From 0fc791520a07e20925be4faf4ebd1544865fb785 Mon Sep 17 00:00:00 2001
From: likunming
Date: Thu, 25 Sep 2025 17:19:12 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A1=A8=E6=A0=BC=E7=BB=84=E4=BB=B6=E6=9F=A5?=
 =?UTF-8?q?=E8=AF=A2=E6=8C=89=E9=92=AE=E5=8F=8A=E6=89=A9=E5=B1=95=E5=8D=95?=
 =?UTF-8?q?=E9=80=89=E7=BB=84=E4=BB=B6=E4=BC=98=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../platform/components/grid/ts/function/RequestApi.ts | 9 +++++++--
 .../lcdp/form/service/impl/JdbcTemplateServiceImpl.java | 2 ++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/io.sc.platform.core.frontend/src/platform/components/grid/ts/function/RequestApi.ts b/io.sc.platform.core.frontend/src/platform/components/grid/ts/function/RequestApi.ts
index c6eee58a..59005a71 100644
--- a/io.sc.platform.core.frontend/src/platform/components/grid/ts/function/RequestApi.ts
+++ b/io.sc.platform.core.frontend/src/platform/components/grid/ts/function/RequestApi.ts
@@ -216,12 +216,17 @@ export class RequestApi extends Base {
 reqParams.pageable = this.props.tree || this.props.localMode ? false : this.props.pageable;
 }
 if (ops.pagination.sortBy && ops.pagination.sortBy !== '') {
+ const column = this.table.columns.find((item) => item.name === ops.pagination.sortBy);
+ let columnName = ops.pagination.sortBy;
+ if (column && column.sortByName && typeof column.sortByName === 'string') {
+ columnName = column.sortByName;
+ }
 // 处理表格点击列头进行的排序
 if (ops.pagination.descending) {
- reqParams.sortBy = '-' + ops.pagination.sortBy;
+ reqParams.sortBy = '-' + columnName;
 reqParams.descending = ops.pagination.descending;
 } else {
- reqParams.sortBy = ops.pagination.sortBy;
+ reqParams.sortBy = columnName;
 }
 } else if (this.props.sortBy && this.props.sortBy.length > 0) {
 // 处理表格配置的默认排序
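Review bot: The new sortByName lookup only covers the click-to-sort branch; the default-sort branch that begins on the hunk's last line (`// 处理表格配置的默认排序`) appears to still send the `this.props.sortBy` entries untranslated, so a configured default sort on a column that declares a `sortByName` would reach the backend under the wrong name — that branch's body is outside the hunk, so confirm. Consider extracting the lookup into one private helper used by both branches, e.g. `private resolveSortName(name: string): string { const col = this.table.columns.find((c) => c.name === name); return col && typeof col.sortByName === 'string' && col.sortByName ? col.sortByName : name; }`. Note also that `this.table.columns.find(...)` throws if `this.table` or `columns` is undefined when the request is built; if that can happen in localMode or before the table is mounted, guard it. Whatever name is resolved here is still fully client-controlled from the server's point of view (the browser can send any sortBy string), so this mapping must not be relied on as a security filter — the backend has to validate the sort column itself. The enclosing method starts and ends outside the hunk.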
diff --git a/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/form/service/impl/JdbcTemplateServiceImpl.java b/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/form/service/impl/JdbcTemplateServiceImpl.java
index 0a71e0d2..f9cf4bff 100644
--- a/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/form/service/impl/JdbcTemplateServiceImpl.java
+++ b/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/form/service/impl/JdbcTemplateServiceImpl.java
@@ -4,6 +4,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import io.sc.platform.jdbc.DatabaseType;
 import io.sc.platform.jdbc.sql.builder.SqlBuilder;
 import io.sc.platform.jdbc.sql.condition.Condition;
+import io.sc.platform.jdbc.util.SqlInjectionPreventer;
 import io.sc.platform.lcdp.form.entity.GridFieldEntity;
 import io.sc.platform.lcdp.form.entity.GridPageEntity;
 import io.sc.platform.lcdp.form.enums.AddValueType;
@@ -633,6 +634,7 @@ public class JdbcTemplateServiceImpl implements JdbcTemplateService {
 if (null != parameter.getSortBy() && parameter.getSortBy().size() > 0) {
 sql = " ORDER BY ";
 for (String sort: parameter.getSortBy()) {
+ SqlInjectionPreventer.checkSqlInjection(sort);
 if (sort.startsWith("-")) {
 sql += sort.substring(1) + " DESC,";
 } else if (sort.startsWith("+")) {
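Review bot: `SqlInjectionPreventer.checkSqlInjection(sort)` is applied to a request-supplied value (the RequestApi change in this same patch sends it as `sortBy`) that is then concatenated straight into `ORDER BY`, and its return value is discarded — if the helper reports a finding by return value rather than by throwing, this line is a no-op, so confirm that it throws. Even if it does, a pattern-based injection check on a column name is a weaker control than an allow-list: since ORDER BY cannot be bound as a `?` parameter, strip the `+`/`-` prefix first and reject anything that is not a plain identifier, e.g. `String column = (sort.startsWith("-") || sort.startsWith("+")) ? sort.substring(1) : sort;` then `if (!SORT_COLUMN.matcher(column).matches()) throw new IllegalArgumentException("illegal sort column: " + column);` with `private static final Pattern SORT_COLUMN = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");` — or, stronger still, compare `column` against the grid's configured field names if the GridFieldEntity definitions for this grid are reachable from this method. As written the check runs on the raw string including its sign prefix, which is harmless but leaves prefix handling and validation split across two places. The `+=` on `sql` inside the loop is also a StringBuilder case, and the loop's remaining branches and trailing-comma handling are outside the hunk; the enclosing method starts and ends outside the hunk as well.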