+++++++++++ Forced to it ++++ Looking for someone to help me over QQ remote with a JSP SQL injection problem; once it is solved, name your points and you get them. +++++++++++

Ugh. All you really need to do is search for how the PreparedStatement class is used; we already explained it all clearly yesterday.

Solutions »

I did search, and it's just as you said, nothing different. But now it reports an error at conn. I don't know what to do, because this is only the second time I've done JSP, and I'm doing it on my own; the first time a friend guided me. I've never read a JSP book; I can only read code and change bits of it, nothing more. So I'm stuck, and circumstances have forced this last resort on me. If nobody can fully help me, I'll have to go home and rest. Thanks for your help.

<%@ page contentType="text/html; charset=gb2312" language="java" import="java.sql.*"%>
<jsp:useBean id="conn" scope="page" class="xx.conn"/>

index.jsp =========================== before ==========================
<%
String user_name=request.getParameter("user_name");
String pwd=request.getParameter("pwd");
ResultSet rs;
String sql="select * from corp_members where user_name='"+user_name+"'";
rs=conn.executeQuery(sql);
%>
=================================== after ==========================
<%
String user_name=request.getParameter("user_name");
String pwd=request.getParameter("pwd");
ResultSet rs;
String sql="select * from corp_members where user_name=?";
PreparedStatement pstmt=conn.prepareStatement(sql);   // the error is reported on this line, at conn
pstmt.setString(1,user_name);
rs=pstmt.executeQuery();
%>

operation.jsp ======= how should I change this? ========================================================
<%
String subcategory_id=request.getParameter("subcategory_id");
String input=request.getParameter("input");
ResultSet rs;
String sql=null;
if(input!=null)
{
    String input2=new String (input.getBytes("ISO-8859-1"));
    sql="select * from news where subcategory_id="+subcategory_id+" and title like '%"+input2+"%' order by news_id desc";
}
else
{
    sql="select * from news where subcategory_id="+subcategory_id+" order by news_id desc";
}
rs=conn.executeQuery(sql);
%>
======================================================================
I'm asking for a way to fix the SQL injection vulnerability, and also: when some table doesn't exist in the database, opening the page must not produce an error message.
========================================================================
The conn.class file (db.properties is the database connection file; with nothing changed, it runs fine):
---------------------------------------
package xx;
import java.util.*;
import java.sql.*;
import java.io.*;

public class conn
{
    Connection con;
    ResultSet rs=null;
    Statement stmt=null;
    String driver="";
    String url="";
    String user="";
    String password="";

    // Reads driver/url/username/password from db.properties and loads the driver.
    public conn()
    {
        try
        {
            InputStream fis =getClass().getResourceAsStream("db.properties");
            Properties ps=new Properties();
            ps.load(fis);
            driver=ps.getProperty("driver");
            url=ps.getProperty("url");
            user=ps.getProperty("username");
            password=ps.getProperty("password");
            Class.forName(driver);
        }
        catch (java.lang.ClassNotFoundException e)
        {
            System.err.println("DataConnectionDrever:"+e.getMessage());
        }
        catch (Exception e)
        {
            System.out.println("数据配置参数读取失败!");
        }
    }

    public void Insert(String sqlstring)
    {
        try
        {
            con=DriverManager.getConnection(url,user,password);
            stmt=con.createStatement();
            stmt.executeUpdate(sqlstring);
        }
        catch (SQLException ex)
        {
            System.err.println("DataUpdate:"+ex.getMessage());
        }
    }

    public void Delete(String sqlstring)
    {
        try
        {
            con=DriverManager.getConnection(url,user,password);
            stmt=con.createStatement();
            stmt.executeUpdate(sqlstring);
        }
        catch (SQLException ex)
        {
            System.err.println("DataUpdate:"+ex.getMessage());
        }
    }

    // Runs a complete SQL string through a plain Statement; there is no PreparedStatement here.
    public ResultSet executeQuery(String sqlstring)
    {
        try
        {
            con=DriverManager.getConnection(url,user,password);
            stmt=con.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
            rs=stmt.executeQuery(sqlstring);
        }
        catch (SQLException ex)
        {
            System.err.println("DataQuery:"+ex.getMessage());
        }
        return rs;
    }

    public void CloseConn() throws Exception
    {
        if(rs != null) rs.close();
        if(stmt != null) stmt.close();
        if(con != null) con.close();
    }
}

Obviously, your conn has no prepareStatement method. So another approach is to do a substitution on the incoming parameter: replace ' with '' and that solves your problem.
String sql="select * from corp_members where user_name='"+user_name+"'";
rs=conn.executeQuery(sql);
If user_name comes in as aa' or 1=1, replace it with aa'' or 1=1 and then execute; then the problem is gone.

Right now I just want a fix, by whatever method (preventing the SQL injection vulnerability).

Ugh. Just analyse the string directly: check whether it contains "and "; if it does, don't run the query and report an error. Of course, whoever sets a password containing that string is out of luck.

OP, below is a piece of code I wrote in a JSP; it has been tested and works. Have a look yourself and adapt it.
<%
int userid;
String username;
try {
    Class.forName("com.microsoft.jdbc.sqlserver.SQLServerDriver").newInstance();
    Connection con = java.sql.DriverManager.getConnection("jdbc:microsoft:sqlserver://192.168.0.118:1433;DatabaseName=TEST", "sa", "123456");
    String sql = "select user_id,user_realname from t_user where user_id=?";
    PreparedStatement pstmt = con.prepareStatement(sql);
    pstmt.setInt(1,40);   // 40 is really a parameter; I was lazy and used a literal just to test the feature
    ResultSet rst = pstmt.executeQuery();
    while(rst.next())
    {
        // fetch whichever fields you need
        userid=rst.getInt("user_id");
        username=rst.getString("user_realname");
        // …… other processing
    }
    rst.close();
    pstmt.close();
    con.close();
}
catch (Exception exp) {
    System.out.println(exp.getMessage());
}
%>

Can anyone help by writing it out?

Reply from: hesi726(hesi) ( ) Reputation: 98 2005-04-19 11:36:00 Score: 0
Obviously, your conn has no prepareStatement method.
So another approach is to do a substitution on the incoming parameter:
replace ' with '' and that solves your problem.

So if I don't have prepareStatement, how do I add it?

=========== One more question here, then nothing else. ==================
===== Why do I get an error as soon as I use replace, replaceAll or prepareStatement? ======
====== The error message points right at these things; without them there is no error. =======
== Should I be adding some kind of package (a bun, a loaf, whatever)? ====
================== I'm using JDK 1.4 with Tomcat 5.0 ===================

Ugh!~!!! (second time doing JSP) My conn.java:
=================== In the code below there are parts I don't understand; I just copied it from someone else. ====
package taiping;
import java.util.*;
import java.sql.*;
import java.io.*;

public class conn
{
    Connection con;
    ResultSet rs=null;
    Statement stmt=null;
    String driver="";
    String url="";
    String user="";
    String password="";

    public conn()
    {
        try
        {
            InputStream fis =getClass().getResourceAsStream("db.properties");
            Properties ps=new Properties();
            ps.load(fis);
            driver=ps.getProperty("driver");
            url=ps.getProperty("url");
            user=ps.getProperty("username");
            password=ps.getProperty("password");
            Class.forName(driver);
        }
        catch (java.lang.ClassNotFoundException e)
        {
            System.err.println("DataConnectionDrever:"+e.getMessage());
        }
        catch (Exception e)
        {
            System.out.println("数据配置参数读取失败!");
        }
    }

    public void Insert(String sqlstring)
    {
        try
        {
            con=DriverManager.getConnection(url,user,password);
            stmt=con.createStatement();
            stmt.executeUpdate(sqlstring);
        }
        catch (SQLException ex)
        {
            System.err.println("DataUpdate:"+ex.getMessage());
        }
    }

    public void Delete(String sqlstring)
    {
        try
        {
            con=DriverManager.getConnection(url,user,password);
            stmt=con.createStatement();
            stmt.executeUpdate(sqlstring);
        }
        catch (SQLException ex)
        {
            System.err.println("DataUpdate:"+ex.getMessage());
        }
    }

    public ResultSet executeQuery(String sqlstring)
    {
        try
        {
            con=DriverManager.getConnection(url,user,password);
            stmt=con.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
            rs=stmt.executeQuery(sqlstring);
        }
        catch (SQLException ex)
        {
            System.err.println("DataQuery:"+ex.getMessage());
        }
        return rs;
    }

    public void CloseConn() throws Exception
    {
        if(rs != null) rs.close();
        if(stmt != null) stmt.close();
        if(con != null) con.close();
    }
}
==============================================================

Oh, never done that, so I don't know. Can't the JSP server automatically hide some error messages?
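As an added example (not code from the thread, and not the poster's conn.java): a wrapper in the same role as conn, extended with a parameterised executeQuery, which is the answer to "how do I add prepareStatement" and to the operation.jsp question at once. The class name SafeConn and the method findNews are assumed, and the code avoids varargs and autoboxing because the thread mentions JDK 1.4.

```java
package xx;
import java.sql.*;

// Added example, not the thread's conn.java: same inputs (url/user/password
// read from db.properties) but queries go through PreparedStatement.
// No varargs or autoboxing, since the thread runs on JDK 1.4 / Tomcat 5.0.
public class SafeConn {
    private String url, user, password;
    private Connection con;
    private PreparedStatement pstmt;
    private ResultSet rs;

    public SafeConn(String url, String user, String password) {
        this.url = url; this.user = user; this.password = password;
    }

    // Each '?' in sql is bound from params[]. The driver sends the values
    // separately from the statement text, so a quote or "or 1=1" inside a
    // value is compared as data and is never parsed as SQL.
    public ResultSet executeQuery(String sql, Object[] params) throws SQLException {
        con = DriverManager.getConnection(url, user, password);
        pstmt = con.prepareStatement(sql);
        for (int i = 0; i < params.length; i++) {
            pstmt.setObject(i + 1, params[i]);   // JDBC indices are 1-based
        }
        rs = pstmt.executeQuery();
        return rs;
    }

    // The operation.jsp query from the thread with placeholders. The JSP
    // calls Integer.parseInt on subcategory_id, so non-numeric input fails
    // there instead of reaching the database as SQL text.
    public ResultSet findNews(int subcategoryId, String input) throws SQLException {
        if (input == null) {
            return executeQuery("select * from news where subcategory_id=? order by news_id desc",
                    new Object[] { new Integer(subcategoryId) });
        }
        // The LIKE pattern is assembled in Java and passed as a single value.
        // '%' or '_' typed by the user still act as wildcards: a search-quality
        // issue, not an injection.
        return executeQuery("select * from news where subcategory_id=? and title like ? order by news_id desc",
                new Object[] { new Integer(subcategoryId), "%" + input + "%" });
    }

    public void close() {
        try { if (rs != null) rs.close(); } catch (SQLException ignored) {}
        try { if (pstmt != null) pstmt.close(); } catch (SQLException ignored) {}
        try { if (con != null) con.close(); } catch (SQLException ignored) {}
    }
}
```

A missing table surfaces as the SQLException thrown from executeQuery, so catching it in the JSP and rendering an empty list keeps the driver's message off the page, which is the second thing the poster asked for.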