,6 +1,7 @@
 package data_manage
 
 import (
+	"eta/eta_api/utils"
 	"github.com/beego/beego/v2/client/orm"
 	"github.com/rdlucklib/rdluck_tools/paging"
 )
@@ -125,8 +126,8 @@ type GlSearchIndex struct {
 // GetGlItemList 模糊查询隆众数据库指标列表
 func GetGlItemList(keyword string) (items []*GlSearchIndex, err error) {
 	o := orm.NewOrmUsingDB("gl")
-	sql := "SELECT * FROM mb_index_main_info WHERE CONCAT(INDEX_NAME,INDEX_CODE) LIKE '%" + keyword + "%'"
-	_, err = o.Raw(sql).QueryRows(&items)
+	sql := "SELECT * FROM mb_index_main_info WHERE CONCAT(INDEX_NAME,INDEX_CODE) LIKE ? "
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword)).QueryRows(&items)
 	return
 
 }

+ 3 - 3
models/data_manage/sci_data.go

@@ -1,9 +1,9 @@
 package data_manage
 
 import (
+	"eta/eta_api/utils"
 	"github.com/beego/beego/v2/client/orm"
 	"github.com/rdlucklib/rdluck_tools/paging"
-	"eta/eta_api/utils"
 )
 
 type SciClassify struct {
@@ -138,8 +138,8 @@ func GetSciIndexDataCount(indexCode string) (count int, err error) {
 // GetSciItemList 模糊查询Sci数据库指标列表
 func GetSciItemList(keyword string) (items []*SciIndex, err error) {
 	o := orm.NewOrmUsingDB("data")
-	sql := "SELECT * FROM base_from_sci_index WHERE CONCAT(index_name,index_code) LIKE '%" + keyword + "%'"
-	_, err = o.Raw(sql).QueryRows(&items)
+	sql := "SELECT * FROM base_from_sci_index WHERE CONCAT(index_name,index_code) LIKE ? "
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword)).QueryRows(&items)
 	return
 }
 

+ 2 - 2
models/data_manage/smm_data.go

@@ -138,8 +138,8 @@ func GetSmmIndexDataCount(indexCode string) (count int, err error) {
 // GetSmmItemList 模糊查询Smm数据库指标列表
 func GetSmmItemList(keyword string) (items []*SmmIndex, err error) {
 	o := orm.NewOrmUsingDB("data")
-	sql := "SELECT * FROM base_from_smm_index WHERE CONCAT(index_name,index_code) LIKE '%" + keyword + "%'"
-	_, err = o.Raw(sql).QueryRows(&items)
+	sql := "SELECT * FROM base_from_smm_index WHERE CONCAT(index_name,index_code) LIKE ? "
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword)).QueryRows(&items)
 	return
 }
 

+ 2 - 2
models/data_source/longzhong.go

@@ -167,8 +167,8 @@ func GetLongzhongSurveyDataById(lzInfoId int) (items []*LongzhongSurveyData, err
 func GetLzItemList(keyword string) (items []*data_manage.LongzhongSurveyProduct, err error) {
 	o := orm.NewOrmUsingDB("edb")
 
-	sql := "SELECT * FROM longzhong_survey_product WHERE CONCAT(sample_name,breed_name,custom,quota_name,lz_code) LIKE '%" + keyword + "%'"
-	_, err = o.Raw(sql).QueryRows(&items)
+	sql := "SELECT * FROM longzhong_survey_product WHERE CONCAT(sample_name,breed_name,custom,quota_name,lz_code) LIKE ? "
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword)).QueryRows(&items)
 	return
 
 }

+ 18 - 14
models/english_report.go

@@ -419,21 +419,21 @@ type EnglishClassifyListResp struct {
 }
 
 // GetEnglishClassifyRootId 获取一级分类列表
-func GetEnglishClassifyRootId(startSize, pageSize int, keyWord string) (items []*EnglishClassifyList, err error) {
+func GetEnglishClassifyRootId(startSize, pageSize int, keyword string) (items []*EnglishClassifyList, err error) {
 	sql := ``
 	o := orm.NewOrmUsingDB("rddp")
-	if keyWord != "" {
+	if keyword != "" {
 		sql = `SELECT * FROM (
 			                   SELECT * FROM english_classify
-                   WHERE parent_id=0 AND classify_name LIKE '%` + keyWord + `%'
+                   WHERE parent_id=0 AND classify_name ?
                    UNION
                    SELECT * FROM english_classify
                    WHERE id IN(SELECT parent_id FROM english_classify
-                   WHERE parent_id>0 AND classify_name LIKE '%` + keyWord + `%')
+                   WHERE parent_id>0 AND classify_name LIKE ?)
                    )AS t
                    ORDER BY sort ASC,create_time ASC
                    LIMIT ?,? `
-		_, err = o.Raw(sql, startSize, pageSize).QueryRows(&items)
+		_, err = o.Raw(sql, utils.GetLikeKeyword(keyword), utils.GetLikeKeyword(keyword), startSize, pageSize).QueryRows(&items)
 	} else {
 		sql = `SELECT * FROM english_classify WHERE parent_id=0 ORDER BY sort ASC,create_time ASC LIMIT ?,? `
 		_, err = o.Raw(sql, startSize, pageSize).QueryRows(&items)
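Review bot: The first branch of the UNION in GetEnglishClassifyRootId lost its operator: the new line reads `WHERE parent_id=0 AND classify_name ?`, so the statement will fail to parse whenever a keyword is supplied. It should be `WHERE parent_id=0 AND classify_name LIKE ?`, matching the second branch and GetEnglishClassifyListCount in the next hunk. The argument order in the `o.Raw` call (two LIKE values, then `startSize` and `pageSize`) already fits the corrected text.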
@@ -441,19 +441,19 @@ func GetEnglishClassifyRootId(startSize, pageSize int, keyWord string) (items []
 	return
 }
 
-func GetEnglishClassifyListCount(keyWord string) (count int, err error) {
+func GetEnglishClassifyListCount(keyword string) (count int, err error) {
 	sqlCount := ``
 	o := orm.NewOrmUsingDB("rddp")
-	if keyWord != "" {
+	if keyword != "" {
 		sqlCount = `SELECT  COUNT(1) AS count FROM (
                SELECT * FROM english_classify
-               WHERE parent_id=0 AND classify_name LIKE '%` + keyWord + `%'
+               WHERE parent_id=0 AND classify_name LIKE ?
                UNION
                SELECT * FROM english_classify
                WHERE id IN(SELECT parent_id FROM english_classify
-               WHERE parent_id>0 AND classify_name LIKE '%` + keyWord + `%')
+               WHERE parent_id>0 AND classify_name LIKE ?)
                )AS t `
-		err = o.Raw(sqlCount).QueryRow(&count)
+		err = o.Raw(sqlCount, utils.GetLikeKeyword(keyword), utils.GetLikeKeyword(keyword)).QueryRow(&count)
 	} else {
 		sqlCount = `SELECT COUNT(1) AS count FROM english_classify WHERE parent_id=0`
 		err = o.Raw(sqlCount).QueryRow(&count)
@@ -462,18 +462,22 @@ func GetEnglishClassifyListCount(keyWord string) (count int, err error) {
 	return
 }
 
-func GetEnglishClassifyListByRootId(rootIds []int, keyWord string) (items []*EnglishClassifyList, err error) {
+func GetEnglishClassifyListByRootId(rootIds []int, keyword string) (items []*EnglishClassifyList, err error) {
 	sql := ``
+	pars := make([]interface{}, 0)
+
 	o := orm.NewOrmUsingDB("rddp")
-	if keyWord != "" {
+	if keyword != "" {
 		sql = `SELECT
 	a.*
 FROM
 	english_classify a
 	LEFT JOIN english_classify b ON a.root_id = b.id
 	LEFT JOIN english_classify c ON a.parent_id = c.id
-	WHERE a.parent_id>0 and a.classify_name LIKE '%` + keyWord + `%' and a.root_id IN (` + utils.GetOrmInReplace(len(rootIds)) + `)`
-		_, err = o.Raw(sql, rootIds).QueryRows(&items)
+	WHERE a.parent_id>0 and a.classify_name LIKE ? and a.root_id IN (` + utils.GetOrmInReplace(len(rootIds)) + `)`
+		pars = append(pars, utils.GetLikeKeyword(keyword))
+		pars = append(pars, rootIds)
+		_, err = o.Raw(sql, pars).QueryRows(&items)
 	} else {
 		sql = `SELECT * FROM english_classify WHERE parent_id>0 and root_id IN (` + utils.GetOrmInReplace(len(rootIds)) + `) `
 		_, err = o.Raw(sql, rootIds).QueryRows(&items)

+ 2 - 1
models/english_report_email.go

@@ -1,6 +1,7 @@
 package models
 
 import (
+	"eta/eta_api/utils"
 	"github.com/beego/beego/v2/client/orm"
 	"github.com/rdlucklib/rdluck_tools/paging"
 	"time"
@@ -289,6 +290,6 @@ func GetEnCompanyIdsByKeyword(keyword string) (companyIds []int, err error) {
 			JOIN english_company AS b ON a.company_id = b.company_id AND b.is_deleted = 0
 			WHERE
 				a.is_deleted = 0 AND a.status = 1 AND (a.email LIKE ? OR a.mobile LIKE ? OR b.company_name LIKE ?)`
-	_, err = o.Raw(sql, keyword, keyword, keyword).QueryRows(&companyIds)
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword), utils.GetLikeKeyword(keyword), utils.GetLikeKeyword(keyword)).QueryRows(&companyIds)
 	return
 }

+ 2 - 2
models/report_chapter_ticker.go

@@ -1,6 +1,7 @@
 package models
 
 import (
+	"eta/eta_api/utils"
 	"github.com/beego/beego/v2/client/orm"
 	"time"
 )
@@ -61,8 +62,7 @@ func GetDailyBaseColumnList(keyword string, typeId int) (list []*DailyBaseColumn
 	sql := ` SELECT * FROM daily_base_column WHERE 1 = 1 `
 	pars := make([]interface{}, 0)
 	if keyword != "" {
-		keyword = "%" + keyword + "%"
-		pars = append(pars, keyword)
+		pars = append(pars, utils.GetLikeKeyword(keyword))
 		sql += ` AND base_column_name like ? `
 	}
 	pars = append(pars, typeId)

+ 15 - 7
models/target.go

@@ -300,13 +300,16 @@ func EditEdbinfo(tradeCode, secName, unit, frequency, noticeTime string, classif
 
 func SearchTargetEntry(classifyId int, keyWord string) (items []*Edbinfo, err error) {
 	where := ""
+	pars := make([]interface{}, 0)
+	sql := `SELECT * FROM edbinfo WHERE LEFT(TRADE_CODE,1)='W' AND REMARK='手动' AND classify_id>0 AND classify_id=? `
+	pars = append(pars, classifyId)
 	if keyWord != "" {
-		where = `AND SEC_NAME LIKE '%` + keyWord + `%'`
+		sql += `AND SEC_NAME LIKE ? `
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 1)
 	}
-	sql := `SELECT * FROM edbinfo WHERE LEFT(TRADE_CODE,1)='W' AND REMARK='手动' AND classify_id>0 AND classify_id=? `
 	sql += where
 	o := orm.NewOrmUsingDB("edb")
-	_, err = o.Raw(sql, classifyId).QueryRows(&items)
+	_, err = o.Raw(sql, pars...).QueryRows(&items)
 	return
 }
 
@@ -484,7 +487,8 @@ func GetDataListForExport(startDate, endDate, frequency, keyWord string, classif
 	where := ``
 	var pars []interface{}
 	if keyWord != "" {
-		where = ` AND SEC_NAME LIKE '%` + keyWord + `%`
+		where = ` AND SEC_NAME LIKE ? `
+		pars = utils.GetLikeKeywordPars(pars, keyWord, 1)
 	}
 	if startDate != "" {
 		where += ` AND create_date>=? `
@@ -1192,6 +1196,8 @@ type EdbInfoItem struct {
 func GetTargetItemList(classifyId, edbShowType int, frequency, keyword, tradeCode string, classifyIdStrList []string) (items []*EdbInfoItem, err error) {
 	o := orm.NewOrmUsingDB("edb")
 
+	pars := make([]interface{}, 0)
+
 	sql := ` SELECT a.*,'' modify_date,'' STATUS FROM edbinfo AS a `
 	if edbShowType != 0 {
 		sql = ` SELECT a.*,b.DT,'' modify_date,'' STATUS FROM edbinfo AS a 
@@ -1215,7 +1221,8 @@ left join edbdata b on a.TRADE_CODE=b.TRADE_CODE `
 	}
 	//关键字
 	if keyword != "" {
-		sql += ` AND (a.SEC_NAME like "%` + keyword + `%"  or a.TRADE_CODE like "%` + keyword + `%" )`
+		sql += ` AND (a.SEC_NAME like ?  or a.TRADE_CODE like ? )`
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 	//指定指标
 	if tradeCode != "" {
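Review bot: The two `?` placeholders added to the keyword branch only work if `pars` reaches the statement that runs the query, and no visible hunk of models/target.go touches that call in GetTargetItemList. The file's 15 additions and 7 deletions are all accounted for by the hunks shown, so the `o.Raw(...)` call further down (outside this hunk) is presumably unchanged. If it does not pass `pars`, every keyword search would fail on a placeholder/argument mismatch. In that case it should become something like `_, err = o.Raw(sql, pars...).QueryRows(&items)`, with values appended to `pars` in the same order as the `?` marks. The `tradeCode` branch that opens on the last line here continues outside the hunk; if it still concatenates the value into `sql`, it needs the same parameterisation.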
@@ -1240,8 +1247,9 @@ left join edbdata b on a.TRADE_CODE=b.TRADE_CODE `
 func GetLzItemList(keyword string) (items []*data_manage.LongzhongSurveyProduct, err error) {
 	o := orm.NewOrmUsingDB("edb")
 
-	sql := "SELECT * FROM longzhong_survey_product WHERE CONCAT(sample_name,breed_name,custom,quota_name,lz_code) LIKE '%" + keyword + "%'"
-	_, err = o.Raw(sql).QueryRows(&items)
+	sql := "SELECT * FROM longzhong_survey_product WHERE CONCAT(sample_name,breed_name,custom,quota_name,lz_code) LIKE ?"
+	_, err = o.Raw(sql, utils.GetLikeKeyword(keyword)).QueryRows(&items)
+
 	return
 
 }

+ 4 - 4
services/data/edb_info.go

@@ -1985,7 +1985,7 @@ func GetMoveEdbChartList(source, userId int, keyword, classify string, startSize
 	case 1: //手工数据指标
 		if keyword != "" {
 			condition += ` AND (a.SEC_NAME LIKE ? OR a.TRADE_CODE like ? ) `
-			pars = append(pars, `%`+keyword+`%`, `%`+keyword+`%`)
+			pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 		}
 		if userId > 0 {
 			condition += ` AND a.user_id = ? `
@@ -2036,7 +2036,7 @@ func GetMoveEdbChartList(source, userId int, keyword, classify string, startSize
 	case 2: //钢联化工数据库
 		if keyword != `` {
 			condition += " AND (index_name like ? OR index_code like ? OR sys_user_real_name like ? ) "
-			pars = append(pars, "%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%")
+			pars = utils.GetLikeKeywordPars(pars, keyword, 3)
 		}
 		if userId > 0 {
 			condition += ` AND sys_user_id = ? `
@@ -2070,7 +2070,7 @@ func GetMoveEdbChartList(source, userId int, keyword, classify string, startSize
 	case 3, 4: //ETA指标库、ETA预测指标
 		if keyword != `` {
 			condition += " AND (edb_code like ? OR edb_name like ? OR sys_user_real_name like ? ) "
-			pars = append(pars, "%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%")
+			pars = utils.GetLikeKeywordPars(pars, keyword, 3)
 		}
 		if userId > 0 {
 			condition += ` AND sys_user_id = ? `
@@ -2110,7 +2110,7 @@ func GetMoveEdbChartList(source, userId int, keyword, classify string, startSize
 	case 5: //图库
 		if keyword != `` {
 			condition += " AND (chart_name like ?  OR sys_user_real_name like ? ) "
-			pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+			pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 		}
 		if userId > 0 {
 			condition += ` AND sys_user_id = ? `

+ 3 - 1
services/data/manual.go

@@ -3,6 +3,7 @@ package data
 import (
 	"eta/eta_api/models/data_manage"
 	"eta/eta_api/models/system"
+	"eta/eta_api/utils"
 	"fmt"
 )
 
@@ -25,7 +26,8 @@ func GetManualSysUser(keyWord string) (list []*data_manage.ManualSysUser, err er
 		var pars []interface{}
 
 		if keyWord != "" {
-			condition += ` AND (real_name LIKE '%` + keyWord + `%' OR admin_name LIKE '%` + keyWord + `%' OR mobile LIKE '%` + keyWord + `%' )  `
+			condition += ` AND (real_name LIKE ? OR admin_name LIKE ? OR mobile LIKE ? )  `
+			pars = utils.GetLikeKeywordPars(pars, keyWord, 3)
 		}
 		sysUsers, err := system.GetSysUserItems(condition, pars)
 		if err != nil {

+ 4 - 5
services/ppt/ppt_english_group.go

@@ -807,10 +807,9 @@ func SearchGroupPptEnglish(keyWord string) (ret ppt_english.RespSearchGroupPptLi
 	//组装group ppt
 	list := make([]*ppt_english.RespSearchGroupPptListItem, 0)
 	ret.List = list
-	reqKeyword := "%" + keyWord + "%"
 	condition := " and title like ? "
 	var pars []interface{}
-	pars = append(pars, reqKeyword)
+	pars = append(pars, utils.GetLikeKeyword(keyWord))
 	pptList, err := ppt_english.GetPptEnglishByCondition(condition, pars)
 	if err != nil {
 		err = errors.New("查询ppt列表出错:" + err.Error())
@@ -1204,7 +1203,7 @@ func GetMyPptEnglishList(adminId int, keyword string) (ret ppt_english.RespGroup
 
 	if keyword != `` {
 		condition += ` AND (title LIKE ? OR admin_real_name LIKE ? ) `
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 	pptList, err := ppt_english.GetAllPptEnglishList(condition, pars)
 
@@ -1261,7 +1260,7 @@ func GetSharePptEnglishList(adminId int, keyword string, isPrivate bool) (ret pp
 	}
 	if keyword != `` {
 		condition += ` AND (title LIKE ? OR admin_real_name LIKE ? ) `
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 	pptList, err := ppt_english.GetAllPptEnglishList(condition, pars)
 
@@ -1318,7 +1317,7 @@ func GetGrantPptEnglishList(adminId int, keyword, sourceType string) (ret ppt_en
 
 	if keyword != `` {
 		condition += ` AND a.title LIKE ? `
-		pars = append(pars, "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 1)
 	}
 
 	pptList, err := ppt_english.GetGrantList(condition, pars)

+ 3 - 3
services/ppt/ppt_group.go

@@ -1548,7 +1548,7 @@ func GetMyPptList(adminId int, keyword string) (ret models.RespGroupPptList, err
 
 	if keyword != `` {
 		condition += ` AND (title LIKE ? OR admin_real_name LIKE ? ) `
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 	pptList, err := models.GetAllPptV2List(condition, pars)
 
@@ -1606,7 +1606,7 @@ func GetSharePptList(adminId int, keyword string, isPrivate bool) (ret models.Re
 	}
 	if keyword != `` {
 		condition += ` AND (title LIKE ? OR admin_real_name LIKE ? ) `
-		pars = append(pars, "%"+keyword+"%", "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 2)
 	}
 	pptList, err := models.GetAllPptV2List(condition, pars)
 
@@ -1664,7 +1664,7 @@ func GetGrantPptList(adminId int, keyword, sourceType string) (ret models.RespGr
 
 	if keyword != `` {
 		condition += ` AND a.title LIKE ? `
-		pars = append(pars, "%"+keyword+"%")
+		pars = utils.GetLikeKeywordPars(pars, keyword, 1)
 	}
 
 	pptList, err := models.GetGrantList(condition, pars)

+ 31 - 0
utils/common.go

@@ -2141,3 +2141,34 @@ func DealDateTimeZero(t time.Time, format string) (timeStr string) {
 	}
 	return
 }
+
+// GetLikeKeyword
+//
+//	@Description: 获取sql查询中的like查询字段
+//	@author: Roc
+//	@datetime2023-10-23 14:46:32
+//	@param keyword string
+//	@return string
+func GetLikeKeyword(keyword string) string {
+	return `%` + keyword + `%`
+}
+
+// GetLikeKeywordPars
+//
+//	@Description: 获取sql查询中的参数切片
+//	@author: Roc
+//	@datetime2023-10-23 14:50:18
+//	@param pars []interface{}
+//	@param keyword string
+//	@param num int
+//	@return newPars []interface{}
+func GetLikeKeywordPars(pars []interface{}, keyword string, num int) (newPars []interface{}) {
+	newPars = pars
+	if newPars == nil {
+		newPars = make([]interface{}, 0)
+	}
+	for i := 1; i <= num; i++ {
+		newPars = append(newPars, `%`+keyword+`%`)
+	}
+	return
+}
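Review bot: `%` and `_` inside the keyword still act as LIKE wildcards in `GetLikeKeyword` and `GetLikeKeywordPars`, so binding the value closes the injection but a search for `_` or `%` matches every row. If literal matching is intended, escape them before wrapping, e.g. `strings.NewReplacer("\\", "\\\\", "%", "\\%", "_", "\\_").Replace(keyword)`; this assumes the database uses backslash as its LIKE escape character and that `strings` is imported in this file, neither of which the hunk shows. `GetLikeKeywordPars` should call `GetLikeKeyword(keyword)` instead of repeating the concatenation, so the two helpers cannot drift apart: `newPars = append(newPars, GetLikeKeyword(keyword))`. The `newPars == nil` branch is unnecessary because `append` accepts a nil slice. The doc comment should state that `num` is the number of `?` placeholders the pattern is appended for.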