%!s(int64=9) %!d(string=hai) anos · 6298008211
--- a/hsweb-web-bean/src/main/java/org/hsweb/web/bean/common/QueryParam.java
+++ b/hsweb-web-bean/src/main/java/org/hsweb/web/bean/common/QueryParam.java
@@ -1,6 +1,9 @@
 
				 package org.hsweb.web.bean.common;
			
 
				 
			
 
				 import java.io.Serializable;
			
 
				+import java.util.LinkedHashSet;
			
 
				+import java.util.Set;
			
 
				+import java.util.regex.Pattern;
			
 
				 
			
 
				 /**
			
 
				  * Created by 浩 on 2016-01-16 0016.
			
@@ -26,12 +29,12 @@ public class QueryParam extends SqlParam<QueryParam> implements Serializable {
 
				     /**
			
 
				      * 排序字段
			
 
				      */
			
 
				-    private String sortField;
			
 
				+    private Set<String> sortField = new LinkedHashSet<>();
			
 
				 
			
 
				     /**
			
 
				      * 排序方式 DESC 反序 ASC 正序
			
 
				      */
			
 
				-    private String sortOrder;
			
 
				+    private String sortOrder = "asc";
			
 
				 
			
 
				 
			
 
				     public QueryParam orderBy(String sortField) {
			
@@ -40,7 +43,7 @@ public class QueryParam extends SqlParam<QueryParam> implements Serializable {
 
				     }
			
 
				 
			
 
				     public QueryParam orderBy(String sortField, boolean asc) {
			
 
				-        setSortField(sortField);
			
 
				+        this.sortField.add(sortField);
			
 
				         setSortOrder(asc ? "asc" : "desc");
			
 
				         return this;
			
 
				     }
			
@@ -92,11 +95,16 @@ public class QueryParam extends SqlParam<QueryParam> implements Serializable {
 
				         this.pageSize = pageSize;
			
 
				     }
			
 
				 
			
 
				-    public String getSortField() {
			
 
				+    static String reg = "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|"
			
 
				+            + "(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b)";
			
 
				+
			
 
				+    static Pattern sqlPattern = Pattern.compile(reg, Pattern.CASE_INSENSITIVE);
			
 
				+
			
 
				+    public Set<String> getSortField() {
			
 
				         return sortField;
			
 
				     }
			
 
				 
			
 
				-    public void setSortField(String sortField) {
			
 
				+    public void setSortField(Set<String> sortField) {
			
 
				         this.sortField = sortField;
			
 
				     }
			
 
				 
			
@@ -105,7 +113,7 @@ public class QueryParam extends SqlParam<QueryParam> implements Serializable {
 
				     }
			
 
				 
			
 
				     public void setSortOrder(String sortOrder) {
			
 
				-        if (!sortOrder.equalsIgnoreCase("asc"))
			
 
				+        if (sortOrder.contains("desc") || sortOrder.contains("DESC"))
			
 
				             sortOrder = "desc";
			
 
				         this.sortOrder = sortOrder;
			
 
				     }