
SQL注入 考试管理修改

xiexh 10 bulan lalu
b1e7261653

+ 49 - 47
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/components/sqlzdy/Service/SwdlServiceImpl.java

@@ -210,37 +210,37 @@ public class SwdlServiceImpl extends GenericProvider implements SwdlService {
             stringObjectHashMap.put("limit", map.get("limit"));
             stringObjectHashMap.put("startPage", map.get("startPage"));
             stringObjectHashMap.put("locationId", getDiDian());
-            Map param = (Map) map.get("param");
-            Map mapOrder = (Map)map.get("order");
-            String kaoShiMingChen = (String) param.get("kaoShiMingChen");
-       /*     ArrayList kaoShiLeiXingList = (ArrayList) param.get("kaoShiLeiXing");
-            String sKaoShiLeiXing = String.join(",", kaoShiLeiXingList);
-            stringObjectHashMap.put("kaoShiLeiXing",sKaoShiLeiXing);*/
-            if(BeanUtils.isNotEmpty(param.get("kaoShiLeiXing"))){
-                stringObjectHashMap.put("kaoShiLeiXing", String.join(",", (ArrayList)param.get("kaoShiLeiXing")));
+            if(BeanUtils.isNotEmpty(map.get("param"))){
+                Map param = (Map) map.get("param");
+                String kaoShiMingChen = (String) param.get("kaoShiMingChen");
+                if(BeanUtils.isNotEmpty(param.get("kaoShiLeiXing"))){
+                    stringObjectHashMap.put("kaoShiLeiXing", String.join(",", (ArrayList)param.get("kaoShiLeiXing")));
+                }
+                if(BeanUtils.isNotEmpty(param.get("zhuangTai"))){
+                    stringObjectHashMap.put("zhuangTai", String.join(",", (ArrayList)param.get("zhuangTai")));
+                }
+                if(BeanUtils.isNotEmpty(param.get("tiKuId"))){
+                    stringObjectHashMap.put("tiKuId", String.join(",", (ArrayList)param.get("tiKuId")));
+                }
+                stringObjectHashMap.put("kaoShiMingChen",kaoShiMingChen);
+                stringObjectHashMap.put("chuangJianShiJUp",param.get("chuangJianShiJ^S"));
+                stringObjectHashMap.put("chuangJianShiJLower",param.get("chuangJianShiJ^E"));
+                stringObjectHashMap.put("faBuShiJianUp",param.get("faBuShiJian^S"));
+                stringObjectHashMap.put("faBuShiJianLower",param.get("faBuShiJian^E"));
             }
-            if(BeanUtils.isNotEmpty(param.get("zhuangTai"))){
-                stringObjectHashMap.put("zhuangTai", String.join(",", (ArrayList)param.get("zhuangTai")));
+            if(BeanUtils.isNotEmpty(map.get("sort"))){
+                Map mapOrder = (Map)map.get("sort");
+                if(BeanUtils.isNotEmpty(mapOrder.get("chuangJianShiJ"))){
+                    stringObjectHashMap.put("cjsj",(String) mapOrder.get("chuangJianShiJ"));
+                }else{
+                    stringObjectHashMap.put("cjsj",(String) "desc");
+                }
+                if(BeanUtils.isNotEmpty(mapOrder.get("faBuShiJian"))){
+                    stringObjectHashMap.put("fbsj",(String) mapOrder.get("faBuShiJian"));
+                }else{
+                    stringObjectHashMap.put("fbsj",(String) "desc");
+                }
             }
-            if(BeanUtils.isNotEmpty(param.get("tiKuId"))){
-                stringObjectHashMap.put("tiKuId", String.join(",", (ArrayList)param.get("tiKuId")));
-            }
-            stringObjectHashMap.put("kaoShiMingChen",kaoShiMingChen);
-            stringObjectHashMap.put("chuangJianShiJUp",param.get("chuangJianShiJ_Up"));
-            stringObjectHashMap.put("chuangJianShiJLower",param.get("chuangJianShiJ_Lower"));
-            stringObjectHashMap.put("faBuShiJianUp",param.get("faBuShiJian_Up"));
-            stringObjectHashMap.put("faBuShiJianLower",param.get("faBuShiJian_Lower"));
-            if(BeanUtils.isNotEmpty(mapOrder.get("chuangJianShiJ"))){
-                stringObjectHashMap.put("cjsj",(String) mapOrder.get("chuangJianShiJ"));
-            }else{
-                stringObjectHashMap.put("cjsj",(String) "desc");
-            }
-            if(BeanUtils.isNotEmpty(mapOrder.get("faBuShiJian"))){
-                stringObjectHashMap.put("fbsj",(String) mapOrder.get("faBuShiJian"));
-            }else{
-                stringObjectHashMap.put("fbsj",(String) "desc");
-            }
-            // String str = String.valueOf(map.get("data"));
         }
         return stringObjectHashMap;
     }
@@ -252,24 +252,26 @@ public class SwdlServiceImpl extends GenericProvider implements SwdlService {
             stringObjectHashMap.put("limit", map.get("limit"));
             stringObjectHashMap.put("startPage", map.get("startPage"));
             stringObjectHashMap.put("locationId", getDiDian());
-            Map param = (Map) map.get("param");
-            if(BeanUtils.isNotEmpty(param.get("examName"))){
-                stringObjectHashMap.put("examName","%"+param.get("examName")+"%");
-            }
-            if(BeanUtils.isNotEmpty(param.get("bankName"))){
-                stringObjectHashMap.put("bankName","%"+param.get("bankName")+"%");
-            }
-            if (BeanUtils.isEmpty(param.get("examinee"))) {
-                stringObjectHashMap.put("examinee", EXAMINEE);
-            }else{
-                stringObjectHashMap.put("examinee",param.get("examinee"));
-            }
-            stringObjectHashMap.put("startDateUp",param.get("startDate^S"));
-            stringObjectHashMap.put("startDateLower",param.get("startDate^E"));
-            stringObjectHashMap.put("limitDateUp",param.get("limitDate^S"));
-            stringObjectHashMap.put("limitDateLower",param.get("limitDate^E"));
-            if(BeanUtils.isNotEmpty(param.get("examType"))){
-                stringObjectHashMap.put("examType",String.join(",", (ArrayList)param.get("examType")));
+            if(BeanUtils.isNotEmpty(map.get("param"))){
+                Map param = (Map) map.get("param");
+                if(BeanUtils.isNotEmpty(param.get("examName"))){
+                    stringObjectHashMap.put("examName","%"+param.get("examName")+"%");
+                }
+                if(BeanUtils.isNotEmpty(param.get("bankName"))){
+                    stringObjectHashMap.put("bankName","%"+param.get("bankName")+"%");
+                }
+                if (BeanUtils.isEmpty(param.get("examinee"))) {
+                    stringObjectHashMap.put("examinee", EXAMINEE);
+                }else{
+                    stringObjectHashMap.put("examinee",param.get("examinee"));
+                }
+                stringObjectHashMap.put("startDateUp",param.get("startDate^S"));
+                stringObjectHashMap.put("startDateLower",param.get("startDate^E"));
+                stringObjectHashMap.put("limitDateUp",param.get("limitDate^S"));
+                stringObjectHashMap.put("limitDateLower",param.get("limitDate^E"));
+                if(BeanUtils.isNotEmpty(param.get("examType"))){
+                    stringObjectHashMap.put("examType",String.join(",", (ArrayList)param.get("examType")));
+                }
             }
         }
         return stringObjectHashMap;
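Review bot: The sort directions stored under `cjsj` and `fbsj` in the first hunk's new `sort` block are taken from the request map with nothing but a `(String)` cast, so whatever text the client sends is stored under the same keys the mapper used to splice in with `${map.cjsj}` and `${map.fbsj}` (visible on the removed `order by` line of the mapper hunk). Whether the surviving query still interpolates them is outside this diff, but given the commit's stated SQL-injection purpose these two values should be reduced to a fixed set before being stored, e.g. `String cjsj = (String) mapOrder.get("chuangJianShiJ");` followed by `stringObjectHashMap.put("cjsj", "asc".equalsIgnoreCase(cjsj) ? "asc" : "desc");`, and the same for `fbsj`. That also makes the `else` branches unnecessary; the `(String) "desc"` casts there are redundant in any case. The enclosing method begins outside the hunk.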

+ 0 - 1
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/components/sqlzdy/control/SwdlController.java

@@ -85,7 +85,6 @@ public class SwdlController extends GenericProvider {
         APIResult result = new APIResult<>();
         try {
             result = swdlService.queryExData(map);
-            //result = exManagementService.queryData(map);
         } catch (Exception e) {
             setExceptionResult(result, StateEnum.ILLEGAL_REQUEST.getCode(), I18nUtil.getMessage(StateEnum.ILLEGAL_REQUEST.getCode() + ""), e);
         }

+ 4 - 62
ibps-provider-root/modules/provider-business/src/main/resources/com/lc/ibps/klimsibps/mapping/UpdateDataTableMapper.xml

@@ -337,76 +337,18 @@
                 AND FIND_IN_SET(ex.ti_ku_id_,#{map.tiKuId})
             </if>
             <if test="@o.Ognl@isNotEmpty(map.chuangJianShiJUp)">
-                AND ex.chuang_jian_shi_j >= #{map.chuangJianShiJUp}
+                AND (ex.chuang_jian_shi_j >= #{map.chuangJianShiJUp} OR ex.chuang_jian_shi_j is null)
             </if>
             <if test="@o.Ognl@isNotEmpty(map.chuangJianShiJLower)">
-                AND ex.chuang_jian_shi_j <![CDATA[ <= ]]> #{map.chuangJianShiJLower}
+                AND (ex.chuang_jian_shi_j <![CDATA[ <= ]]> #{map.chuangJianShiJLower} OR ex.chuang_jian_shi_j is null)
             </if>
             <if test="@o.Ognl@isNotEmpty(map.faBuShiJianUp)">
-                AND ex.fa_bu_shi_jian_ >= #{map.faBuShiJianUp}
+                AND (ex.fa_bu_shi_jian_ >= #{map.faBuShiJianUp} OR ex.chuang_jian_shi_j is null)
             </if>
             <if test="@o.Ognl@isNotEmpty(map.faBuShiJianLower)">
-                AND ex.fa_bu_shi_jian_ <![CDATA[ <= ]]> #{map.faBuShiJianLower}
-            </if>
-        </where>
-        union all
-        select
-        qb.ti_ku_ming_cheng_ as bankName,
-        f.pei_xun_nei_rong_ as trainId,
-        ex.id_ as examId,
-        ex.ti_ku_id_ as bankId,
-        e.id_ as paperId,
-        ex.zhuang_tai_ as examState,
-        e.zhuang_tai_ as paperState,
-        qb.ti_shu_ as questionCount,
-        qb.zong_fen_ as totalScore,
-        ex.kao_shi_ming_chen as examName,
-        ex.kao_shi_lei_xing_ as examType,
-        ex.can_kao_ren_yuan_ as examinee,
-        e.kao_shi_ren_ as examineeId,
-        ex.create_by_ as createBy,
-        ex.chuang_jian_shi_j as createTime,
-        ex.fa_bu_shi_jian_ as publishDate,
-        ex.fa_bu_ren_ as publisher,
-        ex.xian_kao_shi_jian as limitDate,
-        ex.kao_shi_shi_chang as duration,
-        ex.xian_kao_ci_shu_ as limitCount,
-        ex.da_biao_zhan_bi_ as qualifiedRadio,
-        ex.ji_fen_fang_shi_ as scoringType,
-        ex.yun_xu_bao_ming_ as allowRegist,
-        ex.kao_shi_miao_shu_ as examDesc,
-        ex.shu_ju_yong_tu_ as dataType,
-        ex.sui_ji_chou_ti_ as isRand,
-        ex.chou_ti_fang_shi_ as randWay,
-        ex.sui_ji_ti_shu_ as randNumber,
-        ex.chou_ti_zong_fen_ as randScore,
-        ex.ti_mu_zong_shu_ as randTotal,
-        e.de_fen_ as score,
-        e.bao_ming_shi_jian as applyTime,
-        e.kai_shi_shi_jian_ as startTime,
-        e.jie_shu_shi_jian_ as endTime
-
-        from t_exams ex left join t_question_bank qb on ex.ti_ku_id_ = qb.id_
-        left join t_examination e on e.exam_id_ = ex.id_
-        left join t_rypxcjb f on f.id_=ex.guan_lian_id_
-        <where>
-            ex.di_dian_ = #{map.locationId}
-            <if test="@o.Ognl@isNotEmpty(map.kaoShiMingChen)">
-                and ex.kao_shi_ming_chen like CONCAT('%', #{map.kaoShiMingChen}, '%')
-            </if>
-            <if test="@o.Ognl@isNotEmpty(map.kaoShiLeiXing)">
-                AND FIND_IN_SET(ex.kao_shi_lei_xing_,#{map.kaoShiLeiXing})
-            </if>
-            <if test="@o.Ognl@isNotEmpty(map.zhuangTai)">
-                AND FIND_IN_SET(ex.zhuang_tai_,#{map.zhuangTai})
-            </if>
-            <if test="@o.Ognl@isNotEmpty(map.tiKuId)">
-                AND FIND_IN_SET(ex.ti_ku_id_,#{map.tiKuId})
+                AND (ex.fa_bu_shi_jian_ <![CDATA[ <= ]]> #{map.faBuShiJianLower} OR ex.chuang_jian_shi_j is null)
             </if>
-                and ex.chuang_jian_shi_j is null or ex.fa_bu_shi_jian_ is null
         </where>
-        order by createTime ${map.cjsj}, publishDate ${map.fbsj}
-            limit ${map.startPage},${map.limit}
      </select>
     <select id="selectExInfoByLocationCount" resultType="java.lang.Integer" parameterType="java.util.Map">
         select
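Review bot: The null tolerance added to the two `fa_bu_shi_jian_` filters (the `faBuShiJianUp` and `faBuShiJianLower` branches) tests `ex.chuang_jian_shi_j is null` rather than `ex.fa_bu_shi_jian_ is null`, which looks like a carry-over from the two `chuang_jian_shi_j` branches just above; as written, an exam with a null publish date but a non-null create time is filtered out, while one with a null create time passes regardless of its publish date. The two lines should read `AND (ex.fa_bu_shi_jian_ >= #{map.faBuShiJianUp} OR ex.fa_bu_shi_jian_ is null)` and `AND (ex.fa_bu_shi_jian_ <![CDATA[ <= ]]> #{map.faBuShiJianLower} OR ex.fa_bu_shi_jian_ is null)`. The removed `union all` branch carried the `order by createTime ${map.cjsj}, publishDate ${map.fbsj}` and `limit ${map.startPage},${map.limit}` lines; the surviving select's ordering and paging, like its opening, lie outside this hunk, so if they still use `${}` substitution those map values must be validated before reaching the mapper.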