SQL injection fixed, but the query does not work - Spring MVC

Tags: spring, spring-mvc, spring-jdbc

I fixed the SQL injection in the IF part. Since the IF and ELSE parts take a different number of parameters, I split the IF..ELSE into two functions, but unfortunately my query does not work. Does anyone have a suggestion?

```java
 if (prevContactSeq==null)
    {

        contactQuery.append("Insert into contacttable(");
        contactQuery.append("ContactSeq,ID,LastName,FirstName,ContactLabel,Phone1,Phone2)");
        contactQuery.append("Values("+ contactSeq+ "," + Id + ",'" + lastName + "','"+ firstName + "','WEB',"+ Long.parseLong(contactresult) + ","+ Long.parseLong(alternatecontactresult) + ")");
        //+ updateFields + " where id = " + tId;
        logClient.debug("Insert Query " + contactQuery.toString()); 
        System.out.println("RContact Insertion Query "+contactQuery.toString());
    }
    else
    {

        contactQuery.append("Update contacttable ");
        contactQuery.append(" Set phone1=" + Long.parseLong(contactresult) + ",");
        contactQuery.append(" phone2 =" + Long.parseLong(alternatecontactresult));
        contactQuery.append(" Where contactSeq="+ prevContactSeq);
        contactQuery.append(" And id=" + Id);

        System.out.println("Contact Update Query "+contactQuery.toString());
    }

    try{        
        JdbcTemplate jdbcTemplate = this.getJdbcTemplate();         
        return jdbcTemplate.update(contactQuery.toString());
    }catch(DataAccessException dae){
        dae.printStackTrace();
        //error in making the database update. return 0 to identify that the database update failed
        return 0;
    }
} 
```
This is what I did to fix the problem, but the query does not work:

```java
if (prevContactSeq == null) {

        update= insertContact(firstName,Id, contactresult,
                alternatecontactresult, contactSeq,lastName);
    }
    else
    {

        update= updateContact(Id, contactresult,
                alternatecontactresult, prevContactSeq);
    }
    return update;

}

private int updateContact(int Id,
        String contactresult, String alternatecontactresult,
        Integer prevContactSeq) {

    StringBuffer contactQuery =new StringBuffer();
    contactQuery.append("Update contacttable ");
    contactQuery.append(" Set phone1=Long.parseLong(?),");
    contactQuery.append(" phone2 =Long.parseLong(?)");
    contactQuery.append(" Where contactSeq=?");
    contactQuery.append(" And id=?");

    System.out.println("Contact Update Query "+contactQuery.toString());
    try{        
        JdbcTemplate jdbcTemplate = this.getJdbcTemplate();         
        return jdbcTemplate.update(contactQuery.toString(),  new Object[] {contactresult,alternatecontactresult,prevContactSeq,Id});
    }catch(DataAccessException dae){
        dae.printStackTrace();
        //error in making the database update. return 0 to identify that the database update failed
        return 0;
    }
}

private int insertContact(String firstName, int Id,
        String contactresult, String alternatecontactresult,
        Integer contactSeq,String lastName) {
    StringBuffer contactQuery =new StringBuffer();
    contactQuery.append("Insert into contacttable(");
    contactQuery.append("ContactSeq,ID,LastName,FirstName,ContactLabel,Phone1,Phone2)");
    contactQuery.append("Values( ?,?,?,?,?,Long.parseLong(?),Long.parseLong(?)");
    logClient.debug("Insert Query " + contactQuery.toString()); 
    System.out.println("Contact Insertion Query "+contactQuery.toString());
    try{        
        JdbcTemplate jdbcTemplate = this.getJdbcTemplate();         
        return jdbcTemplate.update(contactQuery.toString(),  new Object[] {contactSeq,Id,lastName,firstName,"WEB",contactresult,alternatecontactresult});
    }catch(DataAccessException dae){
        dae.printStackTrace();
        //error in making the database update. return 0 to identify that the database update failed
        return 0;
    }
}
```

You are doing SQL injection, but you are not injecting the parameters correctly.

Your code needs to change as follows; parseLong should be used where we have the value.

```java
StringBuffer contactQuery =new StringBuffer();
    contactQuery.append("Update contacttable ");
    contactQuery.append(" Set phone1=?,");
    contactQuery.append(" phone2 =?");
    contactQuery.append(" Where contactSeq=?");
    contactQuery.append(" And id=?");
```
The dynamically passed parameters should be parsed as follows:

```java
 return jdbcTemplate.update(contactQuery.toString(),  new Object[] {Long.parseLong(contactresult),Long.parseLong(alternatecontactresult),prevContactSeq,Id});
```
Changes to the other part:

```java
private int updateContact(int Id,
        String contactresult, String alternatecontactresult,
        Integer prevContactSeq) {

    StringBuffer contactQuery =new StringBuffer();
    contactQuery.append("Update contacttable ");
    contactQuery.append(" Set phone1=?,");
    contactQuery.append(" phone2 =?");
    contactQuery.append(" Where contactSeq=?");
    contactQuery.append(" And id=?");

    System.out.println("Contact Update Query "+contactQuery.toString());
    try{        
        JdbcTemplate jdbcTemplate = this.getJdbcTemplate();         
        return jdbcTemplate.update(contactQuery.toString(),  new Object[] {Long.parseLong(contactresult),Long.parseLong(alternatecontactresult),prevContactSeq,Id});
    }catch(DataAccessException dae){
        dae.printStackTrace();
        //error in making the database update. return 0 to identify that the database update failed
        return 0;
    }
}
```

If you are not sure whether a value can be null, you can add a null check before calling Long.parseLong.

SQL does not have any Long.parseLong() function. If contactResult (and the other parameters) are supposed to be long values rather than strings, they should be of type long. Use the proper types from the start, i.e. before these methods are called.

Thanks for your reply. Am I doing it right, fixing the SQL injection by using prepared statements? Please advise. Thanks.

Could you tell me your thoughts on the other part? I have a problem with that part. Thanks.
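The answer above boils down to two rules: the SQL text contains only `?` placeholders, and any conversion from string to number happens in Java before the value is bound. The following is an added example (not the asker's or the answerer's code) that applies both rules to the insert and update statements from the question, with a null check before `Long.parseLong` and the missing closing parenthesis of the `VALUES` list restored. It assumes spring-jdbc and the H2 driver on the classpath; the class name `ContactDao`, the helper `parsePhone` and the sample values are constructed for illustration.

```java
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

// Added example, not code from the original question or answer.
// Assumes spring-jdbc and H2 on the classpath; table and column names follow the question.
public class ContactDao {
    private final JdbcTemplate jdbcTemplate;

    public ContactDao(JdbcTemplate jdbcTemplate) { this.jdbcTemplate = jdbcTemplate; }

    // Conversion happens in Java, not in SQL: the driver binds a Long (or SQL NULL),
    // so the raw text never becomes part of the statement.
    static Long parsePhone(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return null;                       // bound as SQL NULL instead of failing
        }
        return Long.parseLong(raw.trim());     // NumberFormatException for non-numeric input
    }

    public int insertContact(int contactSeq, int id, String lastName, String firstName,
                             String phone, String altPhone) {
        String sql = "INSERT INTO contacttable"
            + " (ContactSeq, ID, LastName, FirstName, ContactLabel, Phone1, Phone2)"
            + " VALUES (?, ?, ?, ?, ?, ?, ?)";  // seven placeholders, list closed
        return jdbcTemplate.update(sql, contactSeq, id, lastName, firstName, "WEB",
                                   parsePhone(phone), parsePhone(altPhone));
    }

    public int updateContact(int id, int prevContactSeq, String phone, String altPhone) {
        String sql = "UPDATE contacttable SET Phone1 = ?, Phone2 = ?"
            + " WHERE ContactSeq = ? AND ID = ?";
        return jdbcTemplate.update(sql, parsePhone(phone), parsePhone(altPhone),
                                   prevContactSeq, id);
    }

    public static void main(String[] args) {
        DriverManagerDataSource ds =
            new DriverManagerDataSource("jdbc:h2:mem:contacts;DB_CLOSE_DELAY=-1");
        JdbcTemplate jt = new JdbcTemplate(ds);
        jt.execute("CREATE TABLE contacttable (ContactSeq INT, ID INT, LastName VARCHAR(64),"
            + " FirstName VARCHAR(64), ContactLabel VARCHAR(16), Phone1 BIGINT, Phone2 BIGINT)");
        ContactDao dao = new ContactDao(jt);
        // Constructed sample input: the apostrophe in the surname is bound as data,
        // and the blank alternate phone is stored as NULL rather than throwing.
        System.out.println("inserted rows: " + dao.insertContact(1, 42, "O'Brien", "Ann", "5551234", ""));
        System.out.println("updated rows:  " + dao.updateContact(42, 1, "5559876", "5550000"));
    }
}
```

Both calls return 1 when run against the in-memory table; a non-numeric phone string still fails fast in Java with a NumberFormatException before any statement reaches the database.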