现有一项目,自己用啊D注入工具检测,很容易的获取了数据库中内容。
项目关键代码片段:package cn.vangdo.plastic.opendb;
import java.sql.*;
import java.util.*;import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;public class DB
{
private String jndiName = null;
private Connection conn = null;
private PreparedStatement psmt = null;
private ResultSet rs = null;
private ResultSetMetaData rsmd = null; /**
*DbOperation(),构造函数,默认非事务模式
*/
public DB(){
//jndiName = "java:comp/env/dbbbsJNDI";
jndiName = "java:comp/env/www_plastic_2006/jdbcmssql";
boolean isConnValid = false;
try {
Context ctx = new InitialContext();
DataSource ds = (DataSource) ctx.lookup(jndiName);
conn = ds.getConnection();
} catch (NamingException e) {
System.out.println(
"Can not find JNDI Name, datesource configuration error!");
} catch (SQLException e) {
System.out.println("Can not connect to database, please check the path and the username and the password!" + e.getMessage());
}
}
public HashMap queryOne(String strSql) throws SQLException {
HashMap ht = new HashMap();
this.psmt = null;
this.rs = null;
this.rsmd = null;
try{
this.psmt = this.conn.prepareStatement(strSql);
this.rs = this.psmt.executeQuery();
this.rsmd = this.rs.getMetaData();
}catch(SQLException e){
if(this.conn.getAutoCommit())
this.close();
throw new SQLException(this.MakeErrMsg(strSql,e));
}
int columnCount = this.rsmd.getColumnCount();
try{
if (this.rs.next()) {
for (int i = 1; i <= columnCount; i++) {
Object obj = this.rs.getObject(i);
if (obj != null){
String temp=obj.toString().trim();
ht.put(this.rsmd.getColumnName(i),temp);
}else{
String nuller = "";
ht.put(this.rsmd.getColumnName(i),nuller);
}
}
}
}catch(SQLException e){
this.rs.close();
this.psmt.close();
if(this.conn.getAutoCommit())
this.close();
throw e;
}
this.rs.close();
this.psmt.close();
return ht;
}
/**
* 关闭数据库连接,在一个数据库连接关闭后必须调用
*/
public void close() {
try{
if(this.conn != null && this.conn.isClosed() == false)
this.conn.close();
}catch(SQLException e){
e.printStackTrace();
}
if(this.rsmd != null)
this.rsmd = null;
if(this.rs != null)
this.rs = null;
if(this.psmt != null)
this.psmt = null;
if(this.conn != null)
this.conn = null;
}
public Connection getConnection()
{
return this.conn;
}
}package cn.vangdo.journal.gonggao;import java.util.HashMap;import cn.vangdo.plastic.opendb.DB;public class GongGaoManage {
StringBuffer sbSql = null;
/**
* 获取一条公告信息
* @param strUserId
* @return
* @throws Exception
*/
public HashMap getOneGongGao(String gonggaoid)throws Exception{
HashMap returnHm = null;
sbSql = new StringBuffer();
sbSql.append("SELECT ID,PopedomName,gonggaocontent,CreatedBy,CreatedDate ")
.append("FROM gonggao ")
.append("WHERE ID = '")
.append(gonggaoid)
.append("'");
DB db=new DB();
try{
returnHm = db.queryOne(sbSql.toString());
db.close();
}catch(Exception e){
db.close();
throw new Exception(e);
}finally{
db.close();
}
return returnHm;
}
}
项目关键代码片段:package cn.vangdo.plastic.opendb;
import java.sql.*;
import java.util.*;import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;public class DB
{
private String jndiName = null;
private Connection conn = null;
private PreparedStatement psmt = null;
private ResultSet rs = null;
private ResultSetMetaData rsmd = null; /**
*DbOperation(),构造函数,默认非事务模式
*/
public DB(){
//jndiName = "java:comp/env/dbbbsJNDI";
jndiName = "java:comp/env/www_plastic_2006/jdbcmssql";
boolean isConnValid = false;
try {
Context ctx = new InitialContext();
DataSource ds = (DataSource) ctx.lookup(jndiName);
conn = ds.getConnection();
} catch (NamingException e) {
System.out.println(
"Can not find JNDI Name, datesource configuration error!");
} catch (SQLException e) {
System.out.println("Can not connect to database, please check the path and the username and the password!" + e.getMessage());
}
}
public HashMap queryOne(String strSql) throws SQLException {
HashMap ht = new HashMap();
this.psmt = null;
this.rs = null;
this.rsmd = null;
try{
this.psmt = this.conn.prepareStatement(strSql);
this.rs = this.psmt.executeQuery();
this.rsmd = this.rs.getMetaData();
}catch(SQLException e){
if(this.conn.getAutoCommit())
this.close();
throw new SQLException(this.MakeErrMsg(strSql,e));
}
int columnCount = this.rsmd.getColumnCount();
try{
if (this.rs.next()) {
for (int i = 1; i <= columnCount; i++) {
Object obj = this.rs.getObject(i);
if (obj != null){
String temp=obj.toString().trim();
ht.put(this.rsmd.getColumnName(i),temp);
}else{
String nuller = "";
ht.put(this.rsmd.getColumnName(i),nuller);
}
}
}
}catch(SQLException e){
this.rs.close();
this.psmt.close();
if(this.conn.getAutoCommit())
this.close();
throw e;
}
this.rs.close();
this.psmt.close();
return ht;
}
/**
* 关闭数据库连接,在一个数据库连接关闭后必须调用
*/
public void close() {
try{
if(this.conn != null && this.conn.isClosed() == false)
this.conn.close();
}catch(SQLException e){
e.printStackTrace();
}
if(this.rsmd != null)
this.rsmd = null;
if(this.rs != null)
this.rs = null;
if(this.psmt != null)
this.psmt = null;
if(this.conn != null)
this.conn = null;
}
public Connection getConnection()
{
return this.conn;
}
}package cn.vangdo.journal.gonggao;import java.util.HashMap;import cn.vangdo.plastic.opendb.DB;public class GongGaoManage {
StringBuffer sbSql = null;
/**
* 获取一条公告信息
* @param strUserId
* @return
* @throws Exception
*/
public HashMap getOneGongGao(String gonggaoid)throws Exception{
HashMap returnHm = null;
sbSql = new StringBuffer();
sbSql.append("SELECT ID,PopedomName,gonggaocontent,CreatedBy,CreatedDate ")
.append("FROM gonggao ")
.append("WHERE ID = '")
.append(gonggaoid)
.append("'");
DB db=new DB();
try{
returnHm = db.queryOne(sbSql.toString());
db.close();
}catch(Exception e){
db.close();
throw new Exception(e);
}finally{
db.close();
}
return returnHm;
}
}
sbSql = new StringBuffer();
sbSql.append("SELECT ID,PopedomName,gonggaocontent,CreatedBy,CreatedDate ")
.append("FROM gonggao ")
.append("WHERE ID = '")
.append(gonggaoid)
.append("'");
不要去拼写SQL语句就好了
sbSql.append("SELECT ID,PopedomName,gonggaocontent,CreatedBy,CreatedDate ")
.append("FROM gonggao ")
.append("WHERE ID = '")
.append(gonggaoid)
.append("'");
不好意思,麻烦介绍一下怎么不用拼写sql语句,而改用预编译方式???
