修复设备创建数据时的sql注入隐患

Signed-off-by: lixxxww <941403820@qq.com>
lixxxww
2024-01-22 03:21:35 +00:00
committed by Gitee
parent d21e184024
commit cc320ca49d


@@ -15,22 +15,25 @@ func (s *TdEngine) RunSql(sql string) (err error) {
}
// InsertDevice 数据入库
func (s *TdEngine) InsertDevice(deviceKey string, data map[string]any) (err error) {
func (s *TdEngine) InsertDevice(deviceKey string, data map[string]interface{}) (err error) {
if len(data) == 0 {
return
}
var (
field = []string{}
value = []string{}
value = []interface{}{}
placeholders = []string{}
)
for k, v := range data {
field = append(field, k)
value = append(value, "'"+kgo.KConv.ToStr(v)+"'")
value = append(value, v)
placeholders = append(placeholders, "?")
}
sql := "INSERT INTO ? (?) VALUES (?)"
_, err = s.db.Exec(sql, strings.ToLower(deviceKey), strings.Join(field, ","), strings.Join(value, ","))
sql := fmt.Sprintf("INSERT INTO %s (%s) VALUES (%s)", strings.ToLower(deviceKey), strings.Join(field, ","), strings.Join(placeholders, ","))
_, err = s.db.Exec(sql, value...)
return
}
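Review bot: The table name and the column names are still concatenated into the statement by `fmt.Sprintf` in the new `sql :=` line, so this change binds only the values; `deviceKey` and every key of `data` reach the SQL text unchecked. Placeholders cannot stand in for identifiers, so these need validation rather than binding: reject any key that fails a strict identifier pattern before the loop appends it, e.g. `if !identRe.MatchString(k) { return fmt.Errorf("invalid field name %q", k) }` with `var identRe = regexp.MustCompile("^[A-Za-z_][A-Za-z0-9_]*$")` at package scope, and apply the same check to `deviceKey`. If the keys of `data` come from device-reported payloads (not visible in this hunk), checking them against the device's declared property list would be stronger still. A short comment on InsertDevice stating that identifiers are validated and values are bound would help keep later edits from reintroducing concatenation.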