
重置密码引起的sql注入问题修复

user5 6 months ago
parent
commit
13e2e5cc6f

+ 1 - 24
src/main/java/com/jeeplus/modules/API/sys/RegisterMobileController.java

@@ -1,29 +1,14 @@
 package com.jeeplus.modules.API.sys;
 
-import com.easemob.server.example.api.impl.EasemobIMUsers;
-import com.google.common.collect.Lists;
-import com.jeeplus.common.config.Global;
 import com.jeeplus.common.json.AjaxJson;
-import com.jeeplus.common.oss.OSSClientUtil;
-import com.jeeplus.common.utils.FileUtils;
 import com.jeeplus.common.utils.JedisUtils;
 import com.jeeplus.common.utils.RequestUtils;
-import com.jeeplus.common.utils.WordToPic;
 import com.jeeplus.common.web.BaseController;
 import com.jeeplus.modules.sys.dao.UserDao;
-import com.jeeplus.modules.sys.entity.Dict;
-import com.jeeplus.modules.sys.entity.Office;
-import com.jeeplus.modules.sys.entity.Role;
-import com.jeeplus.modules.sys.entity.User;
 import com.jeeplus.modules.sys.service.DictService;
 import com.jeeplus.modules.sys.service.SystemService;
-import com.jeeplus.modules.sys.utils.DictUtils;
 import com.jeeplus.modules.sys.utils.UserUtils;
-import com.jeeplus.modules.tools.utils.TwoDimensionCode;
 import com.jeeplus.modules.utils.ErrorCode;
-import io.swagger.client.model.Nickname;
-import io.swagger.client.model.RegisterUsers;
-import net.sf.json.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
@@ -34,16 +19,8 @@ import redis.clients.jedis.Jedis;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.HttpURLConnection;
-import java.net.MalformedURLException;
-import java.net.URL;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
 
 /**
  * 注册Controller
@@ -280,7 +257,7 @@ public class RegisterMobileController extends BaseController {
         Jedis jedis = null;
         try {
             // 验证手机号是否已经注册
-            if (userDao.findUniqueByProperty("mobile", mobile) != null) {
+            if (userDao.findUniqueByMobile(mobile) != null) {
                 if (type.equals("1") || type.equals("4")) {
                     j.setSuccess(false);
                     j.setErrorCode(ErrorCode.code_1007);

+ 16 - 28
src/main/java/com/jeeplus/modules/API/userinfo/SetUpController.java

@@ -1,46 +1,34 @@
 package com.jeeplus.modules.API.userinfo;
 
-import java.io.InputStream;
-import java.net.URLDecoder;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-
 import com.easemob.server.example.api.impl.EasemobIMUsers;
+import com.jeeplus.common.json.AjaxJson;
 import com.jeeplus.common.utils.CacheUtils;
 import com.jeeplus.common.utils.JedisUtils;
-import com.jeeplus.common.utils.RequestUtils;
-import com.jeeplus.modules.sys.security.SystemAuthorizingRealm;
-import com.jeeplus.modules.utils.ErrorCode;
-import io.swagger.client.model.NewPassword;
-import org.apache.commons.io.IOUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Controller;
-import org.springframework.transaction.annotation.Transactional;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import com.jeeplus.common.json.AjaxJson;
 import com.jeeplus.common.utils.StringUtils;
 import com.jeeplus.common.web.BaseController;
 import com.jeeplus.modules.sys.dao.SuggestionDao;
 import com.jeeplus.modules.sys.dao.UserDao;
 import com.jeeplus.modules.sys.entity.Suggestion;
-import com.jeeplus.modules.sys.entity.SystemConfig;
 import com.jeeplus.modules.sys.entity.User;
 import com.jeeplus.modules.sys.service.SystemConfigService;
 import com.jeeplus.modules.sys.service.SystemService;
 import com.jeeplus.modules.sys.utils.UserUtils;
-
-import net.sf.json.JSONObject;
+import com.jeeplus.modules.utils.ErrorCode;
+import io.swagger.client.model.NewPassword;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
 import redis.clients.jedis.Jedis;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.net.URLDecoder;
+import java.util.HashMap;
+import java.util.List;
+
 
 /**
  * 设置Controller
@@ -203,7 +191,7 @@ public class SetUpController extends BaseController{
         if(user == null || user.getId() ==null){
             user = UserUtils.get(userId);
         }
-        if(userDao.findUniqueByProperty("login_name", mobile)==null){
+        if(userDao.findUniqueByLoginName(mobile)==null){
             user.setLoginName(mobile);
             user.setMobile(mobile);
             systemService.updateMo(user);

+ 13 - 7
src/main/java/com/jeeplus/modules/sys/dao/UserDao.java

@@ -3,17 +3,15 @@
  */
 package com.jeeplus.modules.sys.dao;
 
-import java.util.HashMap;
-import java.util.List;
-
-import com.jeeplus.modules.sys.entity.Office;
-import com.jeeplus.modules.workstaff.entity.WorkStaffBasicInfo;
-import org.apache.ibatis.annotations.Param;
-
 import com.jeeplus.common.persistence.CrudDao;
 import com.jeeplus.common.persistence.annotation.MyBatisDao;
+import com.jeeplus.modules.sys.entity.Office;
 import com.jeeplus.modules.sys.entity.Role;
 import com.jeeplus.modules.sys.entity.User;
+import com.jeeplus.modules.workstaff.entity.WorkStaffBasicInfo;
+import org.apache.ibatis.annotations.Param;
+
+import java.util.List;
 
 /**
  * 用户DAO接口
@@ -299,4 +297,12 @@ public interface UserDao extends CrudDao<User> {
 	 * @return
 	 */
 	List<String> getAuditUserListByRelevanceUserId(@Param("relevanceUserId") String relevanceUserId);
+
+
+
+	User findUniqueByMobile(String mobile);
+
+	User findUniqueByLoginName(String loginName);
+
+
 }
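Review bot: The two new DAO methods (`User findUniqueByMobile(String mobile)` and `User findUniqueByLoginName(String loginName)`) are added without Javadoc and without the `@Param` annotation that the neighbouring method on the preceding line uses, so the interface is now inconsistent with itself; a single unannotated parameter does bind in MyBatis, but spelling it out keeps the mapper's `#{mobile}` / `#{loginName}` names traceable from the Java side. I would write `/** Returns the user whose mobile equals {@code mobile}, or {@code null} if there is none. */` followed by `User findUniqueByMobile(@Param("mobile") String mobile);`, and the same shape for the login-name variant. The three blank lines before and the two after the new declarations should also be collapsed to one. Whether the "unique" in the name is backed by a database constraint is not visible here; if it is not, a duplicate row would surface as a MyBatis too-many-results failure rather than a clean result.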

+ 1 - 1
src/main/java/com/jeeplus/modules/sys/service/SystemService.java

@@ -447,7 +447,7 @@ public class SystemService extends BaseService implements InitializingBean {
         User user = new User();
         try {
             // 验证手机号是否已经注册
-            if (userDao.findUniqueByProperty("mobile", mobile) != null) {
+            if (userDao.findUniqueByMobile(mobile) != null) {
                 // 如果是手机登录,则返回JSON字符串
                 j.setSuccess(false);
                 j.setErrorCode(ErrorCode.code_1007);

+ 8 - 10
src/main/java/com/jeeplus/modules/sys/service/UserService.java

@@ -1,13 +1,9 @@
 package com.jeeplus.modules.sys.service;
 
 
-import com.easemob.server.example.api.impl.EasemobIMUsers;
-import com.google.common.base.Strings;
-import com.google.common.collect.Lists;
 import com.jeeplus.common.bos.BOSClientUtil;
 import com.jeeplus.common.config.Global;
 import com.jeeplus.common.oss.OSSClientUtil;
-import com.jeeplus.common.utils.DateUtils;
 import com.jeeplus.common.utils.FileUtils;
 import com.jeeplus.common.utils.StringUtils;
 import com.jeeplus.common.utils.WordToPic;
@@ -16,16 +12,16 @@ import com.jeeplus.modules.iim.entity.LayGroup;
 import com.jeeplus.modules.iim.service.LayGroupService;
 import com.jeeplus.modules.sys.dao.RoleDao;
 import com.jeeplus.modules.sys.dao.UserDao;
-import com.jeeplus.modules.sys.entity.*;
+import com.jeeplus.modules.sys.entity.Company;
+import com.jeeplus.modules.sys.entity.Office;
+import com.jeeplus.modules.sys.entity.Role;
+import com.jeeplus.modules.sys.entity.User;
 import com.jeeplus.modules.sys.utils.UserUtils;
 import com.jeeplus.modules.sysuseroffice.entity.Useroffice;
 import com.jeeplus.modules.sysuseroffice.service.UserofficeService;
 import com.jeeplus.modules.tools.utils.TwoDimensionCode;
 import com.jeeplus.modules.workcompanyinfo.service.CompanyinfoService;
 import com.jeeplus.modules.workstaff.entity.WorkStaffBasicInfo;
-import io.swagger.client.model.NewPassword;
-import io.swagger.client.model.Nickname;
-import io.swagger.client.model.RegisterUsers;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -37,8 +33,6 @@ import java.io.InputStream;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.util.ArrayList;
-import java.util.Iterator;
 import java.util.List;
 
 
@@ -432,6 +426,10 @@ public class UserService extends BaseController {
         return userDao.findUniqueByProperty(name,value);
     }
 
+    public User findUniqueByMobile(String value) {
+        return userDao.findUniqueByMobile(value);
+    }
+
     public void updateOfficeById(User user) {
         userDao.updateUserInfo(user);
     }
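Review bot: The new `findUniqueByMobile` wrapper is added right below the generic `findUniqueByProperty(name, value)` passthrough, which stays in place and therefore keeps the column-name-as-argument path callable from any caller this commit did not touch; if that mapper builds the column into the statement text (which the commit title implies), the fix is only as complete as the caller migration, so it is worth either deprecating that method with `@Deprecated` and a `@deprecated` Javadoc pointing at the new typed lookups, or grepping for the remaining call sites. The new method also lacks Javadoc and names its parameter `value` where the DAO names it `mobile`; I would write `/** Looks up the single user registered with {@code mobile}; returns {@code null} when none exists. */` and `public User findUniqueByMobile(String mobile) { return userDao.findUniqueByMobile(mobile); }`. A matching `findUniqueByLoginName` service method is not added even though the DAO gained one, so controllers that need it must go to the DAO directly. The enclosing class continues outside the hunk.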

+ 5 - 5
src/main/java/com/jeeplus/modules/sys/web/LoginController.java

@@ -12,7 +12,6 @@ import com.jeeplus.common.security.shiro.session.SessionDAO;
 import com.jeeplus.common.servlet.ValidateCodeServlet;
 import com.jeeplus.common.utils.*;
 import com.jeeplus.common.web.BaseController;
-import com.jeeplus.common.websocket.onchat.ChatServerPool;
 import com.jeeplus.modules.iim.entity.MailBox;
 import com.jeeplus.modules.iim.entity.MailPage;
 import com.jeeplus.modules.iim.service.MailBoxService;
@@ -24,7 +23,6 @@ import com.jeeplus.modules.ruralprojectrecords.service.RuralProjectRecordReportS
 import com.jeeplus.modules.ruralprojectrecords.service.RuralProjectRecordsService;
 import com.jeeplus.modules.sys.dao.UserDao;
 import com.jeeplus.modules.sys.entity.Office;
-import com.jeeplus.modules.sys.entity.Role;
 import com.jeeplus.modules.sys.entity.User;
 import com.jeeplus.modules.sys.security.FormAuthenticationFilter;
 import com.jeeplus.modules.sys.security.SystemAuthorizingRealm.Principal;
@@ -40,7 +38,6 @@ import com.jeeplus.modules.workcalendar.service.WorkCalendarService;
 import com.jeeplus.modules.workprojectnotify.entity.WorkProjectNotify;
 import com.jeeplus.modules.workprojectnotify.service.WorkProjectNotifyService;
 import net.sf.json.JSONArray;
-import net.sf.json.JSONObject;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authz.UnauthorizedException;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
@@ -60,7 +57,10 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.text.SimpleDateFormat;
-import java.util.*;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 /**
  * 登录Controller
@@ -509,7 +509,7 @@ public class LoginController extends BaseController{
 	public AjaxJson getRandomCode(HttpServletRequest request, String mobile,String type) {
 		AjaxJson j = new AjaxJson();
 		//验证手机号是否已经注册
-		if(userDao.findUniqueByProperty("login_name", mobile) != null){
+		if(userDao.findUniqueByLoginName(mobile) != null){
 			String randomCode = String.valueOf((int) (Math.random() * 9000 + 1000));
 			System.err.println(randomCode);
 			// String result = UserUtils.sendRandomCode(config.getSmsName(),config.getSmsPassword(), mobile, randomCode);
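Review bot: The lines immediately after the changed lookup in `getRandomCode` derive the SMS verification code from `Math.random()` and print it with `System.err.println(randomCode)`; neither is touched by this commit, but since the hunk is being reworked around them, the code should come from a `java.security.SecureRandom` and the raw code should not be written to the process output, where it lands in whatever captures stderr. A minimal change is a class field `private static final SecureRandom RANDOM = new SecureRandom();`, then `String randomCode = String.valueOf(RANDOM.nextInt(9000) + 1000);`, and dropping the println (or reducing it to a debug-level log line without the value). The same two lines appear in RegisterController's second hunk (`Math.random()` followed by `System.out.println(randomCode)`) and should get the same treatment. `getRandomCode` continues past the end of the hunk.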

+ 2 - 6
src/main/java/com/jeeplus/modules/sys/web/RegisterController.java

@@ -1,8 +1,6 @@
 package com.jeeplus.modules.sys.web;
 
 
-import com.easemob.server.example.api.impl.EasemobIMUsers;
-import com.jeeplus.common.config.Global;
 import com.jeeplus.common.json.AjaxJson;
 import com.jeeplus.common.utils.EncrypeUtil;
 import com.jeeplus.common.utils.JedisUtils;
@@ -10,7 +8,6 @@ import com.jeeplus.common.utils.StringUtils;
 import com.jeeplus.common.web.BaseController;
 import com.jeeplus.modules.sys.dao.UserDao;
 import com.jeeplus.modules.sys.entity.MainDictDetail;
-import com.jeeplus.modules.sys.entity.Office;
 import com.jeeplus.modules.sys.entity.SystemConfig;
 import com.jeeplus.modules.sys.entity.User;
 import com.jeeplus.modules.sys.service.OfficeService;
@@ -19,7 +16,6 @@ import com.jeeplus.modules.sys.service.SystemService;
 import com.jeeplus.modules.sys.utils.DictUtils;
 import com.jeeplus.modules.sys.utils.UserUtils;
 import com.jeeplus.modules.utils.ErrorCode;
-import net.sf.json.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -82,7 +78,7 @@ public class RegisterController extends BaseController {
 			String password = EncrypeUtil.encrypeString(user.getPassword(),"UTF-8");
 			AjaxJson j = new AjaxJson();
 			//验证手机号是否已经注册
-			if (userDao.findUniqueByProperty("mobile", user.getMobile()) != null) {
+			if (userDao.findUniqueByMobile(user.getMobile()) != null) {
 				// 如果是手机登录,则返回JSON字符串
 				if (mobileLogin) {
 					j.setSuccess(false);
@@ -307,7 +303,7 @@ public class RegisterController extends BaseController {
 		SystemConfig config = systemConfigService.get("1");
 		AjaxJson j = new AjaxJson();
 		//验证手机号是否已经注册
-		if(userDao.findUniqueByProperty("mobile", mobile) == null||("resetPassword").equals(type)){
+		if(userDao.findUniqueByMobile(mobile) == null||("resetPassword").equals(type)){
 		String randomCode = String.valueOf((int) (Math.random() * 9000 + 1000));
 		System.out.println(randomCode);
 		// String result = UserUtils.sendRandomCode(config.getSmsName(),config.getSmsPassword(), mobile, randomCode);

+ 4 - 4
src/main/java/com/jeeplus/modules/sys/web/UserController.java

@@ -1195,7 +1195,7 @@ public class UserController extends BaseController {
     @RequestMapping(value = "validateLoginName")
     public boolean validateLoginName(String loginName, HttpServletResponse response) {
 
-        User user =  userDao.findUniqueByProperty("login_name", loginName);
+        User user =  userDao.findUniqueByLoginName(loginName);
         if(user == null){
             return true;
         }else{
@@ -1210,7 +1210,7 @@ public class UserController extends BaseController {
     @ResponseBody
     @RequestMapping(value = "validateMobile")
     public boolean validateMobile(String mobile, HttpServletResponse response, Model model) {
-        User user =  userDao.findUniqueByProperty("mobile", mobile);
+        User user =  userDao.findUniqueByMobile( mobile);
         if(user == null){
             return true;
         }else{
@@ -1224,7 +1224,7 @@ public class UserController extends BaseController {
     @ResponseBody
     @RequestMapping(value = "validateMobileExist")
     public boolean validateMobileExist(String mobile, HttpServletResponse response, Model model) {
-        User user =  userDao.findUniqueByProperty("mobile", mobile);
+        User user =  userDao.findUniqueByMobile(mobile);
         if(user != null){
             return true;
         }else{
@@ -1236,7 +1236,7 @@ public class UserController extends BaseController {
     public String  resetPassword(String mobile, HttpServletResponse response, Model model,String password,RedirectAttributes redirectAttributes) {
         SystemConfig config = systemConfigService.get("1");//获取短信配置的用户名和密码
         AjaxJson j = new AjaxJson();
-        User user = userDao.findUniqueByProperty("mobile", mobile);
+        User user = userDao.findUniqueByMobile(mobile);
         try {
             // 密码MD5加密并修改密码
             String newpassword = EncrypeUtil.encrypeString(password, "UTF-8");
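Review bot: In the `validateMobile` hunk the replacement call is written `userDao.findUniqueByMobile( mobile)` with a stray space after the parenthesis, unlike the three sibling call sites in this file; it should read `User user =  userDao.findUniqueByMobile(mobile);`. In the `resetPassword` hunk, `user` is assigned from the new lookup and the method proceeds straight into the `try` block that encrypts the new password; no null check is visible inside the hunk, so unless one exists further down (the method body continues outside the hunk), an unregistered mobile would reach whatever uses `user` next. A guard such as `if (user == null) { j.setSuccess(false); ... }` before the `try` would make the outcome explicit.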

+ 2 - 6
src/main/java/com/jeeplus/modules/wexinpackage/access/service/WeChatCallbackService.java

@@ -1,6 +1,5 @@
 package com.jeeplus.modules.wexinpackage.access.service;
 
-import com.alibaba.fastjson.JSONObject;
 import com.jeeplus.common.utils.JedisUtils;
 import com.jeeplus.common.utils.MyBeanUtils;
 import com.jeeplus.common.utils.StringUtils;
@@ -14,10 +13,7 @@ import com.jeeplus.modules.sys.service.RoleService;
 import com.jeeplus.modules.sys.service.SystemService;
 import com.jeeplus.modules.sys.service.UserService;
 import com.jeeplus.modules.wexinpackage.access.entity.ChangeNumber;
-import com.jeeplus.modules.wexinpackage.access.util.access.AccessTokenUtil;
-import com.jeeplus.modules.wexinpackage.access.util.access.AddressBookUtil;
 import com.jeeplus.modules.wexinpackage.access.util.access.ContactUtil;
-import com.jeeplus.modules.wexinpackage.access.util.access.WeChatParamsUtil;
 import com.jeeplus.modules.workstaff.dao.WorkStaffBasicInfoDao;
 import com.jeeplus.modules.workstaff.entity.WorkStaffBasicInfo;
 import com.jeeplus.modules.workstaff.service.WorkStaffBasicInfoService;
@@ -27,8 +23,8 @@ import org.dom4j.DocumentHelper;
 import org.dom4j.Element;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+
 import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -143,7 +139,7 @@ public class WeChatCallbackService {
             workStaffBasicInfo.setNo(getNo(createWorkStaffBasicInfo));
             User user = new User();
             user = this.createUser(workStaffBasicInfo);
-            User user1 = userService.findUniqueByProperty("mobile", workStaffBasicInfo.getMobile());
+            User user1 = userDao.findUniqueByMobile(workStaffBasicInfo.getMobile());
             if (null==user1){
                 user.setWeChatId(changeNumber.getUserID());
                 boolean b = userService.save(user, request, null);
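Review bot: The replaced lookup switches this call from the service layer (`userService.findUniqueByProperty`) to a direct DAO call (`userDao.findUniqueByMobile`), while the same commit adds `UserService.findUniqueByMobile` and uses it from WorkStaffBasicInfoService, so the two services now resolve the same question through different layers. Unless there is a reason to bypass the service here, the consistent line is `User user1 = userService.findUniqueByMobile(workStaffBasicInfo.getMobile());`, which also avoids needing a `userDao` field in this class (its declaration is not visible in the hunk, so I cannot confirm one exists). The enclosing method continues outside the hunk.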

+ 1 - 1
src/main/java/com/jeeplus/modules/workstaff/service/WorkStaffBasicInfoService.java

@@ -338,7 +338,7 @@ public class WorkStaffBasicInfoService extends CrudService<WorkStaffBasicInfoDao
         }
         if(StringUtils.isBlank(workStaffBasicInfo.getUserId())){
 	        //根据手机号查询用户
-            User user = userService.findUniqueByProperty("mobile", workStaffBasicInfo.getMobile());
+            User user = userService.findUniqueByMobile(workStaffBasicInfo.getMobile());
             if(user==null){
                 //创建新的用户
                 user = this.createUser(workStaffBasicInfo);

+ 17 - 0
src/main/resources/mappings/modules/sys/UserDao.xml

@@ -1273,4 +1273,21 @@
 			</if>
 		</where>
 	</select>
+
+
+	<!-- 根据用户id和好友id获取唯一记录 -->
+	<select id="findUniqueByMobile" resultType="User">
+		SELECT
+			*
+		FROM sys_user a
+		where a.mobile = #{mobile}
+	</select>
+
+	<!-- 根据用户id和好友id获取唯一记录 -->
+	<select id="findUniqueByLoginName" resultType="User">
+		SELECT
+			*
+		FROM sys_user a
+		where a.login_name = #{loginName}
+	</select>
 </mapper>
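Review bot: The comments above both new statements read "根据用户id和好友id获取唯一记录" (look up a unique record by user id and friend id), which describes a different query and looks copy-pasted; the statements select by mobile and by login name respectively, so I would replace them with `<!-- single user whose mobile matches; value bound via #{} -->` and `<!-- single user whose login_name matches; value bound via #{} -->`. Both statements return `SELECT *` from `sys_user` into a `User`, which pulls every column, including the credential columns, for callers that only need an existence check; listing the columns the callers actually use, or at least the ones the `User` entity maps, would narrow that. Whether `mobile` and `login_name` are unique in the table is not visible here; without such a constraint the `findUnique` id promises more than the query enforces.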