From ee2fef02f8035107595affe7eae87030520301f7 Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: Thu, 6 Jul 2023 22:29:30 +0800
Subject: [PATCH] =?UTF-8?q?=E6=8E=92=E5=BA=8F=E5=B1=9E=E6=80=A7orderBy?=
 =?UTF-8?q?=E5=8F=82=E6=95=B0=E9=99=90=E5=88=B6=E9=95=BF=E5=BA=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../java/com/ruoyi/common/core/utils/sql/SqlUtil.java    | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/sql/SqlUtil.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/sql/SqlUtil.java
index 042a3e0a1..37e578e90 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/sql/SqlUtil.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/sql/SqlUtil.java
@@ -20,6 +20,11 @@ public class SqlUtil
      */
     public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,\\.]+";
 
+    /**
+     * 限制orderBy最大长度
+     */
+    private static final int ORDER_BY_MAX_LENGTH = 500;
+
     /**
      * 检查字符，防止注入绕过
      */
@@ -29,6 +34,10 @@ public class SqlUtil
         {
             throw new UtilException("参数不符合规范，不能进行查询");
         }
+        if (StringUtils.length(value) > ORDER_BY_MAX_LENGTH)
+        {
+            throw new UtilException("参数已超过最大限制，不能进行查询");
+        }
         return value;
     }