Beispiel #1
0
        public ActionResult SimpleQuery()
        {
            string startwhere = string.Empty;
            string report     = Request.Form["report"];

            CommondController commond  = new CommondController(_db);
            string            sqlValue = commond.GetSqlValue(report, isFillter: false); /*TODO: isFillter:false SimpleQuery*/

            if (sqlValue.IsEmpty())
            {
                return(Content("no"));
            }
            string[]  keys = Request.Form.AllKeys;
            MYSQLInit init = new MYSQLInit();

            try
            {
                SimpleSqlInjectMethod(init, sqlValue, keys);

                int rowEf = commond.GetCount(sqlValue + init.GetCurrentSQL(), init.GetCurrentPara());
                if (0 == rowEf)
                {
                    return(Content("no"));
                }
            }
            catch (Exception ex)
            {
                BugLog.Write(ex.ToString());
                return(Content("error"));
            }

            Session["SqlValue"] = GetSimpleSql(report);
            return(Content("ok"));
        }
Beispiel #2
0
        public static MYSQLInit Insert(this MYSQLInit @this, string tableName, List <string> fields, List <MySqlParameter> para)
        {
            if (fields.Count != para.Count)
            {
                throw new ArgumentOutOfRangeException("字段列表跟值列表长度不一致");
            }

            @this.Builder.Insert(tableName, fields);

            @this.ParaList = para;

            return(@this);
        }
Beispiel #3
0
        public static MYSQLInit Insert(this MYSQLInit @this, string tableName, List <string> fields, List <object> values)
        {
            if (fields.Count != values.Count)
            {
                throw new ArgumentOutOfRangeException("字段列表跟值列表长度不一致");
            }
            @this.Builder.Insert(tableName, fields);
            int Index = 0;

            foreach (var item in fields)
            {
                @this.ParaList.Add(new MySqlParameter(item, values[Index++]));
            }

            return(@this);
        }
Beispiel #4
0
        public ActionResult ETaoPhoto(string Id /*= "040427cf-0cb9-4ef2-8379-5b63df38e98a"*/)
        {
            if (string.IsNullOrEmpty(Id))
            {
                return(View());
            }
            MYSQLInit Sql = new MYSQLInit();

            Sql.Append("select  idCardImg1 as 'F_idCard',idCardImg2 as 'B_idCard' ,license as 'License' , storeImg1 as 'Store_1', storeImg2  as 'Store_2' ,storeImg3 as 'Store_3' ,`name` ,phone,authenticId from etao_authentic");
            Sql.Where("authenticId =", Id);

            DataTable T = new CommondController(_db).GetDataTableWithParam(Sql.GetCurrentSQL(), Sql.GetCurrentPara());

            ETaoPhoto model = T.ConvertTo <ETaoPhoto>().FirstOrDefault();

            return(View(model));
        }
Beispiel #5
0
 public static MYSQLInit Update(this MYSQLInit @this, string name, string value)
 {
     @this.Builder.Set(name, value, @this.ParaList);
     return(@this);
 }
Beispiel #6
0
 public static MYSQLInit Limit(this MYSQLInit @this, string pageIndex, string pageSize)
 {
     @this.Builder.Limit(pageIndex, pageSize, @this.ParaList);
     return(@this);
 }
Beispiel #7
0
 public static MYSQLInit OrderBy(this MYSQLInit @this, string name, string type)
 {
     @this.Builder.OrderBy(name, type, @this.ParaList);
     return(@this);
 }
Beispiel #8
0
 public static MYSQLInit And(this MYSQLInit @this, string sql, object value, MySqlDbType dbType)
 {
     @this.Builder.And(sql, value, dbType, @this.ParaList);
     return(@this);
 }
Beispiel #9
0
 public static MYSQLInit Where(this MYSQLInit @this, string sql, object value)
 {
     @this.Builder.Where(sql, value, @this.ParaList);
     return(@this);
 }
Beispiel #10
0
 public static MYSQLInit Append(this MYSQLInit @this, string sql)
 {
     @this.Builder.AppendFormat(" {0} ", sql);
     return(@this);
 }
Beispiel #11
0
        private void SimpleSqlInjectMethod(MYSQLInit init, string sqlValue, string[] keys)
        {
            #region 遍历表单值  排除report 跟订单状态
            foreach (string name in keys)
            {
                if ("report" == name || "订单状态" == name || "__RequestVerificationToken" == name)
                {
                    continue;
                }
                if (name.Contains("日期1") && Request.Form[name].IsNotEmpty())
                {
                    var value = sqlValue.GetFieldSqlByName(name.Substring(0, name.Length - 1));
                    init.And(value + ">", Request.Form[name]);
                    continue;
                }
                if (name.Contains("日期2") && Request.Form[name].IsNotEmpty())
                {
                    DateTime endTime = DateTime.Parse(Request.Form[name]).AddDays(1);
                    var      dateStr = endTime.ToString("yyyy-MM-dd");
                    var      value   = sqlValue.GetFieldSqlByName(name.Substring(0, name.Length - 1));
                    init.And(value + "<", dateStr);
                    continue;
                }
                if (Request.Form[name].IsNotEmpty())
                {
                    var value = sqlValue.GetFieldSqlByName(name);
                    init.And(value + " like ", "%" + Request.Form[name] + "%");
                }
            }
            #endregion
            #region 遍历订单状态

