
fix sql筛选修正与回传优化

magicblack vor 5 Monaten
4b5568685e

+ 6 - 6
application/api/controller/Actor.php

@@ -51,27 +51,27 @@ class Actor extends Base
         }
 
         if (isset($param['area']) && strlen($param['area']) > 0) {
-            $where['actor_area'] = ['like', '%' . format_sql_string($param['area']) . '%'];
+            $where['actor_area'] = ['like', '%' . $this->format_sql_string($param['area']) . '%'];
         }
 
         if (isset($param['letter']) && strlen($param['letter']) > 0) {
-            $where['actor_letter'] = ['like', '%' . format_sql_string($param['letter']) . '%'];
+            $where['actor_letter'] = ['like', '%' . $this->format_sql_string($param['letter']) . '%'];
         }
 
         if (isset($param['level']) && strlen($param['level']) > 0) {
-            $where['actor_level'] = ['like', '%' . format_sql_string($param['level']) . '%'];
+            $where['actor_level'] = ['like', '%' . $this->format_sql_string($param['level']) . '%'];
         }
 
         if (isset($param['name']) && strlen($param['name']) > 0) {
-            $where['actor_name'] = ['like', '%' . format_sql_string($param['name']) . '%'];
+            $where['actor_name'] = ['like', '%' . $this->format_sql_string($param['name']) . '%'];
         }
 
         if (isset($param['blood']) && strlen($param['blood']) > 0) {
-            $where['actor_blood'] = ['like', '%' . format_sql_string($param['blood']) . '%'];
+            $where['actor_blood'] = ['like', '%' . $this->format_sql_string($param['blood']) . '%'];
         }
 
         if (isset($param['starsign']) && strlen($param['starsign']) > 0) {
-            $where['actor_starsign'] = ['like', '%' . format_sql_string($param['starsign']) . '%'];
+            $where['actor_starsign'] = ['like', '%' . $this->format_sql_string($param['starsign']) . '%'];
         }
 
         if (isset($param['time_end']) && isset($param['time_start'])) {

+ 5 - 5
application/api/controller/Art.php

@@ -60,23 +60,23 @@ class Art extends Base
         }
 
         if (isset($param['name']) && strlen($param['name']) > 0) {
-            $where['art_name'] = ['like', '%' . format_sql_string($param['name']) . '%'];
+            $where['art_name'] = ['like', '%' . $this->format_sql_string($param['name']) . '%'];
         }
 
         if (isset($param['sub']) && strlen($param['sub']) > 0) {
-            $where['art_sub'] = ['like', '%' . format_sql_string($param['sub']) . '%'];
+            $where['art_sub'] = ['like', '%' . $this->format_sql_string($param['sub']) . '%'];
         }
 
         if (isset($param['blurb']) && strlen($param['blurb']) > 0) {
-            $where['art_blurb'] = ['like', '%' . format_sql_string($param['blurb']) . '%'];
+            $where['art_blurb'] = ['like', '%' . $this->format_sql_string($param['blurb']) . '%'];
         }
 
         if (isset($param['title']) && strlen($param['title']) > 0) {
-            $where['art_title'] = ['like', '%' . format_sql_string($param['title']) . '%'];
+            $where['art_title'] = ['like', '%' . $this->format_sql_string($param['title']) . '%'];
         }
 
         if (isset($param['content']) && strlen($param['content']) > 0) {
-            $where['art_content'] = ['like', '%' . format_sql_string($param['content']) . '%'];
+            $where['art_content'] = ['like', '%' . $this->format_sql_string($param['content']) . '%'];
         }
 
         // 数据获取

+ 2 - 2
application/api/controller/Gbook.php

@@ -59,11 +59,11 @@ class Gbook extends Base
         }
 
         if (isset($param['name']) && strlen($param['name']) > 0) {
-            $where['gbook_name'] = ['like', '%' . format_sql_string($param['name']) . '%'];
+            $where['gbook_name'] = ['like', '%' . $this->format_sql_string($param['name']) . '%'];
         }
 
         if (isset($param['content']) && strlen($param['content']) > 0) {
-            $where['gbook_content'] = ['like', '%' . format_sql_string($param['content']) . '%'];
+            $where['gbook_content'] = ['like', '%' . $this->format_sql_string($param['content']) . '%'];
         }
 
         if (isset($param['time_end']) && isset($param['time_start'])) {

+ 6 - 1
application/api/controller/Link.php

@@ -56,7 +56,7 @@ class Link extends Base
         }
 
         if (isset($param['name']) && strlen($param['name']) > 0) {
-            $where['link_name'] = ['like', '%' . format_sql_string($param['name']) . '%'];
+            $where['link_name'] = ['like', '%' . $this->format_sql_string($param['name']) . '%'];
         }
 
         if (isset($param['time_end']) && isset($param['time_start'])) {
@@ -78,6 +78,11 @@ class Link extends Base
                 $order = 'link_' . $param['orderby'] . " DESC";
             }
             $list = model('Link')->getListByCond($offset, $limit, $where, $order, $field, []);
+            foreach ($list as &$item) {
+                $item['link_name'] = htmlspecialchars($item['link_name'], ENT_QUOTES, 'UTF-8');
+                $item['link_logo'] = htmlspecialchars($item['link_logo'], ENT_QUOTES, 'UTF-8');
+                $item['link_url'] = htmlspecialchars($item['link_url'], ENT_QUOTES, 'UTF-8');
+            }
         }
         // 返回
         return json([
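Review bot: htmlspecialchars() on link_url in the foreach added after the getListByCond() call turns `&` into `&amp;`, so any link with more than one query parameter comes back corrupted, and HTML-escaping inside a JSON API is the wrong layer anyway — the consumer that renders into HTML should escape for its own context. If the intent is to blunt stored XSS for naive consumers, at least use `htmlspecialchars($item['link_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` so an invalid byte sequence does not silently blank the field. The by-reference loop also leaves `$item` aliased to the last element; add `unset($item);` after the loop. Separately, the context line `$order = 'link_' . $param['orderby'] . " DESC";` concatenates caller input into the ORDER BY clause; the enclosing `if` starts before the hunk, so I cannot see whether orderby is whitelisted there — if it is not, restrict it to a fixed list of column suffixes rather than relying on the framework's order parsing.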

+ 8 - 0
application/api/controller/PublicApi.php

@@ -43,4 +43,12 @@ trait PublicApi
             exit;
         }
     }
+
+    protected function format_sql_string($str)
+    {
+        $str = preg_replace('/\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|WHERE|FROM|JOIN|INTO|VALUES|SET|AND|OR|NOT|EXISTS|HAVING|GROUP BY|ORDER BY|LIMIT|OFFSET)\b/i', '', $str);
+        $str = preg_replace('/[^\w\s\-\.]/', '', $str);
+        $str = trim(preg_replace('/\s+/', ' ', $str));
+        return $str;
+    }
 }
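Review bot: The new format_sql_string() strips rather than escapes, and its second regex has no `u` modifier, so `\w` matches only ASCII word characters and a non-ASCII (e.g. Chinese) search term is reduced to an empty string — the callers then build `LIKE '%%'` and match every row. The keyword blacklist on the line above it also deletes ordinary words such as "Union", "Set" or "Or" from legitimate titles, while the LIKE wildcard `_` passes through untouched because it is a `\w` character. Neither regex is what prevents injection here: every caller places the value inside a ThinkPHP where array, which is normally emitted as a bound parameter (confirm against the model's getListByCond()). I would reduce the helper to whitespace normalisation plus LIKE-wildcard escaping, as below, and skip the escaping for the two equality uses in Vod.php (vod_area, vod_year) where it would change the comparison.
```php
    /**
     * Normalise a free-text search term for use as a bound LIKE value.
     * Injection is prevented by parameter binding, not by this method; it only
     * escapes LIKE wildcards and tidies whitespace, keeping non-ASCII text intact.
     */
    protected function format_sql_string($str)
    {
        $str = trim((string) preg_replace('/\s+/u', ' ', (string) $str));
        return addcslashes($str, '%_\\');
    }
```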

+ 5 - 5
application/api/controller/User.php

@@ -61,23 +61,23 @@ class User extends Base
         }
 
         if (isset($param['phone']) && strlen($param['phone']) > 0) {
-            $where['user_phone'] = ['like', '%' . format_sql_string($param['phone']) . '%'];
+            $where['user_phone'] = ['like', '%' . $this->format_sql_string($param['phone']) . '%'];
         }
 
         if (isset($param['qq']) && strlen($param['qq']) > 0) {
-            $where['user_qq'] = ['like', '%' . format_sql_string($param['qq']) . '%'];
+            $where['user_qq'] = ['like', '%' . $this->format_sql_string($param['qq']) . '%'];
         }
 
         if (isset($param['email']) && strlen($param['email']) > 0) {
-            $where['user_email'] = ['like', '%' . format_sql_string($param['email']) . '%'];
+            $where['user_email'] = ['like', '%' . $this->format_sql_string($param['email']) . '%'];
         }
 
         if (isset($param['nickname']) && strlen($param['nickname']) > 0) {
-            $where['user_nickname'] = ['like', '%' . format_sql_string($param['nickname']) . '%'];
+            $where['user_nickname'] = ['like', '%' . $this->format_sql_string($param['nickname']) . '%'];
         }
 
         if (isset($param['name']) && strlen($param['name']) > 0) {
-            $where['user_name'] = ['like', '%' . format_sql_string($param['name']) . '%'];
+            $where['user_name'] = ['like', '%' . $this->format_sql_string($param['name']) . '%'];
         }
 
         // 数据获取
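Review bot: The phone, qq and email filters are substring LIKE matches on personal data, so whoever can reach this action can enumerate accounts by a partial phone number or e-mail address; whether the action is limited to an authenticated administrator is not visible here (the `exit` near the top of the PublicApi trait suggests some gate, but confirm it applies to this controller). Unless partial matching is a genuine admin requirement, make phone and email exact matches, e.g. `$where['user_phone'] = $this->format_sql_string($param['phone']);`. The rest of the search method lies outside the hunk.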

+ 6 - 6
application/api/controller/Vod.php

@@ -57,22 +57,22 @@ class Vod extends Base
             $where['vod_letter'] = $param['vod_letter'];
         }
         if (isset($param['vod_tag']) && strlen($param['vod_tag']) > 0) {
-            $where['vod_tag'] = ['like', '%' . format_sql_string($param['vod_tag']) . '%'];
+            $where['vod_tag'] = ['like', '%' . $this->format_sql_string($param['vod_tag']) . '%'];
         }
         if (isset($param['vod_name']) && strlen($param['vod_name']) > 0) {
-            $where['vod_name'] = ['like', '%' . format_sql_string($param['vod_name']) . '%'];
+            $where['vod_name'] = ['like', '%' . $this->format_sql_string($param['vod_name']) . '%'];
         }
         if (isset($param['vod_blurb']) && strlen($param['vod_blurb']) > 0) {
-            $where['vod_blurb'] = ['like', '%' . format_sql_string($param['vod_blurb']) . '%'];
+            $where['vod_blurb'] = ['like', '%' . $this->format_sql_string($param['vod_blurb']) . '%'];
         }
         if (isset($param['vod_class']) && strlen($param['vod_class']) > 0) {
-            $where['vod_class'] = ['like', '%' . format_sql_string($param['vod_class']) . '%'];
+            $where['vod_class'] = ['like', '%' . $this->format_sql_string($param['vod_class']) . '%'];
         }
         if (isset($param['vod_area']) && strlen($param['vod_area']) > 0) {
-            $where['vod_area'] = format_sql_string($param['vod_area']);
+            $where['vod_area'] = $this->format_sql_string($param['vod_area']);
         }
         if (isset($param['vod_year']) && strlen($param['vod_year']) > 0) {
-            $where['vod_year'] = format_sql_string($param['vod_year']);
+            $where['vod_year'] = $this->format_sql_string($param['vod_year']);
         }
         // 数据获取
         $total = model('Vod')->getCountByCond($where);
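Review bot: vod_area and vod_year are equality filters, and because the helper's character regex runs without the `u` modifier, `\w` matches only ASCII, so an area name written in Chinese is reduced to an empty string and the query silently becomes `vod_area = ''`, returning nothing instead of rejecting the bad filter (worth confirming with a quick test). For vod_year no string sanitising is needed at all; validate it as a number instead: `if (ctype_digit((string) $param['vod_year'])) { $where['vod_year'] = $param['vod_year']; }`. The method continues past the hunk with the count and list queries.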

+ 6 - 6
application/api/controller/Website.php

@@ -55,15 +55,15 @@ class Website extends Base
         }
 
         if (isset($param['name']) && strlen($param['name']) > 0) {
-            $where['website_name'] = ['like', '%' . format_sql_string($param['name']) . '%'];
+            $where['website_name'] = ['like', '%' . $this->format_sql_string($param['name']) . '%'];
         }
 
         if (isset($param['sub']) && strlen($param['sub']) > 0) {
-            $where['website_sub'] = ['like', '%' . format_sql_string($param['sub']) . '%'];
+            $where['website_sub'] = ['like', '%' . $this->format_sql_string($param['sub']) . '%'];
         }
 
         if (isset($param['en']) && strlen($param['en']) > 0) {
-            $where['website_en'] = ['like', '%' . format_sql_string($param['en']) . '%'];
+            $where['website_en'] = ['like', '%' . $this->format_sql_string($param['en']) . '%'];
         }
 
         if (isset($param['letter']) && strlen($param['letter']) == 1) {
@@ -71,15 +71,15 @@ class Website extends Base
         }
 
         if (isset($param['area']) && strlen($param['area']) > 0) {
-            $where['website_area'] = ['like', '%' . format_sql_string($param['area']) . '%'];
+            $where['website_area'] = ['like', '%' . $this->format_sql_string($param['area']) . '%'];
         }
 
         if (isset($param['lang']) && strlen($param['lang']) > 0) {
-            $where['website_lang'] = ['like', '%' . format_sql_string($param['lang']) . '%'];
+            $where['website_lang'] = ['like', '%' . $this->format_sql_string($param['lang']) . '%'];
         }
 
         if (isset($param['tag']) && strlen($param['tag']) > 0) {
-            $where['website_tag'] = ['like', '%' . format_sql_string($param['tag']) . '%'];
+            $where['website_tag'] = ['like', '%' . $this->format_sql_string($param['tag']) . '%'];
         }
 
         if (isset($param['time_end']) && isset($param['time_start'])) {