@@ -66,6 +66,19 @@ public object ExecFunc(string funcname, object[] param, Type[] types)
6666return result ;
6767}
6868
69+ private string ToSql ( string subtable , int page , int count , int query , string json )
70+ {
71+ JObject values = JObject . Parse ( json ) ;
72+ page = values [ "page" ] == null ? page : int . Parse ( values [ "page" ] . ToString ( ) ) ;
73+ count = values [ "count" ] == null ? count : int . Parse ( values [ "count" ] . ToString ( ) ) ;
74+ query = values [ "query" ] == null ? query : int . Parse ( values [ "query" ] . ToString ( ) ) ;
75+ values . Remove ( "page" ) ;
76+ values . Remove ( "count" ) ;
77+ subtable = _tableMapper . GetTableName ( subtable ) ;
78+ var tb = sugarQueryable ( subtable , "*" , values , null ) ;
79+ var xx = tb . Skip ( ( page - 1 ) * count ) . Take ( 10 ) . ToSql ( ) ;
80+ return xx . Key ;
81+ }
6982/// <summary>
7083///
7184/// </summary>
@@ -187,8 +200,9 @@ public JObject Query(string queryJson)
187200/// 单表查询
188201/// </summary>
189202/// <param name="queryObj"></param>
203+ /// <param name="nodeName">返回数据的节点名称 默认为 infos</param>
190204/// <returns></returns>
191- public JObject QuerySingle ( JObject queryObj )
205+ public JObject QuerySingle ( JObject queryObj , string nodeName = "infos" )
192206{
193207JObject resultObj = new JObject ( ) ;
194208resultObj . Add ( "code" , "200" ) ;
@@ -202,7 +216,7 @@ public JObject QuerySingle(JObject queryObj)
202216
203217if ( key . EndsWith ( "[]" ) )
204218{
205- total = QuerySingleList ( resultObj , item , "Infos" ) ;
219+ total = QuerySingleList ( resultObj , item , nodeName ) ;
206220}
207221else if ( key . Equals ( "func" ) )
208222{
@@ -222,6 +236,25 @@ public JObject QuerySingle(JObject queryObj)
222236return resultObj ;
223237}
224238
239+ /// <summary>
240+ /// 获取查询语句
241+ /// </summary>
242+ /// <param name="queryObj"></param>
243+ /// <returns></returns>
244+ public string ToSql ( JObject queryObj )
245+ {
246+ foreach ( var item in queryObj )
247+ {
248+ string key = item . Key . Trim ( ) ;
249+
250+ if ( key . EndsWith ( "[]" ) )
251+ {
252+ return ToSql ( item ) ;
253+ }
254+ }
255+ return string . Empty ;
256+ }
257+
225258/// <summary>
226259/// 解析并查询
227260/// </summary>
@@ -284,6 +317,7 @@ private int QuerySingleList(JObject resultObj, KeyValuePair<string, JToken> item
284317int total = 0 ;
285318
286319jb . Remove ( "page" ) ; jb . Remove ( "count" ) ; jb . Remove ( "query" ) ;
320+
287321var htt = new JArray ( ) ;
288322foreach ( var t in jb )
289323{
@@ -307,6 +341,23 @@ private int QuerySingleList(JObject resultObj, KeyValuePair<string, JToken> item
307341return total ;
308342}
309343
344+ private string ToSql ( KeyValuePair < string , JToken > item )
345+ {
346+ string key = item . Key . Trim ( ) ;
347+ var jb = JObject . Parse ( item . Value . ToString ( ) ) ;
348+ int page = jb [ "page" ] == null ? 0 : int . Parse ( jb [ "page" ] . ToString ( ) ) ;
349+ int count = jb [ "count" ] == null ? 10 : int . Parse ( jb [ "count" ] . ToString ( ) ) ;
350+ int query = jb [ "query" ] == null ? 0 : int . Parse ( jb [ "query" ] . ToString ( ) ) ;
