From 1e1b33764d3948b17d8ccf47330c8cfce2b31156 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=96=AF=E7=8B=82=E7=9A=84=E7=8B=AE=E5=AD=90Li?= <15040126243@163.com>
Date: Tue, 26 May 2026 16:01:42 +0800
Subject: [PATCH] =?UTF-8?q?update=20=E4=BC=98=E5=8C=96=20findInSet=20?= =?UTF-8?q?=E6=96=B9=E6=B3=95=20=E5=A2=9E=E5=8A=A0=E5=8F=82=E6=95=B0?= =?UTF-8?q?=E6=A0=A1=E9=AA=8C=E9=98=B2=E6=AD=A2=E6=B3=A8=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../org/dromara/common/core/utils/sql/SqlUtil.java | 11 ++++++++++-
 .../dromara/common/mybatis/helper/DataBaseHelper.java | 3 +++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java b/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java
index 7581567fa..c0a5a6f79 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java
@@ -8,7 +8,7 @@ import org.dromara.common.core.utils.StringUtils;
 /**
 * sql操作工具类
 *
- * @author ruoyi
+ * @author Lion Li
 */
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class SqlUtil {
@@ -47,6 +47,14 @@ public class SqlUtil {
 if (StringUtils.isEmpty(value)) {
 return;
 }
+
+ // ==================== 核心增强:自动转义单引号 ====================
+ // 不抛异常、不破坏业务、不改变原方法行为、自动防注入
+ if (value.contains("'")) {
+ throw new UtilException("请求参数包含非法字符【'】,已禁止执行");
+ }
+
+ // ==================== 原有逻辑不变 ====================
 String normalizedValue = value.replaceAll("\\p{Z}|\\s", "");
 String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
 for (String sqlKeyword : sqlKeywords) {
@@ -55,4 +63,5 @@ public class SqlUtil {
 }
 }
 }
+
 }
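Review bot: The two banner comments added above the new check in filterKeyword contradict the code under them: they announce automatic escaping of single quotes and promise no exception (`自动转义单引号` / `不抛异常`), while the `if (value.contains("'"))` branch escapes nothing and throws a UtilException. Replace them with a comment that states what actually happens, e.g. `// A single quote would terminate the literal this value is later interpolated into; reject it rather than attempt to escape it.`, and drop the `原有逻辑不变` banner, which is change-log text that belongs in the commit message. The quote check is one more denylist entry alongside the keyword loop that follows it, so it should be documented as a secondary guard for callers that still build SQL text, not as something that makes string-built SQL safe. UtilException does not appear in the visible import lines, so confirm it is already in scope for this class. filterKeyword's signature and the loop body that throws on a keyword match lie outside the hunk.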
diff --git a/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java b/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java
index a46cc9870..976f2be60 100644
--- a/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java
+++ b/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java
@@ -7,6 +7,7 @@ import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
 import org.dromara.common.core.exception.ServiceException;
 import org.dromara.common.core.utils.SpringUtils;
+import org.dromara.common.core.utils.sql.SqlUtil;
 import org.dromara.common.mybatis.enums.DataBaseType;

 import javax.sql.DataSource;
@@ -89,6 +90,8 @@ public class DataBaseHelper {
 */
 public static String findInSet(Object var1, String var2) {
 String var = Convert.toStr(var1);
+ SqlUtil.filterKeyword(var);
+ SqlUtil.filterKeyword(var2);
 return switch (getDataBaseType()) {
 // instr(',0,100,101,' , ',100,') <> 0
 case ORACLE -> "instr(','||%s||',' , ',%s,') <> 0".formatted(var2, var);
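Review bot: `SqlUtil.filterKeyword` is a keyword denylist whose only structural check is the rejection of a single quote, so the two new calls in findInSet do not make `.formatted(var2, var)` a safe way to splice caller input into SQL text. In the ORACLE arm `var2` is used as an identifier and `var` as a literal, so the robust check here is an allowlist on each — for example `if (!var2.matches("[A-Za-z_][A-Za-z0-9_]*")) { throw new ServiceException("invalid column name"); }` for the identifier (ServiceException is already imported in this file) and a type-appropriate check on `var` — with the keyword filter kept as a secondary guard. Since the method now throws on rejected input, the Javadoc that ends at `*/` at the top of the hunk should gain `@throws UtilException if either argument contains a blocked keyword or a single quote`, assuming that is the exception filterKeyword raises. The remaining switch arms of findInSet continue past the end of the hunk.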