From 5f3465124f1d38268d80596808cc515ac504a2df Mon Sep 17 00:00:00 2001
From: lixxxww <941403820@qq.com>
Date: Mon, 22 Jan 2024 10:23:00 +0000
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DSQL=E6=B3=A8=E5=85=A5?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: lixxxww <941403820@qq.com>
---
 pkg/tdengine/tdengine_table.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/pkg/tdengine/tdengine_table.go b/pkg/tdengine/tdengine_table.go
index 5084c76..4643d85 100644
--- a/pkg/tdengine/tdengine_table.go
+++ b/pkg/tdengine/tdengine_table.go
@@ -22,17 +22,19 @@ func (s *TdEngine) InsertDevice(deviceKey string, data map[string]interface{}) e
 }
 var (
- field = []string{}
- value = []string{}
+ field []string
+ value []interface{}
+ placeholders []string
 )
 for k, v := range data {
 field = append(field, k)
- value = append(value, "'"+kgo.KConv.ToStr(v)+"'")
+ value = append(value, kgo.KConv.ToStr(v))
+ placeholders = append(placeholders, "?")
 }
- // 存在sql注入隐患,在之后的提交修复
- sql := "INSERT INTO ? (?) VALUES (?)"
- _, err := s.db.Exec(sql, strings.ToLower(deviceKey), strings.Join(field, ","), strings.Join(value, ","))
+
+ sql := fmt.Sprintf("INSERT INTO %s (%s) VALUES (%s)", strings.ToLower(deviceKey), strings.Join(field, ","), strings.Join(placeholders, ","))
+ _, err := s.db.Exec(sql, value...)
 return err
 }