You signed in with another tab or window.Reload to refresh your session.You signed out in another tab or window.Reload to refresh your session.You switched accounts on another tab or window.Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: server/api-service/lowcoder-plugins/sqlBasedPlugin/src/main/java/org/lowcoder/plugin/sql/GeneralSqlExecutor.java
+40Lines changed: 40 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -148,6 +148,46 @@ private Pair<Statement, Boolean> getStatementAndExecute(Connection connection, S
148
148
if (statementInput.isPreparedStatement()) {
149
149
Stringsql =statementInput.getSql();
150
150
List<Object>params =statementInput.getParams();
151
+
152
+
intorderByIndex = -1;
153
+
StringsortValue =null;
154
+
for (inti =0;i <params.size();i++) {
155
+
Objectparam =params.get(i);
156
+
if (paraminstanceofMap<?, ?>map &&map.containsKey("sort")) {
157
+
orderByIndex =i;// Index of the ? to replace (0-based)
158
+
sortValue =String.valueOf(map.get("sort"));// e.g., "ASC" or "DESC"
159
+
break;
160
+
}
161
+
}
162
+
163
+
if (orderByIndex >=0 &&sortValue !=null) {
164
+
// Validate sortValue to prevent SQL injection
165
+
if (!sortValue.equalsIgnoreCase("ASC") && !sortValue.equalsIgnoreCase("DESC")) {
166
+
sortValue ="ASC";// Default to ASC if invalid
167
+
}
168
+
169
+
// Split the SQL at the ? placeholders
170
+
String[]sqlParts =sql.split("\\?", -1);
171
+
if (orderByIndex <sqlParts.length -1) {
172
+
// Rebuild the SQL, replacing the ? at orderByIndex with sortValue
173
+
StringBuildernewSql =newStringBuilder();
174
+
for (inti =0;i <sqlParts.length;i++) {
175
+
newSql.append(sqlParts[i]);
176
+
if (i <sqlParts.length -1) {
177
+
if (i ==orderByIndex) {
178
+
newSql.append(sortValue);// Insert ASC or DESC
179
+
}else {
180
+
newSql.append("?");// Keep other placeholders
181
+
}
182
+
}
183
+
}
184
+
sql =newSql.toString();
185
+
186
+
// Remove the Map from params since it's no longer a bind parameter