SQL injection fixed, but the query does not work - Spring MVC

I fixed the SQL injection in the IF part. Because the IF and ELSE parts take different numbers of parameters, I split the IF..ELSE into two functions, but unfortunately my query does not work. Does anyone have a suggestion?
    // Original version: every value is concatenated straight into the SQL text.
    if (prevContactSeq == null)
    {
        contactQuery.append("Insert into contacttable(");
        contactQuery.append("ContactSeq,ID,LastName,FirstName,ContactLabel,Phone1,Phone2)");
        contactQuery.append("Values(" + contactSeq + "," + Id + ",'" + lastName + "','" + firstName + "','WEB'," + Long.parseLong(contactresult) + "," + Long.parseLong(alternatecontactresult) + ")");
        //+ updateFields + " where id = " + tId;
        logClient.debug("Insert Query " + contactQuery.toString());
        System.out.println("RContact Insertion Query " + contactQuery.toString());
    }
    else
    {
        contactQuery.append("Update contacttable ");
        contactQuery.append(" Set phone1=" + Long.parseLong(contactresult) + ",");
        contactQuery.append(" phone2 =" + Long.parseLong(alternatecontactresult));
        contactQuery.append(" Where contactSeq=" + prevContactSeq);
        contactQuery.append(" And id=" + Id);
        System.out.println("Contact Update Query " + contactQuery.toString());
    }
    try {
        JdbcTemplate jdbcTemplate = this.getJdbcTemplate();
        return jdbcTemplate.update(contactQuery.toString());
    } catch (DataAccessException dae) {
        dae.printStackTrace();
        // error in making the database update. return 0 to identify that the database update failed
        return 0;
    }
}
Here is what I did to fix it, but the query does not work:
    if (prevContactSeq == null) {
        update = insertContact(firstName, Id, contactresult,
                alternatecontactresult, contactSeq, lastName);
    }
    else
    {
        update = updateContact(Id, contactresult,
                alternatecontactresult, prevContactSeq);
    }
    return update;
}

private int updateContact(int Id,
        String contactresult, String alternatecontactresult,
        Integer prevContactSeq) {
    StringBuffer contactQuery = new StringBuffer();
    contactQuery.append("Update contacttable ");
    // Long.parseLong(?) is Java syntax placed inside the SQL string; the database sees it as text
    contactQuery.append(" Set phone1=Long.parseLong(?),");
    contactQuery.append(" phone2 =Long.parseLong(?)");
    contactQuery.append(" Where contactSeq=?");
    contactQuery.append(" And id=?");
    System.out.println("Contact Update Query " + contactQuery.toString());
    try {
        JdbcTemplate jdbcTemplate = this.getJdbcTemplate();
        return jdbcTemplate.update(contactQuery.toString(), new Object[] {contactresult, alternatecontactresult, prevContactSeq, Id});
    } catch (DataAccessException dae) {
        dae.printStackTrace();
        // error in making the database update. return 0 to identify that the database update failed
        return 0;
    }
}

private int insertContact(String firstName, int Id,
        String contactresult, String alternatecontactresult,
        Integer contactSeq, String lastName) {
    StringBuffer contactQuery = new StringBuffer();
    contactQuery.append("Insert into contacttable(");
    contactQuery.append("ContactSeq,ID,LastName,FirstName,ContactLabel,Phone1,Phone2)");
    // Long.parseLong(?) is Java syntax placed inside the SQL string; the database sees it as text
    contactQuery.append("Values( ?,?,?,?,?,Long.parseLong(?),Long.parseLong(?))");
    logClient.debug("Insert Query " + contactQuery.toString());
    System.out.println("Contact Insertion Query " + contactQuery.toString());
    try {
        JdbcTemplate jdbcTemplate = this.getJdbcTemplate();
        return jdbcTemplate.update(contactQuery.toString(), new Object[] {contactSeq, Id, lastName, firstName, "WEB", contactresult, alternatecontactresult});
    } catch (DataAccessException dae) {
        dae.printStackTrace();
        // error in making the database update. return 0 to identify that the database update failed
        return 0;
    }
}
You are addressing SQL injection, but you are not injecting the parameters correctly. Your code needs to be changed as follows; parseLong should be applied where we have the value:

    StringBuffer contactQuery = new StringBuffer();
    contactQuery.append("Update contacttable ");
    contactQuery.append(" Set phone1=?,");
    contactQuery.append(" phone2 =?");
    contactQuery.append(" Where contactSeq=?");
    contactQuery.append(" And id=?");

The dynamically passed parameters should be parsed as follows:

    return jdbcTemplate.update(contactQuery.toString(), new Object[] {Long.parseLong(contactresult), Long.parseLong(alternatecontactresult), prevContactSeq, Id});

Changes for the other part:
    private int updateContact(int Id,
            String contactresult, String alternatecontactresult,
            Integer prevContactSeq) {
        StringBuffer contactQuery = new StringBuffer();
        contactQuery.append("Update contacttable ");
        contactQuery.append(" Set phone1=?,");
        contactQuery.append(" phone2 =?");
        contactQuery.append(" Where contactSeq=?");
        contactQuery.append(" And id=?");
        System.out.println("Contact Update Query " + contactQuery.toString());
        try {
            JdbcTemplate jdbcTemplate = this.getJdbcTemplate();
            return jdbcTemplate.update(contactQuery.toString(), new Object[] {Long.parseLong(contactresult), Long.parseLong(alternatecontactresult), prevContactSeq, Id});
        } catch (DataAccessException dae) {
            dae.printStackTrace();
            // error in making the database update. return 0 to identify that the database update failed
            return 0;
        }
    }
If you are not sure whether the value can be null, you can add a null check before calling Long.parseLong. SQL does not have any Long.parseLong() function. If contactResult (and the other parameters) are supposed to be long values rather than strings, then they should be of type long. Use the proper types from the start, i.e. before calling these methods.

Thank you for your reply. Am I doing this correctly by fixing SQL injection with prepared statements? Please advise. Thanks.

Could you tell me what you think about the other part? I have an issue with that part. Thanks.
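As an added example (not the original poster's or either answerer's code), this is the shape the two methods take once the phone strings are converted in Java and only plain `?` placeholders remain in the SQL, with the null check and the proper types the second answer asks for. It assumes spring-jdbc on the classpath and a `contacttable` with the columns named in the question; the column types in `CREATE TABLE`, the `ContactDao` class, the `parsePhone` and `saveContact` method names, and the use of the H2 in-memory driver in `main` are assumptions for the demonstration, and the hostile last name is a constructed sample input.

```java
import org.springframework.dao.DataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

public class ContactDao {

    private final JdbcTemplate jdbcTemplate;

    public ContactDao(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // Convert the phone string in Java, before anything touches SQL.
    // Blank input becomes null, which JdbcTemplate binds as SQL NULL.
    // Non-numeric input is rejected here instead of being sent to the database.
    static Long parsePhone(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return null;
        }
        try {
            return Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("phone must be numeric, got: " + raw, e);
        }
    }

    // Only '?' placeholders appear in the SQL text; every value is bound as a parameter.
    public int insertContact(int contactSeq, int id, String lastName, String firstName,
                             String contactResult, String alternateContactResult) {
        String sql = "INSERT INTO contacttable "
                + "(ContactSeq, ID, LastName, FirstName, ContactLabel, Phone1, Phone2) "
                + "VALUES (?, ?, ?, ?, ?, ?, ?)";
        return jdbcTemplate.update(sql, contactSeq, id, lastName, firstName, "WEB",
                parsePhone(contactResult), parsePhone(alternateContactResult));
    }

    public int updateContact(int id, int prevContactSeq,
                             String contactResult, String alternateContactResult) {
        String sql = "UPDATE contacttable SET Phone1 = ?, Phone2 = ? "
                + "WHERE ContactSeq = ? AND ID = ?";
        return jdbcTemplate.update(sql, parsePhone(contactResult),
                parsePhone(alternateContactResult), prevContactSeq, id);
    }

    // Same IF/ELSE split as the question; returns 0 on a database failure, as the question does.
    public int saveContact(Integer prevContactSeq, int contactSeq, int id, String lastName,
                           String firstName, String contactResult, String alternateContactResult) {
        try {
            if (prevContactSeq == null) {
                return insertContact(contactSeq, id, lastName, firstName,
                        contactResult, alternateContactResult);
            }
            return updateContact(id, prevContactSeq, contactResult, alternateContactResult);
        } catch (DataAccessException dae) {
            dae.printStackTrace();
            return 0;
        }
    }

    // Stand-alone demonstration. Assumption: the H2 driver is on the classpath (in-memory DB).
    public static void main(String[] args) {
        DriverManagerDataSource ds = new DriverManagerDataSource(
                "jdbc:h2:mem:contacts;DB_CLOSE_DELAY=-1", "sa", "");
        JdbcTemplate jt = new JdbcTemplate(ds);
        jt.execute("CREATE TABLE contacttable (ContactSeq INT, ID INT, LastName VARCHAR(100), "
                + "FirstName VARCHAR(100), ContactLabel VARCHAR(10), Phone1 BIGINT, Phone2 BIGINT)");
        ContactDao dao = new ContactDao(jt);

        // Constructed sample input: with string concatenation this would terminate the INSERT early.
        String hostileLastName = "O'Brien'); DROP TABLE contacttable; --";
        int inserted = dao.saveContact(null, 1, 42, hostileLastName, "Ann", "15551234567", "");
        int updated = dao.saveContact(1, 1, 42, hostileLastName, "Ann", "15557654321", "15550000000");

        String storedName = jt.queryForObject(
                "SELECT LastName FROM contacttable WHERE ContactSeq = ? AND ID = ?",
                String.class, 1, 42);
        Long storedPhone2 = jt.queryForObject(
                "SELECT Phone2 FROM contacttable WHERE ContactSeq = ? AND ID = ?",
                Long.class, 1, 42);
        System.out.println("inserted=" + inserted + " updated=" + updated
                + " nameStoredVerbatim=" + hostileLastName.equals(storedName)
                + " phone2=" + storedPhone2);
    }
}
```

The point of `parsePhone` is that conversion and validation happen on the Java side: the SQL text never contains a Java call, a blank phone is bound as NULL rather than blowing up in `Long.parseLong`, and a non-numeric phone raises `IllegalArgumentException` before any statement is sent, so the caller can reject the request. The hostile last name is stored verbatim as data because it travels as a bound parameter, never as part of the statement.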