【优化】移除2个orderBy使用的sql组合方法参数，移除4个仓储基类的所有sql组合方法，全部使用参数化提交，防止出现可能存在的sql注入。

2025-12-06 19:13:26 +08:00 · 2024-01-17 20:02:06 +08:00
parent f16797adb5
commit a6e345a48b
15 changed files with 77 additions and 883 deletions
--- a/CoreCms.Net.Services/Shop/CoreCmsPagesServices.cs
+++ b/CoreCms.Net.Services/Shop/CoreCmsPagesServices.cs
@@ -197,21 +197,21 @@ namespace CoreCms.Net.Services
                                    var result = JArray.Parse(parameters["list"].ToString());
                                    var noticeIds = result.Select(ss => ((JObject)ss)["id"].ObjectToInt(0)).Where(noticeId => noticeId > 0).ToList();
                                    where = where.And(p => noticeIds.Contains(p.id));
-                                    if (noticeIds.Any())
-                                    {
-                                        noticeIdsStr = string.Join(",", noticeIdsStr);
-                                        //按照固定的序列id进行排序
-                                        if (AppSettingsConstVars.DbDbType == DbType.SqlServer.ToString())
-                                        {
-                                            orderBy = " CHARINDEX(RTRIM(CAST(id as NCHAR)),'" + noticeIdsStr + "') ";
-                                        }
-                                        else if (AppSettingsConstVars.DbDbType == DbType.MySql.ToString())
-                                        {
-                                            orderBy = " find_in_set(id,'" + noticeIdsStr + "') ";
-                                        }
-                                    }
+                                    //if (noticeIds.Any())
+                                    //{
+                                    //    noticeIdsStr = string.Join(",", noticeIdsStr);
+                                    //    //按照固定的序列id进行排序
+                                    //    if (AppSettingsConstVars.DbDbType == DbType.SqlServer.ToString())
+                                    //    {
+                                    //        orderBy = " CHARINDEX(RTRIM(CAST(id as NCHAR)),'" + noticeIdsStr + "') ";
+                                    //    }
+                                    //    else if (AppSettingsConstVars.DbDbType == DbType.MySql.ToString())
+                                    //    {
+                                    //        orderBy = " find_in_set(id,'" + noticeIdsStr + "') ";
+                                    //    }
+                                    //}
                                }
-                                var notices = await _noticeServices.QueryListByClauseAsync(where, orderBy);
+                                var notices = await _noticeServices.QueryListByClauseAsync(where, p => p.createTime, OrderByType.Desc);
                                if (notices != null && notices.Any())
                                {
                                    var result = JArray.FromObject(notices);