Entering % in any search field returns all results.
WHERE( " p.name like concat('%', #{searchVal}, '%') ");
The value is concatenated into the pattern above, so the final pattern becomes '%%%', which matches every row.
The fix is to escape % so that it is treated as an ordinary character.
This can be done by adding an interceptor that validates the parameters of GET requests and escapes any special characters.
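The following is an added example (not code from the original issue or the project) that reproduces the bug and the escaping fix against an in-memory SQLite table; it goes slightly beyond the page by also escaping the LIKE single-character wildcard `_` and the escape character itself. SQLite's `||` stands in for MySQL's concat(), and the table name `p`, column `name` and sample rows are constructed.

```python
import sqlite3

# Constructed sample data: names a user could search for.
SAMPLE_NAMES = ["alpha_project", "beta", "100%_sure", "gamma"]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE p (name TEXT)")
    conn.executemany("INSERT INTO p(name) VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def search_unescaped(search_val):
    """Mirrors `like concat('%', #{searchVal}, '%')`: the value is a bound
    parameter, so this is not SQL injection, but LIKE wildcards inside the
    value are still interpreted. A search for '%' therefore matches every row."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM p WHERE name LIKE '%' || ? || '%'", (search_val,)
    ).fetchall()
    return {r[0] for r in rows}


def escape_like(search_val, esc="\\"):
    """Escape LIKE metacharacters so they match literally.
    The escape character is doubled first so the result stays unambiguous."""
    return (
        search_val.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_escaped(search_val):
    """Hardened version: escape the value (what the page's interceptor would do)
    and tell the database which escape character was used via ESCAPE."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM p WHERE name LIKE '%' || ? || '%' ESCAPE '\\'",
        (escape_like(search_val),),
    ).fetchall()
    return {r[0] for r in rows}
```

With the unescaped query a search for "%" returns all four sample names; after escaping, only the name that actually contains a percent sign matches.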