[sercurity vulnerability] sql inject

[GatekeeperBuster]

Recently, our team has identified a security vulnerability that has led to SQL injection issues in the latest version of the project, which could result in severe information leakage risks. The vulnerability entry is located in the method at src/main/java/com/youlai/mall/pms/controller/app/SpuController.java#32.

The developers, when operating SQL statements through the method at src/main/java/com/youlai/mall/pms/mapper/PmsSpuMapper.java#32,

concatenate the input queryParams parameter to ${queryParams.sortField} ${queryParams.sort}, which means that attackers can control the queryParams parameter to carry out SQL injection attacks.