doomiwork 2.9.3 → 3.0.0

@@ -4,7 +4,7 @@
4
4
  * Author : Stephen.Shen
5
5
  */
6
6
 
7
- var dao = require('./mysqlbase');
7
+ const dao = require('./mysqlbase');
8
8
 
9
9
  class mysqlDao extends dao{
10
10
  /**
@@ -2,10 +2,10 @@
2
2
  * MySql 封装 (简单,应该尚未完善)
3
3
  */
4
4
  //var mysql = require('mysql');
5
- var apiResult = require('../actionresult');
5
+ const apiResult = require('../actionresult');
6
6
  const logHelper = require('doomi-helper').logHelper;
7
- //const appsetting = require('../../configuration/appsetting').getCurrentApp();
8
7
  const PoolManager = require('./poolmanager')
8
+ const mysql = require('mysql');
9
9
  class Database {
10
10
  /**
11
11
  *
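Review bot: The new `const mysql = require('mysql');` is added a few lines below the stale `//var mysql = require('mysql');` comment that is kept as context, so the file now carries a dead commented require directly contradicting the live one; drop the commented line in the same change. This is a style point only; the require itself is consistent with the `const` style the commit is moving to.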
@@ -17,6 +17,13 @@ class Database {
17
17
  //mysql.createPool(appsetting.getConnection(connectionstring || 'dev'));
18
18
  this.logger = logHelper.getInstance().getLogger("framework");
19
19
  }
20
+ /**
21
+ * 防Sql注入进行编码
22
+ * @param {*} value
23
+ */
24
+ escape(value){
25
+ return mysql.escape(value);
26
+ }
20
27
  /**
21
28
  * 不事务执行SQL命令
22
29
  * @param {*} sqlCommand
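Review bot: The new `escape(value)` wrapper forwards straight to `mysql.escape`, and per the driver's documented behaviour that quotes strings but expands arrays to `'a', 'b'` lists and objects to `key = val` pairs, so a caller that splices the result where a single scalar is expected gets no protection against a JSON body that supplies an array or object; the wrapper should be documented as values-only, with identifiers going through `mysql.escapeId` and `?` placeholders preferred where the calling code can use them. The JSDoc should also say that string results already carry their quotes, e.g. `/** Escape one scalar value for interpolation into SQL text. Strings come back quoted; not for identifiers (see mysql.escapeId) or for arrays/objects, which expand to multiple tokens. */`. `class Database` begins before this hunk and its body continues after it.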
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "doomiwork",
3
- "version": "2.9.3",
3
+ "version": "3.0.0",
4
4
  "description": "doomisoft nodejs web framework",
5
5
  "main": "index.js",
6
6
  "scripts": {
@@ -32,10 +32,11 @@ class RequestParser {
32
32
  let keyValue =utility.ifNull(keyParse.parseKeyValue(req,ele.substring(1,ele.length-1)),'');
33
33
  if(keyValue=='') {
34
34
  parseKeyWordIsNull = true;
35
- }else{
35
+ }else if (typeof(keyValue)==='string'){
36
36
  keyValue = mysql.escape(keyValue)
37
37
  keyValue = keyValue.substr(1, keyValue.length - 2)
38
38
  }
39
+
39
40
  sql=sql.replace(ele,keyValue);
40
41
  });
41
42
  if (!allowNull && parseKeyWordIsNull) return '';
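Review bot: The new `typeof(keyValue)==='string'` guard lets any non-string value returned by `keyParse.parseKeyValue` — an array or object from a JSON body, for instance — skip `mysql.escape` entirely and still be spliced into `sql` by `sql.replace(ele,keyValue)`, where an array coerces to a comma-joined string of its raw elements; before this change such values were at least run through the escaper. Only finite numbers are safe to pass through unescaped, so everything else should be treated as a missing key. The context line `sql.replace(ele,keyValue)` also uses a string replacement, so `$&`, `` $` `` and `$'` inside an escaped value are expanded by `String.prototype.replace` and can copy surrounding SQL text (including its quote characters) into the literal; a function replacement sidesteps that. The `forEach` callback enclosing these lines starts before the hunk.
```javascript
if(keyValue=='') {
    parseKeyWordIsNull = true;
}else if (typeof keyValue === 'number' && Number.isFinite(keyValue)){
    keyValue = String(keyValue);
}else if (typeof keyValue === 'string'){
    keyValue = mysql.escape(keyValue)
    keyValue = keyValue.substr(1, keyValue.length - 2)
}else{
    // arrays/objects (e.g. from a JSON body) are not a single scalar: treat as absent
    parseKeyWordIsNull = true;
}
// function replacement: '$&', '$`' and "$'" in the value are not expanded
sql=sql.replace(ele,()=>keyValue);
```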
@@ -58,9 +59,18 @@ class RequestParser {
58
59
  ///确认是否是需要导出Excel
59
60
  const export2Excel =(req.query.exportexcel+"").toLowerCase()==="true";
60
61
  req.page = req.query.page || req.body.page|| 1;
61
- req.pageSize = req.query.rows || req.body.rows || 2000;
62
+ req.pageSize = req.query.rows || req.body.rows || 100;
62
63
  req.sort = req.query.sort || req.body.sort;
63
-
64
+ //防止注入式Sql
65
+ if (isNaN(req.pageSize)){
66
+ req.pageSize = 30;
67
+ }
68
+ //防止注入式Sql
69
+ if (isNaN(req.page)) {
70
+ req.page = 1;
71
+ }
72
+ ///最大允许获取100条数据
73
+ req.pageSize = Math.min(req.pageSize,100);
64
74
  req.order =req.sort? utility.ifNull((req.body.order == null ? req.query.order : req.body.order), ""):'';
65
75
  if (dataKey) {
66
76
  req.dataConfig = dataconfig.getConfig(dataKey,cfgType);
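Review bot: `isNaN(req.pageSize)` and `isNaN(req.page)` only reject values that coerce to NaN, so `'1e3'`, `'0x10'`, `' '`, `'-5'`, `'1.5'` and `[]` all pass and reach `Math.min(req.pageSize,100)` or the later offset arithmetic as 0, negative or fractional numbers — at best a MySQL syntax error in the limit/offset clause, at worst an unexpected result (`[]` becomes a page size of 0). The comment `防止注入式Sql` oversells the check: it narrows the type but does not change how the value is interpolated. Parse both as positive integers instead, and collapse the inconsistent fallback (NaN → 30, absent → 100) into one documented default unless the difference is intentional. The enclosing method starts and ends outside the hunk.
```javascript
// … unchanged: export2Excel …
// positive integers only: parseInt reads leading digits, so '0x10', whitespace-only and
// non-numeric values become NaN and fall back; 0, negatives and fractions are rejected below
const rowsParam = Number.parseInt(req.query.rows || req.body.rows, 10);
req.pageSize = Number.isInteger(rowsParam) && rowsParam > 0 ? Math.min(rowsParam, 100) : 100;
const pageParam = Number.parseInt(req.query.page || req.body.page, 10);
req.page = Number.isInteger(pageParam) && pageParam > 0 ? pageParam : 1;
req.sort = req.query.sort || req.body.sort;
// … unchanged: req.order, dataConfig lookup …
```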
@@ -107,28 +117,6 @@ class RequestParser {
107
117
  this.parseAndReplaceSql(req,countsql),
108
118
  req.searchCondition)+';'
109
119
  }
110
- // switch (req.sqltype) {
111
- // case 'sql':
112
- // ///客户端调用时是否传递一些 特殊的过滤方式
113
- // req.listSql =this.parseAndReplaceSql(req,req.dataConfig.list.sql) +
114
- // ' ' + req.searchCondition + clientFilter +
115
- // (utility.isNullOrEmpty(req.sort) ? '' : (' order by ' + (req.sort+' '+req.order))) +
116
- // (export2Excel?'':' limit ' + req.pageSize + ' OFFSET ' + (req.page - 1) * req.pageSize) +
117
- // /////在Sql中再放入获取总记录数的语句
118
- // ';SELECT FOUND_ROWS() AS total;';
119
- // if (req.dataConfig.list.countsql){
120
- // req.countSql = this.appendSearchCondition2Count(
121
- // this.parseAndReplaceSql(req,req.dataConfig.list.countsql),
122
- // req.searchCondition
123
- // )
124
- // req.listSql+=req.countSql +';';
125
- // }
126
- // break;
127
- // ////来自DAO对象的属性
128
- // ////一般较复杂的SQL写在DAO对象的constantSql属性中
129
- // case 'property':
130
- // break;
131
- // }
132
120
  }
133
121
  }
134
122
  }