增强安全：对 DELETE 和 PUT 强制加 LIMIT；简化包含选项的写法：解决 "key<>": "a" 这种包含字符串的格式报错 …

…Data truncation: Invalid JSON text，原来必须里面再用 "" 包装一次，JSON 中还得转义，现在直接写即可；
Tencent · Jan 30, 2021 · 6831cb6 · 6831cb6
1 parent cf1cca0
commit 6831cb6
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 11 deletions.
diff --git a/APIJSONORM/src/main/java/apijson/orm/AbstractObjectParser.java b/APIJSONORM/src/main/java/apijson/orm/AbstractObjectParser.java
@@ -650,7 +650,7 @@ public SQLConfig newSQLConfig(boolean isProcedure) throws Exception {
 	 */
 	@Override
 	public AbstractObjectParser setSQLConfig() throws Exception {
-		return setSQLConfig(1, 0, 0);
+		return setSQLConfig(RequestMethod.isQueryMethod(method) ? 1 : 0, 0, 0);
 	}
 
 	@Override
@@ -668,7 +668,7 @@ public AbstractObjectParser setSQLConfig(int count, int page, int position) thro
 				return this;
 			}
 		}
-		sqlConfig.setCount(count).setPage(page).setPosition(position);
+		sqlConfig.setCount(sqlConfig.getCount() <= 0 ? count : sqlConfig.getCount()).setPage(page).setPosition(position);
 
 		parser.onVerifyRole(sqlConfig);
 

diff --git a/APIJSONORM/src/main/java/apijson/orm/AbstractSQLConfig.java b/APIJSONORM/src/main/java/apijson/orm/AbstractSQLConfig.java
@@ -1284,11 +1284,11 @@ public String getLimitString() {
 	public static String getLimitString(int page, int count, boolean isTSQL) {
 		int offset = getOffset(page, count);
 
-		if (isTSQL) {
+		if (isTSQL) {  // OFFSET FECTH 中所有关键词都不可省略
 			return " OFFSET " + offset + " ROWS FETCH FIRST " + count + " ROWS ONLY";
 		}
 
-		return " LIMIT " + count + " OFFSET " + offset;
+		return " LIMIT " + count + (offset <= 0 ? "" : " OFFSET " + offset);  // DELETE, UPDATE 不支持 OFFSET
 	}
 
 	//WHERE <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
@@ -2179,20 +2179,23 @@ public String getContainString(String key, Object[] childs, int type) throws Ill
 		String condition = "";
 		if (childs != null) {
 			for (int i = 0; i < childs.length; i++) {
-				if (childs[i] != null) {
-					if (childs[i] instanceof JSON) {
+				Object c = childs[i];
+				if (c != null) {
+					if (c instanceof JSON) {
 						throw new IllegalArgumentException(key + "<>:value 中value类型不能为JSON！");
 					}
 
 					condition += (i <= 0 ? "" : (Logic.isAnd(type) ? AND : OR));
 					if (isPostgreSQL()) {
-						condition += (getKey(key) + " @> " + getValue(newJSONArray(childs[i]))); //operator does not exist: jsonb @> character varying  "[" + childs[i] + "]"); 
+						condition += (getKey(key) + " @> " + getValue(newJSONArray(c))); //operator does not exist: jsonb @> character varying  "[" + c + "]"); 
 					}
 					else if (isOracle()) {
-						condition += ("json_textcontains(" + getKey(key) + ", '$', " + getValue(childs[i].toString()) + ")");
+						condition += ("json_textcontains(" + getKey(key) + ", '$', " + getValue(c.toString()) + ")");
 					}
 					else {
-						condition += ("json_contains(" + getKey(key) + ", " + getValue(childs[i].toString()) + ")");
+						boolean isNum = c instanceof Number;
+						String v = (isNum ? "" : "\"") + childs[i] + (isNum ? "" : "\"");
+						condition += ("json_contains(" + getKey(key) + ", " +  getValue(v) + ")");
 					}
 				}
 			}
@@ -2390,9 +2393,9 @@ public static String getSQL(AbstractSQLConfig config) throws Exception {
 		case POST:
 			return "INSERT INTO " + tablePath + config.getColumnString() + " VALUES" + config.getValuesString();
 		case PUT:
-			return "UPDATE " + tablePath + config.getSetString() + config.getWhereString(true);
+			return "UPDATE " + tablePath + config.getSetString() + config.getWhereString(true) + config.getLimitString();
 		case DELETE:
-			return "DELETE FROM " + tablePath + config.getWhereString(true);
+			return "DELETE FROM " + tablePath + config.getWhereString(true) + config.getLimitString();
 		default:
 			String explain = (config.isExplain() ? (config.isSQLServer() || config.isOracle() ? "SET STATISTICS PROFILE ON  " : "EXPLAIN ") : "");
 			if (config.isTest() && RequestMethod.isGetMethod(config.getMethod(), true)) {
@@ -2635,6 +2638,10 @@ public static SQLConfig newSQLConfig(RequestMethod method, String table, String
 				throw new NotExistException(TAG + ": newSQLConfig idIn instanceof List >> 去掉无效 id 后 newIdIn.isEmpty()");
 			}
 			idIn = newIdIn;
+
+			if (method == DELETE || method == PUT) {
+				config.setCount(newIdIn.size());
+			}
 		}
 
 		//对id和id{}处理，这两个一定会作为条件
@@ -2670,6 +2677,10 @@ else if (id instanceof Subquery) {}
 					throw new NotExistException(TAG + ": newSQLConfig  idIn != null && (((List<?>) idIn).contains(id) == false");
 				}
 			}
+
+			if (method == DELETE || method == PUT) {
+				config.setCount(1);
+			}
 		}