From dfc4089cc17d5182227088d596940dbc9d718d50 Mon Sep 17 00:00:00 2001
From: junjun
Date: Wed, 8 Apr 2026 14:31:56 +0800
Subject: [PATCH] fix: SQL Injection via Stacked Queries
---
 .../src/main/java/io/dataease/datasource/type/Mysql.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java
index 1752e04c64..4c50c30f8d 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java
@@ -15,7 +15,7 @@ import java.util.List;
 public class Mysql extends DatasourceConfiguration {
 private String driver = "com.mysql.cj.jdbc.Driver";
 private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";
- private List illegalParameters = Arrays.asList("maxAllowedPacket", "autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath");
+ private List illegalParameters = Arrays.asList("maxAllowedPacket", "autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath", "allowMultiQueries");
 private List showTableSqls = Arrays.asList("show tables");
 public String getJdbc() {
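Review bot: Adding `allowMultiQueries` to `illegalParameters` extends a denylist that guards user-supplied `extraParams`, and the list already mixes spellings (`allowloadlocalinfile` next to `allowLoadLocalInfileInPath`), which suggests the comparison that consumes it is sensitive to how a key is written; that consumer is outside this hunk, so confirm it normalises case (and any URL encoding) of the key before matching, otherwise the same property can still reach the driver under a different spelling. A denylist of driver properties is inherently incomplete; a more durable fix is an allowlist of the few connection properties the product actually needs, with everything else rejected, and this should be recorded on the field with a comment such as `// Connector/J properties that must never be taken from user-supplied extraParams; keep in sync with the check that applies this list`. On a point of style, the changed line still declares the field as a raw `List`; since every element is a string literal, `private List<String> illegalParameters = Arrays.asList(...)` removes the unchecked cast at the consumer. The hunk header counts seven context lines on each side but only six are visible here, so a blank line was probably lost in capture.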
@@ -32,12 +32,12 @@ public class Mysql extends DatasourceConfiguration {
 }
 String jdbcUrl = "";
 if (StringUtils.isEmpty(extraParams.trim())) {
- jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE"
+ jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE"
 .replace("HOSTNAME", getLHost().trim())
 .replace("PORT", getLPort().toString().trim())
 .replace("DATABASE", getDataBase().trim());
 } else {
- jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
+ jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
 .replace("HOSTNAME", getLHost().trim())
 .replace("PORT", getLPort().toString().trim())
 .replace("DATABASE", getDataBase().trim())
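Review bot: The removed and added `jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE"` and `jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"` lines are textually identical as captured here, so the two insertions the diffstat attributes to this hunk are not visible; either the change is whitespace-only, which does not belong in a commit titled as a security fix, or the intended edit to the URL template was lost and should be restated so reviewers can see what the fix actually pins. Whatever the intent, the `else` branch still splices the user-controlled `extraParams` string into the connection URL, so the `illegalParameters` denylist from the first hunk remains the only guard on that path, and that dependency deserves a comment on the `else` line such as `// extraParams is user input: validated against illegalParameters before reaching this point — do not remove that check`. The `else` branch's statement continues past the hunk (its last visible line has no terminating `;`), and `getJdbc()` begins before the hunk.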