我在IF部分修复了Sql注入,因为在IF和ELSE部分中参数的数量不同,我将IF..ELSE分解为两个函数但不幸的是我的查询不起作用是否有人有建议请?
if (prevContactSeq==null)
{
contactQuery.append("Insert into contacttable(");
contactQuery.append("ContactSeq,ID,LastName,FirstName,ContactLabel,Phone1,Phone2)");
contactQuery.append("Values("+ contactSeq+ "," + Id + ",'" + lastName + "','"+ firstName + "','WEB',"+ Long.parseLong(contactresult) + ","+ Long.parseLong(alternatecontactresult) + ")");
//+ updateFields + " where id = " + tId;
logClient.debug("Insert Query " + contactQuery.toString());
System.out.println("RContact Insertion Query "+contactQuery.toString());
}
else
{
contactQuery.append("Update contacttable ");
contactQuery.append(" Set phone1=" + Long.parseLong(contactresult) + ",");
contactQuery.append(" phone2 =" + Long.parseLong(alternatecontactresult));
contactQuery.append(" Where contactSeq="+ prevContactSeq);
contactQuery.append(" And id=" + Id);
System.out.println("Contact Update Query "+contactQuery.toString());
}
try{
JdbcTemplate jdbcTemplate = this.getJdbcTemplate();
return jdbcTemplate.update(contactQuery.toString());
}catch(DataAccessException dae){
dae.printStackTrace();
//error in making the database update. return 0 to identify that the database update failed
return 0;
}
}
我执行此修复但查询无效:
if (prevContactSeq == null) {
update= insertContact(firstName,Id, contactresult,
alternatecontactresult, contactSeq,lastName);
}
else
{
update= updateContact(Id, contactresult,
alternatecontactresult, prevContactSeq);
}
return update;
}
private int updateContact(int Id,
String contactresult, String alternatecontactresult,
Integer prevContactSeq) {
StringBuffer contactQuery =new StringBuffer();
contactQuery.append("Update contacttable ");
contactQuery.append(" Set phone1=Long.parseLong(?),");
contactQuery.append(" phone2 =Long.parseLong(?)");
contactQuery.append(" Where contactSeq=?");
contactQuery.append(" And id=?");
System.out.println("Contact Update Query "+contactQuery.toString());
try{
JdbcTemplate jdbcTemplate = this.getJdbcTemplate();
return jdbcTemplate.update(contactQuery.toString(), new Object[] {contactresult,alternatecontactresult,prevContactSeq,Id});
}catch(DataAccessException dae){
dae.printStackTrace();
//error in making the database update. return 0 to identify that the database update failed
return 0;
}
}
private int insertContact(String firstName, int Id,
String contactresult, String alternatecontactresult,
Integer contactSeq,String lastName) {
StringBuffer contactQuery =new StringBuffer();
contactQuery.append("Insert into contacttable(");
contactQuery.append("ContactSeq,ID,LastName,FirstName,ContactLabel,Phone1,Phone2)");
contactQuery.append("Values( ?,?,?,?,?,Long.parseLong(?),Long.parseLong(?)");
logClient.debug("Insert Query " + contactQuery.toString());
System.out.println("Contact Insertion Query "+contactQuery.toString());
try{
JdbcTemplate jdbcTemplate = this.getJdbcTemplate();
return jdbcTemplate.update(contactQuery.toString(), new Object[] {contactSeq,Id,lastName,firstName,"WEB",contactresult,alternatecontactresult});
}catch(DataAccessException dae){
dae.printStackTrace();
//error in making the database update. return 0 to identify that the database update failed
return 0;
}
}
答案 0 :(得分:0)
您正在进行SQL注入,但没有正确注入参数。
您的代码需要更改如下, ParseLong 应该在我们有值的地方使用
homestead provision和动态传递的参数应该有一个像下面那样的解析方法
php5-fpm: unrecognised service其他部分改变
StringBuffer contactQuery =new StringBuffer();
contactQuery.append("Update contacttable ");
contactQuery.append(" Set phone1=?,");
contactQuery.append(" phone2 =?");
contactQuery.append(" Where contactSeq=?");
contactQuery.append(" And id=?");
如果您不确定value是否为null,则可以在执行 return jdbcTemplate.update(contactQuery.toString(), new Object[] {Long.parseLong(contactresult),Long.parseLong(alternatecontactresult),prevContactSeq,Id});
之前添加null check