gameui/webp
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

防止注入参数

Browse Source
This commit is contained in:
satori
2024-11-14 13:24:47 +08:00
parent e41c20471b
commit 8c34739ccd
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
api/graphql.go
View File

@@ -529,10 +529,12 @@ func NewSchema(config Config) (graphql.Schema, error) {
).As("row_num")) ).As("row_num"))
} }
// 如果没有外部排序则使用指定排序 // 如果没有外部排序则使用指定排序(正则sort只能是字母数字下划下)
if p.Args["text"] == nil && p.Args["similar"] == nil { if p.Args["text"] == nil && p.Args["similar"] == nil {
sort := regexp.MustCompile(`[^a-zA-Z0-9_]`).ReplaceAllString(p.Args["sort"].(string), "")
order := regexp.MustCompile(`[^a-zA-Z0-9_]`).ReplaceAllString(p.Args["order"].(string), "")
query = query.Select("web_images.id", goqu.L( query = query.Select("web_images.id", goqu.L(
fmt.Sprintf("ROW_NUMBER() OVER(ORDER BY web_images.%s %s)", p.Args["sort"], p.Args["order"]), fmt.Sprintf("ROW_NUMBER() OVER(ORDER BY web_images.%s %s)", sort, order),
).As("row_num")) ).As("row_num"))
} }