
通知通告接口sql注入

baichengfei пре 5 година
родитељ
комит
494657706a

+ 8 - 6
src/dashoo.cn/backend/api/business/documentmanage/documentmanageService.go

@@ -23,14 +23,16 @@ func GetDocumentmanageService(xormEngine *xorm.Engine) *DocumentmanageService {
 //获取文档名与创建时间
 func (s *DocumentmanageService) GetDocumentNameAndTime(table string, colName, rangeType string) []DocumentNameTimeInfo {
 	var err error
-	var sql string
-
 	nowTimeStr := time.Now().Format("2006-01-02 15:04:05")
-
-	sql = "select Name, CreateOn, FileURL from " + table + " WHERE " + colName + " = 1 " + "and ValidityTime >= '" + nowTimeStr + "' and RangeType in (" + rangeType + ")  ORDER BY CreateOn DESC "
-
+	//sql = "select Name, CreateOn, FileURL from " + table + " WHERE " + colName + " = 1 " + "and ValidityTime >= '" + nowTimeStr + "'
+	//and RangeType in (" + rangeType + ")  ORDER BY CreateOn DESC "
 	List := make([]DocumentNameTimeInfo, 0)
-	err = utils.DBE.Sql(sql).Find(&List)
+	s.DBE.Table(table).Select("Name, CreateOn, FileURL").
+		Where(colName+"=?", 1).
+		Where("ValidityTime>=?", nowTimeStr).
+		In("RangeType", rangeType).
+		OrderBy("CreateOn DESC").
+		Find(&List)
 	LogError(err)
 
 	return List
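Review bot: The identifiers are still spliced in as raw strings in the new chain — `Table(table)` and `Where(colName+"=?", 1)` — and xorm parameterizes only the `?` values, so if either argument comes from the request the column expression in the Where clause remains injectable; restrict `table` and `colName` to a fixed allow-list of known names checked before building the query (return the empty `List` otherwise), since quoting alone does not cover an identifier in a Where expression. The result of `Find(&List)` is also discarded, so `err` stays nil and `LogError(err)` can never report a query failure; the chain should end with the assignment, i.e. `err = s.DBE.Table(table).Select("Name, CreateOn, FileURL").` … `.Find(&List)`. Separately, `In("RangeType", rangeType)` passes a single string where the old SQL interpolated a comma-separated list, so a value like `1,2` presumably now matches one literal rather than set members — confirm against callers and split it into `[]string` if so. The function's closing brace is outside the hunk.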