How can this code prevent SQL injection?
<%@ page language="java" %>
<%@ page session="true" %>
<%@ page contentType="text/html;charset=GB2312"%>
<%@ page import="java.util.ArrayList" %>
<html>
<head>
<meta name="GENERATOR" content="Microsoft FrontPage 6.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>新建網頁 1</title>
</head>
<%
String doType = request.getParameter("doType");
if(doType ==null){return;}
if(doType.equals("100"))
{
// The complete SQL statement is taken verbatim from the S1 request parameter
String sql = request.getParameter("S1");
if(sql!=null)
{
doSQLExecProc doProc = new doSQLExecProc();
doProc.pSQL = sql;
doProc.doProc();
out.println("執行成功!");
}
}
else if(doType.equals("101"))
{
// Same here: S1 is used unchanged as the query text for the grid
String sql = request.getParameter("S1");
if(sql!=null)
{
ArrayList row = new ArrayList();
ArrayList rows = new ArrayList();
boolean rowNum=true;
int count=0;
int per = 100;
int page1 = 1;
try{page1 = Integer.parseInt(request.getParameter("page"));}catch(Exception e){}
try{
GridData data = new GridData(sql);
if(rowNum==true)
{
count = data.getColumnCount()+1;
}
else
{
count = data.getColumnCount();
}
GridHead head = new GridHead("table1","sort",String.valueOf(count*120),false);
WebGrid grid = new WebGrid(response,head,data,rowNum);
grid.show(page1,per);
}catch(Exception e){out.println(e);}
}
}
else if(doType.equals("102"))
{
// File path and names are also taken directly from the request
String fileName = request.getParameter("fileName");
String fileTrueName = request.getParameter("fileTrueName");
String filePath = request.getParameter("filePath");
new net.btdz.oa.common.downloadfile(filePath, fileName,fileTrueName, response);
}
else{
%>
<body scroll=yes topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">
<form name="myform" action="test.jsp" method="post" target="I1">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="100%">
<tr>
<td height="30%">
<textarea name="S1" rows="13" cols="137" style="width:99%;height:99%"></textarea>
</td>
</tr>
<tr>
<td height="10%">
<input type="text" name="filePath" value="">
<input type="text" name="fileName" value="">
<input type="text" name="fileTrueName" value="">
<input type="text" name="doType" value="1">
<input type="submit" value="run" name="B1">
</td>
</tr>
<tr>
<td height="60%"><iframe name="I1" width="970" height="216" style="width:100%;height:100%">瀏覽器不支持嵌入式框架,或被配置為不顯示嵌入式框架。</iframe></td>
</tr>
</table>
</form>
</body>
<%
}
%>
</html>
Reply from a uj5u.com community member:
Normally you use a layered structure and pass parameters to the SQL. For a case like this, where the entire SQL statement is the parameter, I think you have to combine it with your own business logic: filter the table name so that only this one table can be operated on, and filter the where condition to limit the scope of the operation.
Reply from a uj5u.com community member:
The whole SQL statement is being passed in as a parameter, so what SQL injection is there left to prevent? All I can say is that the SQL has to be defined by you, using question-mark placeholders: String sql = "update table set name = ? where id = ?";
Then receive the parameters: String name = request.getParameter("name"),id = request.getParameter("id");
Then use precompilation: PreparedStatement pstmt = con.prepareStatement(sql);
Then set the parameters: pstmt.setString(1, name);pstmt.setString(2, id);
Finally execute the SQL: pstmt.executeUpdate();
Only this way can SQL injection be prevented. For details see: https://www.cnblogs.com/zouqin/p/5314827.html
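As an added example (not code from this thread or from the poster's project), the procedure in the reply above written out as one complete method. It also covers the earlier reply's point about restricting operations to a single table: the table, the columns and the WHERE clause are fixed in the SQL text, so the request can only supply values. The table name `employee`, the columns `name` and `id`, and the length limit are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Added example: the request supplies only values; the SQL text itself is a
// constant, so input cannot change the table, the columns or the WHERE clause.
// Table and column names are assumed for illustration.
public class SafeUpdate {

    private static final String UPDATE_SQL =
        "UPDATE employee SET name = ? WHERE id = ?";

    private static final int MAX_NAME_LENGTH = 64; // assumed business limit

    /**
     * Replaces the "pass the whole SQL in S1" pattern: callers hand over the
     * raw request parameters and get back the number of updated rows.
     */
    public static int updateName(Connection con, String nameParam, String idParam)
            throws SQLException {
        // Validate the shape of the input before it reaches the database.
        // A non-numeric (or missing) id is rejected here, not by the DB.
        int id;
        try {
            id = Integer.parseInt(idParam);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("id must be an integer", e);
        }
        if (nameParam == null || nameParam.isEmpty()
                || nameParam.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException("name is missing or too long");
        }

        // prepareStatement sends the constant SQL text; the driver transmits
        // the bound values separately, so quotes or keywords in nameParam
        // remain data rather than becoming part of the statement.
        try (PreparedStatement pstmt = con.prepareStatement(UPDATE_SQL)) {
            pstmt.setString(1, nameParam);
            pstmt.setInt(2, id);
            return pstmt.executeUpdate();
        }
    }
}
```

In the JSP, the branch that currently does `doProc.pSQL = sql` would instead call `SafeUpdate.updateName(con, request.getParameter("name"), request.getParameter("id"))` with a `Connection` obtained from the application's own data source; the `doType` dispatch then selects which fixed statement runs, never what its text is. Binding the id with `setInt` rather than `setString` is a choice made here so that the type check happens in Java before any database round trip.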
Please credit the source when reposting; link to this article: https://www.uj5u.com/houduan/265747.html
