From 1a673fc758abc83d37d663ff8a0e06affa346426 Mon Sep 17 00:00:00 2001
From: HID丨emotion <i@hiders.cn>
Date: Tue, 18 Aug 2020 13:35:33 +0800
Subject: [PATCH] 增加参数过滤,防止sql注入 多选字段选择多个时,再次编辑保持选择顺序不变 对参数增加过滤,防止sql注入

---
 application/common/controller/Backend.php | 3 +++
 1 file changed, 3 insertions(+), 0 deletions(-)

diff --git a/application/common/controller/Backend.php b/application/common/controller/Backend.php
index c93aabc..2bb4785 100644
--- a/application/common/controller/Backend.php
+++ b/application/common/controller/Backend.php
@@ -496,6 +496,9 @@ class Backend extends Controller
             }
             //如果有primaryvalue,说明当前是初始化传值,按照选择顺序排序
             if ($primaryvalue !== null) {
+                $primaryvalue = array_unique(is_array($primaryvalue) ? $primaryvalue : explode(',', $primaryvalue));
+                $primaryvalue = implode(',', array_map([$this->model->getConnection(), 'quote'], $primaryvalue));
+                
                 $datalist = $this->model->where($where)
                                         ->orderRaw("FIELD(`{$primarykey}`, {$primaryvalue})")
                                         ->page($page, $pagesize)
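Review bot: The added quoting covers only the value list; `$primarykey` is still interpolated unescaped into the raw SQL on the `orderRaw("FIELD(\`{$primarykey}\`, ...)")` line, and the backticks do not neutralise a backtick inside the value, so where `$primarykey` comes from (not visible in this hunk) decides whether the injection fix is complete. If it is request-derived, guard it before the query with an identifier whitelist, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $primarykey)) { throw new \InvalidArgumentException('invalid primary key'); }`, or check it against the model's known field names. Minor: the third added line is whitespace-only trailing spaces and should be an empty line. The enclosing method starts before and continues after this hunk.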
--
libgit2 0.24.0