|
@@ -266,7 +266,6 @@ class Backend extends Controller |
|
@@ -266,7 +266,6 @@ class Backend extends Controller |
266
|
$tableName = '';
|
266
|
$tableName = '';
|
267
|
if ($relationSearch) {
|
267
|
if ($relationSearch) {
|
268
|
if (!empty($this->model)) {
|
268
|
if (!empty($this->model)) {
|
269
|
- $name = \think\Loader::parseName(basename(str_replace('\\', '/', get_class($this->model))));
|
|
|
270
|
$name = $this->model->getTable();
|
269
|
$name = $this->model->getTable();
|
271
|
$tableName = $name . '.';
|
270
|
$tableName = $name . '.';
|
272
|
}
|
271
|
}
|
|
@@ -290,6 +289,9 @@ class Backend extends Controller |
|
@@ -290,6 +289,9 @@ class Backend extends Controller |
290
|
$where[] = [implode("|", $searcharr), "LIKE", "%{$search}%"];
|
289
|
$where[] = [implode("|", $searcharr), "LIKE", "%{$search}%"];
|
291
|
}
|
290
|
}
|
292
|
foreach ($filter as $k => $v) {
|
291
|
foreach ($filter as $k => $v) {
|
|
|
292
|
+ if (!preg_match('/^[a-zA-Z0-9_\-\.]+$/', $k)) {
|
|
|
293
|
+ continue;
|
|
|
294
|
+ }
|
293
|
$sym = isset($op[$k]) ? $op[$k] : '=';
|
295
|
$sym = isset($op[$k]) ? $op[$k] : '=';
|
294
|
if (stripos($k, ".") === false) {
|
296
|
if (stripos($k, ".") === false) {
|
295
|
$k = $tableName . $k;
|
297
|
$k = $tableName . $k;
|
|
@@ -327,7 +329,12 @@ class Backend extends Controller |
|
@@ -327,7 +329,12 @@ class Backend extends Controller |
327
|
case 'FINDIN':
|
329
|
case 'FINDIN':
|
328
|
case 'FINDINSET':
|
330
|
case 'FINDINSET':
|
329
|
case 'FIND_IN_SET':
|
331
|
case 'FIND_IN_SET':
|
330
|
- $where[] = "FIND_IN_SET('{$v}', " . ($relationSearch ? $k : '`' . str_replace('.', '`.`', $k) . '`') . ")";
|
332
|
+ $v = is_array($v) ? $v : explode(',', str_replace(' ', ',', $v));
|
|
|
333
|
+ foreach ($v as $index => $item) {
|
|
|
334
|
+ $item = str_replace([' ', ',', "'"], '', $item);
|
|
|
335
|
+ $item = addslashes(htmlentities(strip_tags($item)));
|
|
|
336
|
+ $where[] = "FIND_IN_SET('{$item}', `" . ($relationSearch ? str_replace('.', '`.`', $k) : $k) . "`)";
|
|
|
337
|
+ }
|
331
|
break;
|
338
|
break;
|
332
|
case 'IN':
|
339
|
case 'IN':
|
333
|
case 'IN(...)':
|
340
|
case 'IN(...)':
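Review bot: `$item` is still interpolated into a raw SQL string on new line 336, and the escaping on line 335 is for the wrong context: `htmlentities` rewrites legitimate values containing `&`, `<`, `>` or `"` so they no longer match what is stored, and `addslashes` is not a charset-aware SQL escape, so the line is a character blacklist rather than a safe encoding. Prefer to bind the value — if the query builder in use offers a find-in-set operator or raw SQL with bindings, use that — or, failing that, mirror the key whitelist added earlier in this commit by replacing line 335 with `if (!preg_match('/^[a-zA-Z0-9_\-]+$/', $item)) { continue; }` so an unexpected value never reaches string concatenation. Each item is pushed as its own `$where[]` entry, which presumably ANDs them, so a multi-value search would match only rows containing every value; confirm that is the intended semantics rather than OR. `$index` in the `foreach` is unused and can be dropped. The enclosing `switch` and its method continue outside the hunk.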
|
|
@@ -368,10 +375,6 @@ class Backend extends Controller |
|
@@ -368,10 +375,6 @@ class Backend extends Controller |
368
|
}
|
375
|
}
|
369
|
$where[] = [$k, str_replace('RANGE', 'BETWEEN', $sym) . ' time', $arr];
|
376
|
$where[] = [$k, str_replace('RANGE', 'BETWEEN', $sym) . ' time', $arr];
|
370
|
break;
|
377
|
break;
|
371
|
- case 'LIKE':
|
|
|
372
|
- case 'LIKE %...%':
|
|
|
373
|
- $where[] = [$k, 'LIKE', "%{$v}%"];
|
|
|
374
|
- break;
|
|
|
375
|
case 'NULL':
|
378
|
case 'NULL':
|
376
|
case 'IS NULL':
|
379
|
case 'IS NULL':
|
377
|
case 'NOT NULL':
|
380
|
case 'NOT NULL':
|