351+
352+ jb . Remove ( "page" ) ; jb . Remove ( "count" ) ; jb . Remove ( "query" ) ;
353+ var htt = new JArray ( ) ;
354+ foreach ( var t in jb )
355+ {
356+ return ToSql ( t . Key , page , count , query , t . Value . ToString ( ) ) ;
357+ }
358+
359+ return string . Empty ;
360+ }
310361//单表查询
311362private int QuerySingleList ( JObject resultObj , KeyValuePair < string , JToken > item )
312363{
@@ -495,7 +546,13 @@ private void ProcessColumn(string subtable, string selectrole, JObject values, I
495546if ( colName == "*" || int . TryParse ( colName , out int colNumber ) || ( IsCol ( subtable , colName ) && _identitySvc . ColIsRole ( colName , selectrole . Split ( ',' ) ) ) )
496547{
497548if ( ziduan . Length > 1 )
498- str . Append ( ziduan [ 0 ] + " as " + ziduan [ 1 ] + "," ) ;
549+ {
550+ if ( ziduan [ 1 ] . Length > 20 )
551+ {
552+ throw new Exception ( "别名不能超过20个字符" ) ;
553+ }
554+ str . Append ( ziduan [ 0 ] + " as " + ReplaceSQLChar ( ziduan [ 1 ] ) + "," ) ;
555+ }
499556else
500557str . Append ( ziduan [ 0 ] + "," ) ;
501558
@@ -744,5 +801,40 @@ private void FuzzyQuery(string subtable, List<IConditionalModel> conModels, KeyV
744801conModels . Add ( new ConditionalModel ( ) { FieldName = vakey . TrimEnd ( '$' ) , ConditionalType = conditionalType , FieldValue = fieldValue . TrimEnd ( "%" . ToArray ( ) ) . TrimStart ( "%" . ToArray ( ) ) } ) ;
745802}
746803}
804+
805+ public string ReplaceSQLChar ( string str )
806+ {
807+ if ( str == String . Empty )
808+ return String . Empty ;
809+ str = str . Replace ( "'" , "" ) ;
810+ str = str . Replace ( ";" , "" ) ;
811+ str = str . Replace ( "," , "" ) ;
812+ str = str . Replace ( "?" , "" ) ;
813+ str = str . Replace ( "<" , "" ) ;
814+ str = str . Replace ( ">" , "" ) ;
815+ str = str . Replace ( "(" , "" ) ;
816+ str = str . Replace ( ")" , "" ) ;
817+ str = str . Replace ( "@" , "" ) ;
818+ str = str . Replace ( "=" , "" ) ;
819+ str = str . Replace ( "+" , "" ) ;
820+ str = str . Replace ( "*" , "" ) ;
821+ str = str . Replace ( "&" , "" ) ;
822+ str = str . Replace ( "#" , "" ) ;
823+ str = str . Replace ( "%" , "" ) ;
824+ str = str . Replace ( "$" , "" ) ;
825+ str = str . Replace ( "\" " , "" ) ;
826+
827+ //删除与数据库相关的词
828+ str = Regex . Replace ( str , "delete from" , "" , RegexOptions . IgnoreCase ) ;
829+ str = Regex . Replace ( str , "drop table" , "" , RegexOptions . IgnoreCase ) ;
830+ str = Regex . Replace ( str , "truncate" , "" , RegexOptions . IgnoreCase ) ;
831+ str = Regex . Replace ( str , "xp_cmdshell" , "" , RegexOptions . IgnoreCase ) ;
832+ str = Regex . Replace ( str , "exec master" , "" , RegexOptions . IgnoreCase ) ;
833+ str = Regex . Replace ( str , "net localgroup administrators" , "" , RegexOptions . IgnoreCase ) ;
834+ str = Regex . Replace ( str , "net user" , "" , RegexOptions . IgnoreCase ) ;
835+ str = Regex . Replace ( str , "-" , "" , RegexOptions . IgnoreCase ) ;
836+ str = Regex . Replace ( str , "truncate" , "" , RegexOptions . IgnoreCase ) ;
837+ return str ;
838+ }
747839}
748840}