jsl-questionnaire-base/src/main/java/com/qs/serve/common/util/JdbcUtil.java

package com.qs.serve.common.util;

import lombok.extern.slf4j.Slf4j;
import org.springframework.util.StringUtils;

import java.sql.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * 原生JDBC工具类
 * @Author JcYen
 * @Date 2021/6/4
 */
@Slf4j
public class JdbcUtil {

    private static final String[] FILTER_WORD = new String[]{"truncate","create","alter","eval","delete","sp_password"};

    /**
     * 执行SQL（为安全，拦截delete语句）
     * @param username
     * @param password
     * @param url
     * @param driverName
     * @param sql
     * @return
     */
    public static List<Map<String,Object>> query(String username, String password, String url, String driverName, String sql) {
        //检查SQL，防止SQL执行DDL语句
        doSqlFilter(sql);
        List<Map<String,Object>> list = new ArrayList();
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            Class.forName(driverName);
            conn = DriverManager.getConnection(url, username, password);
            stmt = conn.createStatement();
            log.debug("JDBC工具类 Preparing SQL: {}",url);
            rs = stmt.executeQuery(sql);
            ResultSetMetaData md = rs.getMetaData();
            int columnCount = md.getColumnCount();
            while (rs.next()) {
                Map<String,Object> rowData = new HashMap<>();
                for (int i = 1; i <= columnCount; i++) {
                    rowData.put(md.getColumnName(i), rs.getObject(i));
                }
                list.add(rowData);
            }
        } catch (ClassNotFoundException e) {
            log.warn(e.getMessage());
        } catch (SQLException throwables) {
            log.error(throwables.getMessage());
        }finally {
            if(rs!=null){
                try {
                    rs.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
            if (stmt!=null){
                try {
                    stmt.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
            if(conn!=null){
                try {
                    conn.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
            rs = null;
            stmt = null;
            conn = null;
        }
        return list;
    }

    private static void doSqlFilter(String sql){
        boolean unsafe = false;
        String[] parts = sql.split(" ");
        for (String part : parts) {
            if(unsafe){ break; }
            if(StringUtils.isEmpty(part)){
                continue;
            }
            part = part.trim();
            for (String filterWord : FILTER_WORD) {
                if(part.equalsIgnoreCase(filterWord)){
                    unsafe = true;
                    break;
                }
            }
        }
        if(unsafe){
            //AssertUtil.("非法SQL被拦截 ==> "+sql);
        }
    }

}
客户帐余 2 years ago			`package com.qs.serve.common.util;`

			`import lombok.extern.slf4j.Slf4j;`
			`import org.springframework.util.StringUtils;`

			`import java.sql.*;`
			`import java.util.ArrayList;`
			`import java.util.HashMap;`
			`import java.util.List;`
			`import java.util.Map;`

			`/**`
			`* 原生JDBC工具类`
			`* @Author JcYen`
			`* @Date 2021/6/4`
			`*/`
			`@Slf4j`
			`public class JdbcUtil {`

			`private static final String[] FILTER_WORD = new String[]{"truncate","create","alter","eval","delete","sp_password"};`

			`/**`
			`* 执行SQL（为安全，拦截delete语句）`
			`* @param username`
			`* @param password`
			`* @param url`
			`* @param driverName`
			`* @param sql`
			`* @return`
			`*/`
			`public static List<Map<String,Object>> query(String username, String password, String url, String driverName, String sql) {`
			`//检查SQL，防止SQL执行DDL语句`
			`doSqlFilter(sql);`
			`List<Map<String,Object>> list = new ArrayList();`
			`Connection conn = null;`
			`Statement stmt = null;`
			`ResultSet rs = null;`
			`try {`
			`Class.forName(driverName);`
			`conn = DriverManager.getConnection(url, username, password);`
			`stmt = conn.createStatement();`
			`log.debug("JDBC工具类 Preparing SQL: {}",url);`
			`rs = stmt.executeQuery(sql);`
			`ResultSetMetaData md = rs.getMetaData();`
			`int columnCount = md.getColumnCount();`
			`while (rs.next()) {`
			`Map<String,Object> rowData = new HashMap<>();`
			`for (int i = 1; i <= columnCount; i++) {`
			`rowData.put(md.getColumnName(i), rs.getObject(i));`
			`}`
			`list.add(rowData);`
			`}`
			`} catch (ClassNotFoundException e) {`
			`log.warn(e.getMessage());`
			`} catch (SQLException throwables) {`
			`log.error(throwables.getMessage());`
			`}finally {`
			`if(rs!=null){`
			`try {`
			`rs.close();`
			`} catch (SQLException e) {`
			`e.printStackTrace();`
			`}`
			`}`
			`if (stmt!=null){`
			`try {`
			`stmt.close();`
			`} catch (SQLException e) {`
			`e.printStackTrace();`
			`}`
			`}`
			`if(conn!=null){`
			`try {`
			`conn.close();`
			`} catch (SQLException e) {`
			`e.printStackTrace();`
			`}`
			`}`
			`rs = null;`
			`stmt = null;`
			`conn = null;`
			`}`
			`return list;`
			`}`

			`private static void doSqlFilter(String sql){`
			`boolean unsafe = false;`
			`String[] parts = sql.split(" ");`
			`for (String part : parts) {`
			`if(unsafe){ break; }`
			`if(StringUtils.isEmpty(part)){`
			`continue;`
			`}`
			`part = part.trim();`
			`for (String filterWord : FILTER_WORD) {`
			`if(part.equalsIgnoreCase(filterWord)){`
			`unsafe = true;`
			`break;`
			`}`
			`}`
			`}`
			`if(unsafe){`
			`//AssertUtil.("非法SQL被拦截 ==> "+sql);`
			`}`
			`}`

			`}`