Don't understand the JSP, could you tell me how to prevent SQL injection?

Time:03-04

How can this code prevent SQL injection through the S1 parameter?


```jsp
<%@ page language="java" %>
<%@ page session="true" %>
<%@ page contentType="text/html; charset=GB2312" %>
<%-- import needed for the ArrayList declarations below --%>
<%@ page import="java.util.ArrayList" %>
<html>
<head>
<meta name="GENERATOR" content="Microsoft FrontPage 6.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>New page 1</title>
</head>
<%
String doType = request.getParameter("doType");
if (doType == null) { return; }
if (doType.equals("100"))
{
    // the whole SQL statement comes straight from the S1 textarea and is executed as-is
    String sql = request.getParameter("S1");
    if (sql != null)
    {
        doSQLExecProc doProc = new doSQLExecProc();
        doProc.pSQL = sql;
        doProc.doProc();
        out.println("execution success!");
    }
}
else if (doType.equals("101"))
{
    // same here: S1 is used verbatim as the query behind the grid
    String sql = request.getParameter("S1");
    if (sql != null)
    {
        ArrayList row = new ArrayList();
        ArrayList rows = new ArrayList();

        boolean rowNum = true;
        int count = 0;

        int per = 100;
        int page1 = 1;

        try { page1 = Integer.parseInt(request.getParameter("page")); } catch (Exception e) {}

        try {
            GridData data = new GridData(sql);
            if (rowNum == true)
            {
                count = data.getColumnCount() + 1;
            }
            else
            {
                count = data.getColumnCount();
            }

            GridHead head = new GridHead("table1", "sort", String.valueOf(count * 120), false);

            WebGrid grid = new WebGrid(response, head, data, rowNum);
            grid.show(page1, per);

        } catch (Exception e) { out.println(e); }
    }
}
else if (doType.equals("102"))
{
    String fileName = request.getParameter("fileName");
    String fileTrueName = request.getParameter("fileTrueName");
    String filePath = request.getParameter("filePath");
    new net.btdz.oa.common.Downloadfile(filePath, fileName, fileTrueName, response);
}
else {
%>
<body scroll=yes topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">
<form name="myform" action="test.jsp" method="post" target="I1">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="100%">
<tr>
<td height="30%">
<textarea name="S1" rows="13" cols="137" style="width: 99%; height: 99%" value=""></textarea>
</td>
</tr>
<tr>
<td height="10%">
<input type="text" name="filePath" value="">
<input type="text" name="fileName" value="">
<input type="text" name="fileTrueName" value="">
<input type="text" name="doType" value="1">
<input type="submit" value="run" name="B1">
</td>
</tr>
<tr>
<td height="60%"><iframe name="I1" width="970" height="216" style="width: 100%; height: 100%">Your browser does not support embedded frames, or is configured not to display them.</iframe></td>
</tr>
</table>
</form>

</body>
<%
}
%>
</html>
```

CodePudding user response:

Usually you use a layered structure and then parameterize the SQL.

When the whole SQL statement is passed in as a parameter, I think you have to combine it with your own business logic: filter on the table name so that only this table can be operated on, and filter the where condition to limit the range of the operation.

CodePudding user response:

If you pass in the whole SQL statement as a parameter, what SQL injection prevention is there to talk about?
All I can say is that the SQL itself should be written in advance, with question-mark placeholders: `String sql = "update table set name=? where id=?";`
Then accept the parameters: `String name = request.getParameter("name"), id = request.getParameter("id");`
Then use a precompiled statement: `PreparedStatement pstmt = con.prepareStatement(sql);`
Then set the parameters: `pstmt.setString(1, name); pstmt.setString(2, id);`
Finally run the SQL: `pstmt.executeUpdate();`
This is how you prevent SQL injection; for details see: https://www.cnblogs.com/zouqin/p/5314827.html
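The pattern from the second answer written out as a small data-access class, placed beside the raw-statement pattern the posted JSP uses; this is an added example, not code from the original thread. The table `employee` with columns `id`, `name` and `dept` is a hypothetical schema, and the id is bound with `setInt` rather than the answer's `setString`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

// Added example (not from the original post). Assumes a hypothetical table
// "employee" with columns id, name and dept.
public class EmployeeDao {

    // UNSAFE: mirrors the doType 100 / 101 branches of the posted JSP, where the
    // whole statement arrives in request parameter S1 and is executed verbatim.
    // No filtering can fix this, because the client authors the entire statement.
    public static void runRawSql(Connection con, String s1) throws SQLException {
        try (Statement st = con.createStatement()) {
            st.execute(s1);
        }
    }

    // SAFE: the statement text is fixed at compile time; request values only
    // ever fill the ? placeholders, which the driver sends as typed parameters,
    // never as SQL text. This is the PreparedStatement pattern from the answer.
    private static final String UPDATE_NAME =
        "UPDATE employee SET name = ? WHERE id = ?";

    public static int renameEmployee(Connection con, String name, String idParam)
            throws SQLException {
        int id = Integer.parseInt(idParam.trim()); // non-numeric id is rejected here
        try (PreparedStatement ps = con.prepareStatement(UPDATE_NAME)) {
            ps.setString(1, name);
            ps.setInt(2, id);
            return ps.executeUpdate();
        }
    }

    // Identifiers such as a sort column (the grid's "sort" above) cannot be
    // bound with ?, so a user-chosen column must be checked against an allow-list
    // before it is concatenated into the statement.
    private static final Set<String> SORTABLE = Set.of("id", "name", "dept");

    public static ResultSet listSorted(Connection con, String sortParam)
            throws SQLException {
        String col = SORTABLE.contains(sortParam) ? sortParam : "id";
        PreparedStatement ps = con.prepareStatement(
            "SELECT id, name, dept FROM employee ORDER BY " + col);
        return ps.executeQuery(); // caller closes the ResultSet and its statement
    }
}
```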