|
@@ -53,7 +53,7 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
response.setContentType("text/html;charset=UTF-8");
|
|
|
//操作失败处理
|
|
|
if (!"".equals(ErrorMessage)) {
|
|
|
- queryResult = "[{\"IsSuc\":\"" + "Fault" + "\",\"Msg\":\"" + ErrorMessage.replaceAll("'"," ").replaceAll("\\\\","\\\\\\\\") + "\",\"AllCount\":\"" + 0 + "\",\"pageIndex\":\"" + 0 + "\",\"CurrCount\":\"1\",\"pkid\":\"\",\"data\":" + "[{}]" + "}]";
|
|
|
+ queryResult = "[{\"IsSuc\":\"" + "Fault" + "\",\"Msg\":\"" + ErrorMessage.replaceAll("'", " ").replaceAll("\\\\", "\\\\\\\\") + "\",\"AllCount\":\"" + 0 + "\",\"pageIndex\":\"" + 0 + "\",\"CurrCount\":\"1\",\"pkid\":\"\",\"data\":" + "[{}]" + "}]";
|
|
|
String res = "Fault";
|
|
|
try {
|
|
|
res = queryResult.substring(11, 17);
|
|
@@ -77,8 +77,8 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
res = AnalyseSql.substring(0, 299);
|
|
|
}
|
|
|
//日志记录
|
|
|
- String sqlStr = " insert into " + tableName_Log + " (token,操作,传输数据,操作表,备注,result,sqlstr,ip) "
|
|
|
- + "values ('" + token + "','" + operation + "','" + variable + "','" + tablename + "','" + queryResult + "','" + res + "','" + AnalyseSql + "','" + ip + "')";
|
|
|
+ String sqlStr = " INSERT INTO MIDDB.\" " + tableName_Log + "\" (TOKEN,操作,传输数据,操作表,备注,RESULT,SQLSTR,IP) "
|
|
|
+ + "VALUES ('" + token + "','" + operation + "','" + variable + "','" + tablename + "','" + queryResult + "','" + res + "','" + AnalyseSql + "','" + ip + "')";
|
|
|
String Result_RZ = dbUtilSqlServer.UpadteDataBase(sqlStr);
|
|
|
//日志插入失败 再次插入
|
|
|
try {
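Review bot: The new log INSERT's quoted identifier carries a stray space — `MIDDB.\" " + tableName_Log + "\"` yields `MIDDB." <name>"`, and because a quoted identifier keeps leading whitespace the statement targets a differently named table; the second log statement (the `@@ -260` hunk) writes `MIDDB.\"" + tableName_Log + "\"` without the space and is presumably the intended form, so this line should read `String sqlStr = " INSERT INTO MIDDB.\"" + tableName_Log + "\" (TOKEN,操作,传输数据,操作表,备注,RESULT,SQLSTR,IP) "`. Beyond that, both log statements still splice the eight values into the SQL text: `AnalyseSql` contains single quotes by construction (the `convert(varchar(19),'…',121)` fragment in the `@@ -178` hunk) and `queryResult` and `ip` receive no quote doubling at all, so the log write can fail or be altered by the very data it records, and the retry under `//日志插入失败 再次插入` would mask that. Binding the values as `PreparedStatement` parameters removes the problem at the root; that requires `dbUtilSqlServer.UpadteDataBase` to accept parameters, which is not visible here. The enclosing method begins and ends outside the hunk.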
|
|
@@ -115,13 +115,13 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
}
|
|
|
variable = variable.replaceAll(" ", "+");
|
|
|
Base64 base64 = new Base64();
|
|
|
- variable = new String(base64.decode(variable), "utf-8").replaceAll("'","''"); //接口传参base64解析
|
|
|
+ variable = new String(base64.decode(variable), "utf-8").replaceAll("'", "''"); //接口传参base64解析
|
|
|
JSONObject jsonObject = new JSONObject(); //字符串转json
|
|
|
JSONObject jsonObjData = JSON.parseObject(variable);
|
|
|
token = jsonObjData.getString("token");
|
|
|
operation = jsonObjData.getString("operation").toLowerCase();
|
|
|
tablename = jsonObjData.getString("tablename");
|
|
|
- if (tablename.toLowerCase().contains("select") || tablename.toLowerCase().contains("insert") || tablename.toLowerCase().contains("update")
|
|
|
+ if (tablename.toLowerCase().contains("select") || tablename.toLowerCase().contains("insert") || tablename.toLowerCase().contains("update ")
|
|
|
|| tablename.toLowerCase().contains("delete") || tablename.toLowerCase().contains("create") || tablename.toLowerCase().contains("drop")
|
|
|
|| tablename.toLowerCase().contains("alter")) {
|
|
|
ErrorMessage = "SQL注入非法请求!!!";
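Review bot: The keyword check on `tablename` is loosened by `contains("update ")` — a name containing `update` with no trailing space now passes, while `select`, `insert`, `delete`, `create`, `drop` and `alter` in the same condition keep the bare form — and `tablename` is later concatenated straight into `update MIDDB.`, `delete from MIDDB.` and `select count(1) total from MIDDB.` (the `@@ -178`, `@@ -201` and `@@ -217` hunks), so this blacklist is the only control on an identifier position where the earlier `replaceAll("'", "''")` on `variable` gives no protection. A keyword blacklist is not a dependable guard for an identifier; validate `tablename` against the set of tables this service is meant to expose, or at minimum require it to match a strict identifier pattern (letters, digits and underscore only, widened if the schema uses non-ASCII names) and reject otherwise, which also removes the false positives on legitimate names containing `update` that the trailing space is presumably meant to avoid. The same `contains("alter ")` loosening appears on `field2` and `value2` in the `@@ -153` hunk. Hoisting `String lowered = tablename.toLowerCase();` once instead of calling it seven times inside the condition would also make the test readable. The enclosing method continues outside the hunk.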
|
|
@@ -153,14 +153,14 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
String field2 = primary.split(",")[n].toLowerCase();
|
|
|
if (field2.toLowerCase().contains("select") || field2.toLowerCase().contains("insert") || field2.toLowerCase().contains("update")
|
|
|
|| field2.toLowerCase().contains("delete") || field2.toLowerCase().contains("create") || field2.toLowerCase().contains("drop")
|
|
|
- || field2.toLowerCase().contains("alter")) {
|
|
|
+ || field2.toLowerCase().contains("alter ")) {
|
|
|
ErrorMessage = "SQL注入非法请求!!!";
|
|
|
return "";
|
|
|
}
|
|
|
String value2 = where.split(",")[n].toLowerCase();
|
|
|
if (value2.toLowerCase().contains("select") || value2.toLowerCase().contains("insert") || value2.toLowerCase().contains("update")
|
|
|
|| value2.toLowerCase().contains("delete") || value2.toLowerCase().contains("create") || value2.toLowerCase().contains("drop")
|
|
|
- || value2.toLowerCase().contains("alter")) {
|
|
|
+ || value2.toLowerCase().contains("alter ")) {
|
|
|
ErrorMessage = "SQL注入非法请求!!!";
|
|
|
return "";
|
|
|
}
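Review bot: `field2` and `value2` are already lowercased where they are declared (`primary.split(",")[n].toLowerCase()` and `where.split(",")[n].toLowerCase()`), so the seven further `.toLowerCase()` calls in each condition are redundant and obscure the actual test; `field2.contains("alter ")` reads as intended. `value2` is a WHERE value — data rather than an identifier — and a keyword blacklist there rejects legitimate values that happen to contain those words while still not being a reliable guard; a value belongs in a bound parameter, not in the statement text. `where.split(",")[n]` is indexed by the loop variable derived from `primary`; if `where` has fewer comma-separated entries than `primary`, this line throws `ArrayIndexOutOfBoundsException` instead of taking the `ErrorMessage` path, so a length check before the loop (whose header is outside the hunk) seems warranted.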
|
|
@@ -178,7 +178,7 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
String FieldsList = "";
|
|
|
//构建SQL语句
|
|
|
if (field.split(",").length == fieldtype.split(",").length && field.split(",").length == values.split("&;@", -1).length) {//判断field,fieldtype,values长度是否一致
|
|
|
- updateStr = "update " + tablename + " set ";
|
|
|
+ updateStr = "update MIDDB." + tablename + " set ";
|
|
|
for (int j = 0; j < fieldtypeArray.length; j++) {
|
|
|
if ("date".equals(fieldtypeArray[j].toString())) {
|
|
|
updateStr += field.split(",")[j] + " = convert(varchar(19),'" + values.split("&;@", -1)[j] + "',121),";
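Review bot: The schema prefix `MIDDB.` is now hard-coded as a literal in five statements across this diff (this hunk, `@@ -201`, `@@ -217`, and the two log inserts at `@@ -77` and `@@ -260`); a `private static final String SCHEMA = "MIDDB.";` constant — or a configured value, since the log statements already take their table name from `tableName_Log` — would keep them from drifting, and the two log inserts already disagree on spacing. In the same statement `tablename` is still placed into `update MIDDB.` unescaped; if the identifier validation suggested for `@@ -115` is not adopted, bracket-quoting it as an identifier (`"[" + tablename.replace("]", "]]") + "]"`) would at least make the statement structure independent of its content. `field.split(",")` and `values.split("&;@", -1)` are re-split on every loop iteration; splitting once before the loop into two local arrays is cheaper and clearer. The enclosing block continues outside the hunk.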
|
|
@@ -201,15 +201,15 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
insertValuesStr = insertValuesStr.substring(0, insertValuesStr.length() - 1);
|
|
|
FieldsList = FieldsList.substring(0, FieldsList.length() - 1);
|
|
|
}
|
|
|
- deleteStr = "delete from " + tablename;
|
|
|
- insertStr = " insert into " + tablename + "(" + FieldsList + ")" + "values(" + insertValuesStr + ")";
|
|
|
+ deleteStr = "delete from MIDDB." + tablename;
|
|
|
+ insertStr = " insert into MIDDB." + tablename + "(" + FieldsList + ")" + "values(" + insertValuesStr + ")";
|
|
|
|
|
|
switch (operation) {
|
|
|
case "insert":
|
|
|
AnalyseSql = insertStr + ";";
|
|
|
break;
|
|
|
case "update":
|
|
|
- updateStr += " ,createtime=getdate() "; //2022-10-14修改
|
|
|
+ updateStr += " ,CREATETIME=getdate() "; //2022-10-14修改
|
|
|
AnalyseSql = updateStr + whereStr + ";";
|
|
|
break;
|
|
|
case "delete":
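Review bot: `deleteStr = "delete from MIDDB." + tablename` carries no WHERE of its own; `whereStr` is appended only in the `delete` case (`AnalyseSql = deleteStr + whereStr + ";"` in the `@@ -217` hunk), so if `whereStr` can be empty — its construction is outside this hunk — the request deletes the whole table. A guard before the switch such as `if (whereStr.isBlank()) { ErrorMessage = "缺少where条件"; return ""; }` would make an unqualified delete impossible regardless of how `whereStr` is built. The `createtime` → `CREATETIME` rename is a no-op under a case-insensitive collation but matters on a case-sensitive one; if the target schema is now case-sensitive, the other column names in `updateStr`, which come straight from `field` in the `@@ -178` hunk, would need the same normalisation, and this commit does not do that.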
|
|
@@ -217,7 +217,7 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
AnalyseSql = deleteStr + whereStr + ";";
|
|
|
break;
|
|
|
case "select":
|
|
|
- AnalyseSql = " select count(1) total from " + tablename + " " + whereStr;
|
|
|
+ AnalyseSql = " select count(1) total from MIDDB." + tablename + " " + whereStr;
|
|
|
break;
|
|
|
}
|
|
|
} else {
|
|
@@ -260,7 +260,7 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
res = AnalyseSql.substring(0, 299);
|
|
|
}
|
|
|
//日志记录
|
|
|
- String sqlStr = " insert into " + tableName_Log + " (token,操作,传输数据,操作表,备注,result,sqlstr,ip) values ('" + token + "','" + operation + "','" + variable + "','" + tablename + "','" + queryResult + "','" + res + "','" + AnalyseSql + "','" + ip + "')";
|
|
|
+ String sqlStr = " INSERT INTO MIDDB.\"" + tableName_Log + "\" (TOKEN,操作,传输数据,操作表,备注,RESULT,SQLSTR,IP) VALUES ('" + token + "','" + operation + "','" + variable + "','" + tablename + "','" + queryResult + "','" + res + "','" + AnalyseSql + "','" + ip + "')";
|
|
|
|
|
|
String Result_RZ = dbUtilSqlServer.UpadteDataBase(sqlStr);
|
|
|
//日志插入失败 再次插入
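Review bot: This log INSERT is a verbatim copy of the one in the `@@ -77` hunk (same column list, same eight concatenated values), differing only by the stray space inside that hunk's quoted identifier; extracting a `private String buildLogInsert(String token, String operation, String variable, String tablename, String queryResult, String res, String analyseSql, String ip)` helper called from both sites would keep the two statements in step. The value-concatenation concern raised on the `@@ -77` hunk applies here unchanged. The enclosing method continues outside the hunk.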
|
|
@@ -274,7 +274,7 @@ public class WSForSqlServiceImpl extends Thread implements WSForSqlService {
|
|
|
}
|
|
|
} catch (Exception ex) {
|
|
|
ex.printStackTrace();
|
|
|
- ErrorMessage = ex.toString().replaceAll("'"," ").replaceAll("\\\\","\\\\\\\\") + ex.getMessage().replaceAll("'"," ").replaceAll("\\\\","\\\\\\\\");
|
|
|
+ ErrorMessage = ex.toString().replaceAll("'", " ").replaceAll("\\\\", "\\\\\\\\") + ex.getMessage().replaceAll("'", " ").replaceAll("\\\\", "\\\\\\\\");
|
|
|
return "";
|
|
|
// queryResult = "[{\"IsSuc\":\""+"Fault"+"\",\"Msg\":\""+exception+"\",\"AllCount\":\""+0+"\",\"pageIndex\":\""+0+"\",\"CurrCount\":\"1\",\"pkid\":\"\",\"data\":"+"[{}]"+"}]" ;
|
|
|
// String res = "Fault";
|