Fixed the SQL Injection issue.
m0ver committed Oct 2, 2022
1 parent 32c4427 commit 6ef0aab
Showing 1 changed file with 14 additions and 22 deletions.
36 changes: 14 additions & 22 deletions src/main/java/custom/application/search.java
Expand Up @@ -194,32 +194,24 @@ public Object query(String query) throws ApplicationException {
return this;
}

StringBuffer condition = new StringBuffer();
StringBuilder condition = new StringBuilder();
int i = 0, j, k = 0;
String _keyword;
String[] _keywords = new String[keywords.length];
while (i < keywords.length) {
_keyword = keywords[i];
if (_keyword.trim().length() > 0) {
if (condition.length() == 0) {
condition.append(" bible.content like '%" + _keyword + "%' ");
} else {
condition.append(" AND bible.content like '%" + _keyword + "%' ");
/*
* if(true)
* condition.append(" AND bible.content like '%"+keywords[i]+"%' ");
* else
* condition.append(" OR bible.content like '%"+keywords[i]+"%' ");
*/
}
_keywords[i] = "%" + keywords[i] + "%";
if (condition.length() == 0) {
condition.append(" bible.content like ? ");
} else {
condition.append(" AND bible.content like ? ");
}
i++;
}

Locale locale = this.getLocale();
if (condition.length() == 0)
condition.append(" book.language='" + locale + "' ");
condition.append(" book.language='").append(locale).append("' ");
else
condition.append(" AND book.language='" + locale + "' ");
condition.append(" AND book.language='").append(locale).append("' ");

book book = new book();
bible bible = new bible();
Expand All @@ -240,7 +232,7 @@ public Object query(String query) throws ApplicationException {
+ " as bible left join " + book.getTableName()
+ " as book on bible.book_id=book.book_id where " + condition;

Table vtable = bible.find(SQL, new Object[]{});
Table vtable = bible.find(SQL, _keywords);
boolean noResult = vtable.size() > 0;

if (!noResult && query.length() > 0) {
Expand All @@ -266,7 +258,7 @@ public Object query(String query) throws ApplicationException {
}
}

Row found = bible.findOne(look, new Object[]{});
Row found = bible.findOne(look, _keywords);

long startTime = System.currentTimeMillis();
Pager pager = new Pager();
Expand All @@ -277,7 +269,7 @@ public Object query(String query) throws ApplicationException {
Field field;
int next = pager.getStartIndex();// 此位置即为当前页的第一条记录的ID

html.append("<ol class=\"searchresults\" start=\"" + next + "\">\r\n");
html.append("<ol class=\"searchresults\" start=\"").append(next).append("\">\r\n");

String finded, word;
Row row;
Expand Down Expand Up @@ -349,7 +341,7 @@ public Object query(String query) throws ApplicationException {
html.append("<div class=\"pagination\" style=\"cursor:default\">"
+ pager.getPageControlBar(actionURL) + "</div>\r\n");
html.append("<!-- "
+ String.valueOf(System.currentTimeMillis() - startTime) + " -->");
+ (System.currentTimeMillis() - startTime) + " -->");

int start = page - 1 == 0 ? 1 : (page - 1) * pageSize + 1, end = page
* pageSize;
Expand Down Expand Up @@ -381,7 +373,7 @@ public Object query(String query) throws ApplicationException {
}

public String feed(String query) throws ApplicationException {
StringBuffer xml = new StringBuffer();
StringBuilder xml = new StringBuilder();
String finded = "";
String[] keywords;
boolean noResult = true;
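Review bot: The new `_keywords` array is allocated to `keywords.length` but only filled inside the `_keyword.trim().length() > 0` guard, so a blank keyword leaves a `null` slot with no matching `?`, and `bible.find(SQL, _keywords)` then passes more bound values than there are placeholders (what happens next depends on how `find` binds them, but a `null` bound to the first `like ?` would match nothing and shift every later keyword); collecting the values in a list and calling `toArray` keeps parameters and placeholders in step, as below. The `book.language='...'` clause is still assembled by concatenating `getLocale()`; if that locale can be influenced by the request it should be bound as a `?` too, bearing in mind that `findOne(look, _keywords)` further down reuses the same array and `look` is built outside this hunk. Note also that `%` and `_` inside a keyword remain LIKE wildcards after parameterisation, so a query consisting of `%` alone still matches every row. `query` starts at the first hunk header and continues past the last hunk, and the list-based version needs `java.util.List`/`ArrayList` in scope if they are not already imported.
```java
// … unchanged: early return when the query is empty …
StringBuilder condition = new StringBuilder();
List<String> params = new ArrayList<>(keywords.length);
for (String kw : keywords) {
    if (kw.trim().length() > 0) {
        // exactly one bound value per "?" appended, so blank keywords leave no gap
        params.add("%" + kw + "%");
        condition.append(condition.length() == 0 ? " bible.content like ? " : " AND bible.content like ? ");
    }
}
String[] _keywords = params.toArray(new String[0]);
// … unchanged: locale clause, SQL assembly, bible.find(SQL, _keywords) …
```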