            if (Request.Form["订单状态"].IsNotEmpty())   // keys.toStringMergeChar(',').Contains("订单状态")
            {
                var listValue  = Request.Form["订单状态"].toStringArray();
                var value      = sqlValue.GetFieldSqlByName("订单状态");
                int beginIndex = 500;
                init.Builder.AppendFormat(" and {0} in (", value);
                foreach (var item in listValue)
                {
                    var indexStr = (beginIndex++).ToString();
                    init.Builder.Append("?Para" + indexStr + ",");
                    init.ParaList.Add(new MySqlParameter("?Para" + indexStr, item));
                }
                init.Builder.Length = init.Builder.Length - 1;  // trim end , (去掉最后的 逗号)
                init.Builder.Append(")");
            }

            #endregion

            if (sqlValue.IndexOf("where", StringComparison.OrdinalIgnoreCase) < 0)
            {
                if (init.Builder.Length > 0)
                {
                    if (init.Builder.ToString().IndexOf("and", StringComparison.OrdinalIgnoreCase) > -1)
                    {
                        //trimStart and
                        init.Builder.Remove(init.Builder.ToString().IndexOf("and", StringComparison.OrdinalIgnoreCase), 3).Insert(0, " where ");
                    }
                }
            }
        }
Beispiel #12
0
        /// <summary>
        /// 解决注入 sql 攻击  高级搜索文本输入
        /// <autor>郑万庚</autor>
        /// </summary>
        /// <param name="sqlValue"></param>
        /// <param name="dic"></param>
        /// <param name="init"></param>
        private void SqlInjectMethod(string sqlValue, Dictionary <string, FormValue> dic, MYSQLInit init)
        {
            FormValue formValue = null;

            string[] intStr    = { "System.Single", "System.Double", "System.SByte", "System.Int32", "System.Int64", "System.UInt64", "System.Int16", "System.Int", "System.Decimal", "System.Single", "System.Double" };
            string   stringStr = "System.String";
            string   dateStr   = "System.DateTime";

            foreach (KeyValuePair <string, FormValue> item in dic)
            {
                var sqlField = "";
                formValue = item.Value;
                string key = item.Key;
                #region 时间
                if (key.Contains(dateStr))
                {
                    sqlField = formValue.DateExit ? sqlValue.GetFieldSqlByName(formValue.name) : (formValue.SecondData ? sqlValue.GetFieldSqlByName(formValue.name) : formValue.name);
                    if (formValue.DateExit && formValue.SecondData)
                    {
                        init.And(sqlField + " >", formValue.value);
                        init.And(sqlField + " <", formValue.maxDataTime);
                    }
                    else
                    {
                        if (formValue.DateExit)
                        {
                            init.And(sqlField + " >", formValue.value);
                        }
                        else if (formValue.SecondData)
                        {
                            init.And(sqlField + " <", formValue.maxDataTime);
                        }
                    }
                    continue;
                }
                #endregion

                #region 字符串
                if (key.Contains(stringStr))
                {
                    sqlField = formValue.DateExit ? sqlValue.GetFieldSqlByName(formValue.name) : formValue.name;
                    if (formValue.DateExit)
                    {
                        init.And(sqlField + " like", "%" + formValue.value + "%");
                    }
                    continue;
                }
                #endregion

