
fix: 修复所有 IN 子句的 SQL 注入风险

- 用 bindparam(expanding=True) 替代字符串拼接
- 修复方法: get_cust_by_ids, get_shop_by_ids, get_product_by_ids, get_order_by_product_ids
- 改用 fetch_all 直接查询,跳过分页(结果集大小由输入列表决定)
Sherlock 2 dagar sedan
förälder
incheckning
66f694e335
1 ändrade filer med 42 tillägg och 46 borttagningar
  1. 42 46
      database/dao/mysql_dao.py

+ 42 - 46
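--- a/database/dao/mysql_dao.py
+++ b/database/dao/mysql_dao.py
@@ -1,5 +1,5 @@
 from database import MySqlDatabaseHelper
-from sqlalchemy import text
+from sqlalchemy import text, bindparam
 import pandas as pd
 
 class MySqlDao:
@@ -106,72 +106,68 @@ class MySqlDao:
         """根据零售户列表查询其信息"""
         if not cust_id_list:
             return None
-        
-        cust_id_str = ",".join([f"'{cust_id}'" for cust_id in cust_id_list])
-        query = f"""
-            SELECT *
-            FROM {self._cust_tablename}
-            WHERE BA_CITY_ORG_CODE = :city_uuid
-            AND BB_RETAIL_CUSTOMER_CODE IN ({cust_id_str})
-        """
-        params = {"city_uuid": city_uuid}
-        data = self.db_helper.load_data_with_page(query, params)
-        
+
+        query = text(f"""
+        SELECT *
+        FROM {self._cust_tablename}
+        WHERE BA_CITY_ORG_CODE = :city_uuid
+        AND BB_RETAIL_CUSTOMER_CODE IN :ids
+    """).bindparams(bindparam("ids", expanding=True))
+        params = {"city_uuid": city_uuid, "ids": list(cust_id_list)}
+        data = pd.DataFrame(self.db_helper.fetch_all(query, params))
+
         return data
     
     def get_shop_by_ids(self, city_uuid, cust_id_list):
         """根据零售户列表查询其信息"""
         if not cust_id_list:
             return None
-        
-        cust_id_str = ",".join([f"'{cust_id}'" for cust_id in cust_id_list])
-        query = f"""
-            SELECT *
-            FROM {self._shopping_tablename}
-            WHERE city_uuid = :city_uuid
-            AND cust_code IN ({cust_id_str})
-        """
-        params = {"city_uuid": city_uuid}
-        data = self.db_helper.load_data_with_page(query, params)
-        
+
+        query = text(f"""
+        SELECT *
+        FROM {self._shopping_tablename}
+        WHERE city_uuid = :city_uuid
+        AND cust_code IN :ids
+    """).bindparams(bindparam("ids", expanding=True))
+        params = {"city_uuid": city_uuid, "ids": list(cust_id_list)}
+        data = pd.DataFrame(self.db_helper.fetch_all(query, params))
+
         return data
     
     def get_product_by_ids(self, city_uuid, product_id_list):
         """根据product_code列表查询其信息"""
         if not product_id_list:
             return None
-        
-        product_id_str = ",".join([f"'{product_id}'" for product_id in product_id_list])
-        query = f"""
-            SELECT *
-            FROM {self._product_tablename}
-            WHERE city_uuid = :city_uuid
-            AND product_code IN ({product_id_str})
-        """
-        params = {"city_uuid": city_uuid}
-        data = self.db_helper.load_data_with_page(query, params)
-        
+
+        query = text(f"""
+        SELECT *
+        FROM {self._product_tablename}
+        WHERE city_uuid = :city_uuid
+        AND product_code IN :ids
+    """).bindparams(bindparam("ids", expanding=True))
+        params = {"city_uuid": city_uuid, "ids": list(product_id_list)}
+        data = pd.DataFrame(self.db_helper.fetch_all(query, params))
+
         return data
     
     def get_order_by_product_ids(self, city_uuid, product_ids):
         """获取指定香烟列表的所有售卖记录"""
         if not product_ids:
             return None
-        
-        product_ids_str = ",".join([f"'{product_code}'" for product_code in product_ids])
-        query = f"""
-            SELECT *
-            FROM {self._order_tablename}
-            WHERE city_uuid = :city_uuid
-            AND product_code IN ({product_ids_str})
-        """
-        params = {"city_uuid": city_uuid}
-        data = self.db_helper.load_data_with_page(query, params)
-        
+
+        query = text(f"""
+        SELECT *
+        FROM {self._order_tablename}
+        WHERE city_uuid = :city_uuid
+        AND product_code IN :ids
+    """).bindparams(bindparam("ids", expanding=True))
+        params = {"city_uuid": city_uuid, "ids": list(product_ids)}
+        data = pd.DataFrame(self.db_helper.fetch_all(query, params))
+
         cust_list = self.get_cust_list(city_uuid)
         cust_index = cust_list.set_index("BB_RETAIL_CUSTOMER_CODE")
         data = data.join(cust_index, on="cust_code", how="inner")
-        
+
         return data
     
     def get_order_by_product(self, city_uuid, product_id):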
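Review bot: The IN lists are now bound, but `FROM {self._cust_tablename}` and the three sibling FROM clauses are still f-string interpolated into the statement, which is only safe while those attributes come from trusted configuration rather than caller or request data; a comment at each text() call such as `# table name is interpolated, not bound: it must come from config, never from caller input`, or an identifier check where the attribute is assigned, would make that contract explicit since the commit title claims the injection risk is fully fixed. `pd.DataFrame(self.db_helper.fetch_all(query, params))` on an empty result set produces a frame with no columns, so in get_order_by_product_ids the later `data.join(cust_index, on="cust_code", how="inner")` would raise KeyError (assuming fetch_all returns a list of row mappings, which is not visible here); a guard `if data.empty: return None` right after the fetch keeps that consistent with the existing empty-input branch. The four methods now differ only in table and column names, so the query construction could move into one private helper, sketched below, which also gives the interpolation caveat a single home; get_cust_by_ids's signature sits above the hunk and get_order_by_product's body continues below it.
```python
    def _fetch_by_ids(self, table, city_col, id_col, city_uuid, id_list):
        """SELECT * FROM `table` for one city, restricted to `id_col IN id_list` via an expanding bind."""
        # table/column names are interpolated, not bound: they must be code or
        # trusted configuration values, never caller-supplied input
        query = text(f"""
            SELECT *
            FROM {table}
            WHERE {city_col} = :city_uuid
            AND {id_col} IN :ids
        """).bindparams(bindparam("ids", expanding=True))
        params = {"city_uuid": city_uuid, "ids": list(id_list)}
        data = pd.DataFrame(self.db_helper.fetch_all(query, params))
        # an empty result has no columns, so callers that join on a column must not see it
        return None if data.empty else data

    def get_cust_by_ids(self, city_uuid, cust_id_list):
        """根据零售户列表查询其信息"""
        if not cust_id_list:
            return None
        return self._fetch_by_ids(self._cust_tablename, "BA_CITY_ORG_CODE",
                                  "BB_RETAIL_CUSTOMER_CODE", city_uuid, cust_id_list)
    # … unchanged: get_shop_by_ids / get_product_by_ids / get_order_by_product_ids call the helper with their own table and column names …
```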