public HashMap queryOne(String gonggaoid) throws SQLException {
HashMap ht = new HashMap();
this.psmt = null;
this.rs = null;
this.rsmd = null;
try{
this.psmt = this.conn.prepareStatement("select id,popedomName,gonggaocontent,createBy,createDate from gonggao where id = ?");
this.psmt.setString(1,gonggaoid);
this.rs = this.psmt.executeQuery();
this.rsmd = this.rs.getMetaData();
}catch(SQLException e){
if(this.conn.getAutoCommit())
this.close();
throw new SQLException(this.MakeErrMsg(strSql,e));
}
int columnCount = this.rsmd.getColumnCount();
try{
if (this.rs.next()) {
for (int i = 1; i <= columnCount; i++) {
Object obj = this.rs.getObject(i);
if (obj != null){
String temp=obj.toString().trim();
ht.put(this.rsmd.getColumnName(i),temp);
}else{
String nuller = "";
ht.put(this.rsmd.getColumnName(i),nuller);
}
}
}
}catch(SQLException e){
this.rs.close();
this.psmt.close();
if(this.conn.getAutoCommit())
this.close();
throw e;
}
this.rs.close();
this.psmt.close();
return ht;
}
psmt.setString
psmt.setint
psmt.setxxx
我从网上找了一个过滤器,大家帮忙看看可以防止sql注入吗?在web.xml中加入
<filter>
<filter-name>Sqlurl</filter-name>
<filter-class>cn.vangdo.plastic.opendb.sddd1</filter-class>
<init-param>
<param-name>forward</param-name>
<param-value>/Sql500.jsp</param-value>
</init-param>
<init-param>
<param-name>sql</param-name>
<param-value>'|and|exec|execute|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,|like</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Sqlurl</filter-name>
<url-pattern>/jobEntMemberManage/EnterprisesUI/resume/searchover.jsp</url-pattern>
</filter-mapping>
程序代码为
package cn.vangdo.plastic.opendb;import java.io.IOException;
import java.util.Enumeration;import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;public class sddd1 implements Filter{
private static String web_xml_url;
private static String forward;
/**
* URL过滤,true为合法 false为非法
* @return
*/
public static boolean UrlFile(HttpServletRequest request)
{
//转义字符
String web_xml[]=web_xml_url.split("\\|");
StringBuffer str;
String st[];
StringBuffer keyName;
Enumeration enu=request.getParameterNames();
while(enu.hasMoreElements())
{
keyName=new StringBuffer((String)enu.nextElement());
if(request.getParameter(keyName.toString())!=null)
{
str=new StringBuffer(request.getParameter(keyName.toString()));
for(int i1=0;i1<web_xml.length;i1++)
{
if(str.lastIndexOf(web_xml[i1])!=-1)
{
return false;
}
}
}
else if(request.getParameterValues(keyName.toString())!=null)
{
st=request.getParameterValues(keyName.toString());
for(int i=0;i<st.length;i++)
{
for(int j=0;j<web_xml.length;j++)
{
if(st[i].lastIndexOf(web_xml[j])!=-1)
{
return false;
}
}
}
}
}
return true;
} public void destroy() {
// TODO Auto-generated method stub
} public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
boolean boo=sddd1.UrlFile((HttpServletRequest)request);
if(boo==false)
{
request.getRequestDispatcher(forward).forward(request, response);
}
else
{
chain.doFilter(request, response);
}
// TODO Auto-generated method stub
} public void init(FilterConfig filterConfig) throws ServletException {
// TODO Auto-generated method stub
this.web_xml_url=filterConfig.getInitParameter("sql");
this.forward=filterConfig.getInitParameter("forward");
System.out.println(web_xml_url);
} public static String getWeb_xml_url() {
return web_xml_url;
} public static void setWeb_xml_url(String web_xml_url) {
sddd1.web_xml_url = web_xml_url;
} public static String getForward() {
return forward;
} public static void setForward(String forward) {
sddd1.forward = forward;
} }
我想知道,有没有什么简单点的方式可以解决,比如加过滤器什么的!