防止sql注入

3 years ago · 9e6042d17c
2 changed files with 31 additions and 14 deletions
--- a/source/application/api/controller/pass/Passcc.php
+++ b/source/application/api/controller/pass/Passcc.php
@ -93,8 +93,8 @@ class Passcc extends Controller
     */
    public function getPassHoursData()
    {
-        $groupsId = $this->request->param('groupsId') ?: '';
+        $type = $this->request->param('type') ?: '';
-        $data = PassFlow::getPassHoursData(null,['groupsId' => $groupsId]);
+        $data = PassFlow::getPassHoursData(null,['type' => $type]);
        return $this->renderSuccess(compact('data'));
    }
 }
--- a/source/application/common/logic/PassFlow.php
+++ b/source/application/common/logic/PassFlow.php
@ -6,6 +6,17 @@ use app\common\dm\Dm;
 class PassFlow
 {
    protected static $groupType = [1,2];# 1 = 体育 2 = 文化
    protected static function getGroupIds($dm,$type = 1)
    {
        $groupIdArr = [];
        $result = $dm->select('bt_passenger_monitor_group',['type' => $type]);
        foreach ($result as $row) {
            $groupIdArr[] = $row['groupId'];
        }
        return $groupIdArr;
    }
    /**
     * 分时时间段接口      <首页-客流趋势>
     * @return array
@ -17,14 +28,16 @@ class PassFlow
    {
        $granularity = $param['granularity'];
-        $groupsId    = $param['groupsId'];
+        $type    = $param['type'];
        if (empty($granularity)) return ['code' => 0, 'msg' => '缺少参数：granularity'];
        $where = '';
-        if (!empty($groupsId)) {
+        $groupsId = '';
-            $garr  = explode("|", $groupsId);
+        if (!empty($type)) {
-            $where .= ' "groupId" in(' . "'" . implode("','", $garr) . "')";
+            if (!in_array($type,self::$groupType)) return ['code' => 0, 'msg' => 'type字段参数错误'];
-
+            $groupsIdArr = self::getGroupIds($dm,$type);
            $groupsId = implode("|",$groupsIdArr);
            $where .= ' "groupId" in(' . "'" . implode("','", $groupsIdArr) . "')";
        }
        $allTimeData = [];
@ -251,8 +264,9 @@ class PassFlow
        if (empty($dm)) $dm = new Dm();
        $paramWhere = '';
        if (!empty($param)) {
-            if (!empty($param['groupsId'])) {
+            if (!empty($param['type'])) {
-                $groupsId = explode("|",$param['groupsId']);
+                if (!in_array($param['type'],self::$groupType)) return ['code' => 0, 'msg' => 'type字段参数错误'];
                $groupsId = self::getGroupIds($dm,$param['type']);
                $paramWhere .= ' and "groupId" in (' . "'" . implode("','",$groupsId) . "')";
            }
        }
@ -394,9 +408,11 @@ class PassFlow
        $where = ' "granularity"='."'hourly' ";
        $groupsWhere = null;
        $groupsId = [];
        if (!empty($param)) {
-            if (!empty($param['groupsId'])) {
+            if (!empty($param['type'])) {
-                $groupsId = explode("|",$param['groupsId']);
+                if (!in_array($param['type'],self::$groupType)) return ['code' => 0, 'msg' => 'type字段参数错误'];
                $groupsId = self::getGroupIds($dm,$param['type']);
                $groupsWhere = ['groupId' => $groupsId];
                $where .= ' and "groupId" in (' . "'" . implode("','",$groupsId) . "')";
            }
@ -448,7 +464,7 @@ class PassFlow
                'list' => $listData
            ];
        }
-	if(empty($param['groupsId'])){
+	if(empty($groupsId)){
 	   $data = self::getLibraryGroupHoursList($dm,false,$data);
 	}
        return $data;
@ -547,8 +563,9 @@ class PassFlow
        $where = ' "granularity"='."'hourly' ";
        if (!empty($param)) {
-            if (!empty($param['groupsId'])) {
+            if (!empty($param['type'])) {
-                $groupsId = explode("|",$param['groupsId']);
+                if (!in_array($param['type'], self::$groupType)) return ['code' => 0, 'msg' => 'type字段参数错误'];
                $groupsId = self::getGroupIds($dm, $param['type']);
                $where .= ' and "groupId" in (' . "'" . implode("','",$groupsId) . "')";
            }
        }