如select id,priority from ad.adgroup limit 1 union all select id, content from activity.activity_effect limit 1;
解析出来的sql语法树中不含有activity中的内容,这就导致无法进行权限标注,比如一个用户有ad.adgroup权限,没有activity.activity权限,但他可以利用上面的sql的union all绕过权限限制。
上述sql解析出来的语法树结构
'ID' => '1',
'statement' => 'select id,priority from ad.adgroup limit 1 union all select id, content from activity.activity_effect limit 1',
'errlevel' => '0',
'query_tree' => '{"command":"select","select_list":[{"type":"FIELD_ITEM","db":"ad","table":"adgroup","field":"id"},{"type":"FIELD_ITEM","db":"ad","table":"adgroup","field":"priority"}],"table_ref":[{"db":"ad","table":"adgroup"}],"limit":{"limit":[{"type":"INT_ITEM","value":"1"}]}}',
'errmsg' => 'None'
如select id,priority from ad.adgroup limit 1 union all select id, content from activity.activity_effect limit 1; 解析出来的sql语法树中不含有activity中的内容,这就导致无法进行权限标注,比如一个用户有ad.adgroup权限,没有activity.activity权限,但他可以利用上面的sql的union all绕过权限限制。
上述sql解析出来的语法树结构 'ID' => '1', 'statement' => 'select id,priority from ad.adgroup limit 1 union all select id, content from activity.activity_effect limit 1', 'errlevel' => '0', 'query_tree' => '{"command":"select","select_list":[{"type":"FIELD_ITEM","db":"ad","table":"adgroup","field":"id"},{"type":"FIELD_ITEM","db":"ad","table":"adgroup","field":"priority"}],"table_ref":[{"db":"ad","table":"adgroup"}],"limit":{"limit":[{"type":"INT_ITEM","value":"1"}]}}', 'errmsg' => 'None'
找不到activity的内容,也就是说语法树不完整,麻烦修复一下