何书鹏 / jinzhupro · 提交

转到一个项目

作者 Karson
提交 0a164777fee1fddaa2ba319d4dd27516df206cb1 1 个父辈 dd83a625

新增搜索字段安全检测 

修复find_in_set多值时无法查询的BUG
移除冗余查询代码
内嵌 并排对比
正在显示 2 个修改的文件 包含 12 行增加6 行删除
... ... @@ -96,6 +96,9 @@ return [
'End time' => '结束时间',
'Create time' => '创建时间',
'Update time' => '更新时间',
'Createtime' => '创建时间',
'Updatetime' => '更新时间',
'Deletetime' => '删除时间',
'Flag' => '标志',
'Drag to sort' => '拖动进行排序',
'Redirect now' => '立即跳转',
... ...
... ... @@ -266,7 +266,6 @@ class Backend extends Controller
$tableName = '';
if ($relationSearch) {
if (!empty($this->model)) {
$name = \think\Loader::parseName(basename(str_replace('\\', '/', get_class($this->model))));
$name = $this->model->getTable();
$tableName = $name . '.';
}
... ... @@ -290,6 +289,9 @@ class Backend extends Controller
$where[] = [implode("|", $searcharr), "LIKE", "%{$search}%"];
}
foreach ($filter as $k => $v) {
if (!preg_match('/^[a-zA-Z0-9_\-\.]+$/', $k)) {
continue;
}
$sym = isset($op[$k]) ? $op[$k] : '=';
if (stripos($k, ".") === false) {
$k = $tableName . $k;
... ... @@ -327,7 +329,12 @@ class Backend extends Controller
case 'FINDIN':
case 'FINDINSET':
case 'FIND_IN_SET':
$where[] = "FIND_IN_SET('{$v}', " . ($relationSearch ? $k : '`' . str_replace('.', '`.`', $k) . '`') . ")";
$v = is_array($v) ? $v : explode(',', str_replace(' ', ',', $v));
foreach ($v as $index => $item) {
$item = str_replace([' ', ',', "'"], '', $item);
$item = addslashes(htmlentities(strip_tags($item)));
$where[] = "FIND_IN_SET('{$item}', `" . ($relationSearch ? str_replace('.', '`.`', $k) : $k) . "`)";
}
break;
case 'IN':
case 'IN(...)':
... ... @@ -368,10 +375,6 @@ class Backend extends Controller
}
$where[] = [$k, str_replace('RANGE', 'BETWEEN', $sym) . ' time', $arr];
break;
case 'LIKE':
case 'LIKE %...%':
$where[] = [$k, 'LIKE', "%{$v}%"];
break;
case 'NULL':
case 'IS NULL':
case 'NOT NULL':
... ...