fix: 解决潜在的 SQL 注入漏洞 (#5906)

影响范围：操作日志
2024-11-10 17:13:30 +08:00 · 2024-07-22 22:41:31 +08:00 · 2024-07-22 22:41:31 +08:00 · 3339ba9bad
commit 3339ba9bad
parent 68922676fc
1 changed files with 2 additions and 3 deletions
--- a/backend/middleware/operation.go
+++ b/backend/middleware/operation.go
@ -96,10 +96,9 @@ func OperationLog() gin.HandlerFunc {
 					if funcs.InputValue == key {
 						var names []string
 						if funcs.IsList {
-							sql := fmt.Sprintf("SELECT %s FROM %s where %s in (?);", funcs.OutputColumn, funcs.DB, funcs.InputColumn)
+							_ = global.DB.Raw("select ? from ? where ? in (?);", funcs.OutputColumn, funcs.DB, funcs.InputColumn, value).Scan(&names)
 							_ = global.DB.Raw(sql, value).Scan(&names)
 						} else {
-							_ = global.DB.Raw(fmt.Sprintf("select %s from %s where %s = ?;", funcs.OutputColumn, funcs.DB, funcs.InputColumn), value).Scan(&names)
+							_ = global.DB.Raw("select ? from ? where ? = ?;", funcs.OutputColumn, funcs.DB, funcs.InputColumn, value).Scan(&names)
 						}
 						formatMap[funcs.OutputValue] = strings.Join(names, ",")
 						break