1、修改GetGameCardSearch接口sql注入问题;

This commit is contained in:
chenlin 2025-07-17 16:11:37 +08:00
parent 48e0cd78d4
commit 70750755d3


@ -560,17 +560,16 @@ func GetGameCardSearch(name string, page, pageSize int, storeId uint32) ([]GameC
// sqlStore = fmt.Sprintf(" AND id IN (%s) ", strings.Join(gameCardIds, ",")) // sqlStore = fmt.Sprintf(" AND id IN (%s) ", strings.Join(gameCardIds, ","))
//} //}
countSql := "SELECT COUNT(id) AS count FROM game_card WHERE status=1 AND game_card.name LIKE '%" + name + "%'" likeName := "%" + name + "%"
err := DB.Raw(countSql).Scan(&cardCount).Error countSql := "SELECT COUNT(id) AS count FROM game_card WHERE status=1 AND game_card.name LIKE ?"
err := DB.Raw(countSql, likeName).Scan(&cardCount).Error
if err != nil { if err != nil {
logger.Error("err:", err) logger.Error("err:", err)
return cards, 0, err return cards, 0, err
} }
sql := "SELECT game_card.* FROM game_card WHERE status=1 AND game_card.name LIKE '%" + name + "%'" sql := "SELECT game_card.* FROM game_card WHERE status=1 AND game_card.name LIKE ?"
//sql := "SELECT game_card.* FROM game_card WHERE status=1 AND game_card.name LIKE '%" + name + "%'" + sqlStore + err = DB.Raw(sql, likeName).Scan(&cards).Error
// fmt.Sprintf(" LIMIT %d,%d;", page*pageSize, pageSize)
err = DB.Raw(sql).Scan(&cards).Error
if err != nil { if err != nil {
logger.Error("err:", err) logger.Error("err:", err)
return cards, 0, err return cards, 0, err