                #region 数字
                if (intStr.InArray(key))
                {
                    sqlField = formValue.DateExit ? sqlValue.GetFieldSqlByName(formValue.name) : formValue.name;
                    if (formValue.DateExit)
                    {
                        if (formValue.operatorstr.IsNotEmpty())
                        {
                            init.And(sqlField + formValue.operatorstr, formValue.value);
                        }
                        else
                        {
                            init.And(sqlField + " like", "%" + formValue.value + "%");
                        }
                    }
                    continue;
                }
                #endregion
            }

            if (sqlValue.IndexOf("where", StringComparison.OrdinalIgnoreCase) < 0)
            {
                if (init.Builder.Length > 0)
                {
                    if (init.Builder.ToString().IndexOf("and", StringComparison.OrdinalIgnoreCase) > -1)
                    {
                        //trimStart and
                        init.Builder.Remove(init.Builder.ToString().IndexOf("and", StringComparison.OrdinalIgnoreCase), 3).Insert(0, " where ");
                    }
                }
            }
        }
Beispiel #13
0
        public ActionResult AdvancedQuery()
        {
            //高级查询 重新查询所有 (重要)
            string typeInt = "System.Int32System.Int64System.UInt64System.Int16System.IntSystem.DecimalSystem.SingleSystem.DoubleSystem.SByteSystem.Decima";
            string report  = Request.Form["report"];

            string[] ziduan  = Request.Form["ziduan"].Split(new char[] { ',' });
            string[] leixing = Request.Form["leixing"].Split(new char[] { ',' });
            Dictionary <string, FormValue> dic = new Dictionary <string, FormValue>();
            int i = 0;

            foreach (var item in ziduan)
            {
                FormValue fv = new FormValue {
                    name = ziduan[i], DateExit = true, value = Request.Form[ziduan[i]]
                };

                if (leixing[i] == "System.DateTime")
                {
                    #region System.DateTime
                    if (Request.Form[ziduan[i]].Trim() == string.Empty)
                    {
                        fv.DateExit = false;
                    }

                    if ((Request.Form[ziduan[i] + ziduan[i]]).Trim() == string.Empty)
                    {
                        fv.SecondData = false;
                    }
                    else
                    {
                        fv.SecondData = true;
                        string date = Request.Form[ziduan[i] + ziduan[i]];
                        fv.maxDataTime = DateTime.Parse(date).AddDays(1).ToString();
                    }
                    #endregion
                }
                else if (typeInt.Contains(leixing[i]))
                {
                    //存在运算符
                    if (Request.Form[ziduan[i]].Trim() == string.Empty)
                    {
                        fv.DateExit = false;
                    }
                    else
                    {
                        fv.operatorstr = Request.Form[ziduan[i] + "selectname"];
                    }
                }
                else
                {
                    if (Request.Form[ziduan[i]].Trim() == string.Empty)
                    {
                        fv.DateExit = false;
                    }
                }

                dic.Add(leixing[i] + i.ToString(), fv);
                i++;
            }
            CommondController commond = new CommondController(_db);
            string            sql     = commond.GetSqlValue(report, isFillter: false); /*TODO: isFillter:false AdvancedQuery*/

            if (sql.IsNotEmpty())
            {
                //old method
                //处理sql拼接
                //sqlString = GetSqlValue(sql, dic, Request.Form["title"]); //getSqlByDict(sql, dic);
                //var count=commond.GetCount(sqlString);
                //if (0 == count)
                //return Content("no");
                ////保存当前多条件查询的字符串
                //Session["SqlValue"] = sqlString;
                //return Content("ok");

                MYSQLInit sqlInit = new MYSQLInit();
                SqlInjectMethod(sql, dic, sqlInit);
                var listcount = commond.GetCount(sql + sqlInit.GetCurrentSQL(), sqlInit.GetCurrentPara());
                if (0 == listcount)
                {
                    return(Content("no"));
                }
                else
                {
                    Session["SqlValue"] = GetSqlValue(sql, dic, Request.Form["title"]);
                    return(Content("ok"));
                }
            }
            else
            {
                return(Content("no"));
            }
        }