改进聚合查询安全性

liu21st · liu21st · commit 43d3d95d2704 · 2018-10-18T18:17:50.000+08:00
diff --git a/ThinkPHP/Library/Think/Db/Driver.class.php b/ThinkPHP/Library/Think/Db/Driver.class.php
@@ -448,12 +448,12 @@ protected function bindParam($name, $value)
 
     /**
      * 字段和表名处理
-     * @access protected
+     * @access public
      * @param string $key
      * @param bool   $strict
      * @return string
      */
-    protected function parseKey($key, $strict = false)
+    public function parseKey($key, $strict = false)
     {
         return $key;
     }
diff --git a/ThinkPHP/Library/Think/Db/Driver/Mysql.class.php b/ThinkPHP/Library/Think/Db/Driver/Mysql.class.php
@@ -94,14 +94,19 @@ public function getTables($dbName = '')
 
     /**
      * 字段和表名处理
-     * @access protected
+     * @access public
      * @param string $key
      * @param bool   $strict
      * @return string
      */
-    protected function parseKey($key, $strict = false)
+    public function parseKey($key, $strict = false)
     {
         $key = trim($key);
+
+        if ($strict && !preg_match('/^[\w\.\*]+$/', $key)) {
+            E('not support data:' . $key);
+        }
+
         if ($strict || (!is_numeric($key) && !preg_match('/[,\'\"\*\(\)`.\s]/', $key))) {
             $key = '`' . $key . '`';
         }
diff --git a/ThinkPHP/Library/Think/Db/Driver/Sqlsrv.class.php b/ThinkPHP/Library/Think/Db/Driver/Sqlsrv.class.php
@@ -105,14 +105,19 @@ protected function parseOrder($order)
 
     /**
      * 字段和表名处理
-     * @access protected
+     * @access public
      * @param string $key
      * @param bool   $strict
      * @return string
      */
-    protected function parseKey($key, $strict = false)
+    public function parseKey($key, $strict = false)
     {
         $key = trim($key);
+
+        if ($strict && !preg_match('/^[\w\.\*]+$/', $key)) {
+            E('not support data:' . $key);
+        }
+
         if ($strict || (!is_numeric($key) && !preg_match('/[,\'\"\*\(\)\[.\s]/', $key))) {
             $key = '[' . $key . ']';
         }
diff --git a/ThinkPHP/Library/Think/Model.class.php b/ThinkPHP/Library/Think/Model.class.php
@@ -239,7 +239,7 @@ public function __call($method, $args)
         } elseif (in_array(strtolower($method), array('count', 'sum', 'min', 'max', 'avg'), true)) {
             // 统计查询的实现
             $field = isset($args[0]) ? $args[0] : '*';
-            return $this->getField(strtoupper($method) . '(' . $field . ') AS tp_' . $method);
+            return $this->getField(strtoupper($method) . '(' . $this->db->parseKey($field, true) . ') AS tp_' . $method);
         } elseif (strtolower(substr($method, 0, 5)) == 'getby') {
             // 根据某个字段获取记录
             $field         = parse_name(substr($method, 5));

Original file line number	Diff line number	Diff line change
`@@ -448,12 +448,12 @@ protected function bindParam($name, $value)`
`448`	`448`
`449`	`449`	`/**`
`450`	`450`	`* 字段和表名处理`
`451`		`- * @access protected`
	`451`	`+ * @access public`
`452`	`452`	`* @param string $key`
`453`	`453`	`* @param bool $strict`
`454`	`454`	`* @return string`
`455`	`455`	`*/`
`456`		`- protected function parseKey($key, $strict = false)`
	`456`	`+ public function parseKey($key, $strict = false)`
`457`	`457`	`{`
`458`	`458`	`return $key;`
`459`	`459`	`}`