【优化】移除2个orderBy使用的sql组合方法参数,移除4个仓储基类的所有sql组合方法,全部使用参数化提交,防止出现可能存在的sql注入。

This commit is contained in:
jianweie code
2024-01-17 20:02:06 +08:00
parent f16797adb5
commit a6e345a48b
15 changed files with 77 additions and 883 deletions


@@ -193,7 +193,7 @@ namespace CoreCms.Net.Repository
obj.points = p.points;
obj.isDefalut = p.isDefalut;
obj.isDel = false;
obj.images=p.images;
obj.images = p.images;
products.Add(obj);
var pd = new CoreCmsProductsDistribution();
@@ -1671,13 +1671,11 @@ namespace CoreCms.Net.Repository
/// 重写根据条件及自定义排序查询分页数据返回DTO
/// </summary>
/// <param name="predicate"></param>
/// <param name="orderBy"></param>
/// <param name="pageIndex">当前页面索引</param>
/// <param name="pageSize">分布大小</param>
/// <param name="blUseNoLock">是否使用WITH(NOLOCK)</param>
/// <returns></returns>
public async Task<IPageList<GoodListDTO>> QueryPageByDTOAsync(Expression<Func<GoodListDTO, bool>> predicate, string orderBy = "",
int pageIndex = 1, int pageSize = 20, bool blUseNoLock = false)
public async Task<IPageList<GoodListDTO>> QueryPageByDTOAsync(Expression<Func<GoodListDTO, bool>> predicate, int pageIndex = 1, int pageSize = 20, bool blUseNoLock = false)
{
RefAsync<int> totalCount = 0;
List<GoodListDTO> page;
@@ -1720,7 +1718,7 @@ namespace CoreCms.Net.Repository
.With(SqlWith.NoLock)
.MergeTable()
.Where(predicate)
.OrderBy(orderBy)
.OrderBy(it => SqlFunc.Desc(it.isRecommend)).OrderBy(it => SqlFunc.Desc(it.isHot))
.ToPageListAsync(pageIndex, pageSize, totalCount);
}
else
@@ -1761,7 +1759,7 @@ namespace CoreCms.Net.Repository
})
.MergeTable()
.Where(predicate)
.OrderBy(orderBy)
.OrderBy(it => SqlFunc.Desc(it.isRecommend)).OrderBy(it => SqlFunc.Desc(it.isHot))
.ToPageListAsync(pageIndex, pageSize, totalCount);
}
var list = new PageList<GoodListDTO>(page, pageIndex, pageSize, totalCount);
@@ -1783,7 +1781,7 @@ namespace CoreCms.Net.Repository
/// <param name="pageSize">分布大小</param>
/// <param name="blUseNoLock">是否使用WITH(NOLOCK)</param>
/// <returns></returns>
public async Task<IPageList<CoreCmsGoods>> QueryAgentGoodsPageAsync(Expression<Func<CoreCmsGoods, bool>> predicate, string orderBy = "",
public async Task<IPageList<CoreCmsGoods>> QueryAgentGoodsPageAsync(Expression<Func<CoreCmsGoods, bool>> predicate,
int pageIndex = 1, int pageSize = 20, bool blUseNoLock = false)
{
RefAsync<int> totalCount = 0;
@@ -1840,7 +1838,7 @@ namespace CoreCms.Net.Repository
.With(SqlWith.NoLock)
.MergeTable()
.Where(predicate)
.OrderBy(orderBy)
.OrderBy(it => SqlFunc.Desc(it.isRecommend)).OrderBy(it => SqlFunc.Desc(it.isHot))
.ToPageListAsync(pageIndex, pageSize, totalCount);
}
else
@@ -1894,7 +1892,7 @@ namespace CoreCms.Net.Repository
})
.MergeTable()
.Where(predicate)
.OrderBy(orderBy)
.OrderBy(it => SqlFunc.Desc(it.isRecommend)).OrderBy(it => SqlFunc.Desc(it.isHot))
.ToPageListAsync(pageIndex, pageSize, totalCount);
}
var list = new PageList<CoreCmsGoods>(page, pageIndex, pageSize, totalCount);
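Review bot: The XML doc for QueryPageByDTOAsync still carries `/// <param name="orderBy"></param>` as an unchanged line above the new signature although the parameter is gone, which leaves a misleading doc entry and a CS1572 warning; delete that line, and check for the same stale tag above the QueryAgentGoodsPageAsync hunk, whose doc block starts outside what is shown here. Pinning the ordering to `isRecommend DESC, isHot DESC` is the right way to close the raw-string ORDER BY path, but both keys are low-cardinality flags, so tied rows come back in an unspecified order and a row can land on two pages or on none; appending a unique column as a final `.OrderBy(it => SqlFunc.Desc(...))` tiebreaker would make the paging stable (this assumes SqlSugar appends chained OrderBy calls rather than replacing the earlier one, which the two-call form already relies on). If callers still need to pick a sort, expose it as an enum mapped to fixed expressions rather than reintroducing a string. Both method bodies extend beyond the hunks shown.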