我写了一个小的Spring MVC应用程序 - 安全漏洞扫描显示SQL注入。请告诉我问题在哪里以及如何解决。
下面是我的 JSP 和 Java 代码。
<%-- Add/edit form backed by the "command" model attribute (EmployeeBean).
     The action presumably reaches the controller's POST /save handler (the servlet
     mapping that turns /app/save.html into /save is not shown). Every input below,
     including the readonly id, is submitted and bound into the bean by @ModelAttribute;
     readonly is a browser-side hint only and does not stop a client from sending a
     different id, which the controller then copies into the entity before saving. --%>
<form:form method="POST" action="/app/save.html">
<table>
<tr>
<td><form:label path="id">Employee ID:</form:label></td>
<%-- id is pre-filled from the bean; it is null after a save because prepareModel clears it --%>
<td><form:input path="id" value="${employee.id}"
readonly="true" /></td>
</tr>
<tr>
<td><form:label path="name">Employee Name:</form:label></td>
<td><form:input path="name" value="${employee.name}" /></td>
</tr>
<tr>
<td><form:label path="age">Employee Age:</form:label></td>
<td><form:input path="age" value="${employee.age}" /></td>
</tr>
<tr>
<td><form:label path="salary">Employee Salary:</form:label></td>
<td><form:input path="salary" value="${employee.salary}" /></td>
</tr>
<tr>
<td><form:label path="address">Employee Address:</form:label></td>
<td><form:input path="address" value="${employee.address}" /></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Submit" /></td>
</tr>
</table>
</form:form>
<%-- Employee table. The controller sets "employees" to null when the service returns
     no rows, so the EL "empty" test (true for both null and an empty list) is what
     hides this section. --%>
<c:if test="${!empty employees}">
<h2>List Employees</h2>
<table align="left" border="1">
<tr>
<th>Employee ID</th>
<th>Employee Name</th>
<th>Employee Age</th>
<th>Employee Salary</th>
<th>Employee Address</th>
<th>Actions on Row</th>
</tr>
<%-- c:out escapes its value for HTML by default (escapeXml="true"), so text that came
     in through the form (name, address) is not rendered as markup. --%>
<c:forEach items="${employees}" var="employee">
<tr>
<td><c:out value="${employee.id}" /></td>
<td><c:out value="${employee.name}" /></td>
<td><c:out value="${employee.age}" /></td>
<td><c:out value="${employee.salary}" /></td>
<td><c:out value="${employee.address}" /></td>
<%-- The id is interpolated into the href without c:out. It is populated from the
     entity's Integer key today; if the bean's id ever becomes free text, route it
     through c:out / fn:escapeXml like the cells above. --%>
<td align="center"><a href="edit.html?id=${employee.id}">Edit</a>
</td>
</tr>
</c:forEach>
</table>
</c:if>
控制器文件。
/**
 * Handles the POST from the employee form: maps the bound bean to an
 * {@code Employee} entity, hands it to the service and redirects to the list page.
 *
 * NOTE(review): every field of {@code employeeBean}, the id included, is taken from
 * the request. The JSP marks the id input readonly, but that is only a browser hint;
 * a client can submit any id and {@code prepareModel} copies it into the entity that
 * is then saved. Nothing in this handler validates the bean or checks that the
 * caller may modify the record with that id.
 *
 * @param employeeBean form-backing bean bound from the request
 * @param result binding outcome for {@code employeeBean}; not inspected here
 * @return a redirect to {@code /add.html}
 */
@RequestMapping(value = "/save", method = RequestMethod.POST)
public ModelAndView saveEmployee(@ModelAttribute("command") EmployeeBean employeeBean, BindingResult result) {
    // prepareModel also resets employeeBean's id to null as a side effect
    employeeService.addEmployee(prepareModel(employeeBean));
    return new ModelAndView("redirect:/add.html");
}
/**
 * Renders the employee page: the form plus the list of existing employees.
 *
 * @param employeeBean form-backing bean for the form
 * @param result binding outcome for {@code employeeBean}; not inspected here
 * @return the {@code addEmployee} view carrying the model attribute
 *         {@code employees}, which is {@code null} when the service returns no
 *         rows (the JSP tests it with the EL {@code empty} operator)
 */
@RequestMapping(value = "/add", method = RequestMethod.GET)
public ModelAndView addEmployee(@ModelAttribute("command") EmployeeBean employeeBean, BindingResult result) {
    List<EmployeeBean> employees = prepareListofBean(employeeService.listEmployeess());
    // addObject puts the attribute into the same model map the Map constructor fills
    return new ModelAndView("addEmployee").addObject("employees", employees);
}
/**
 * Copies the form bean into a new, unsaved {@code Employee} entity.
 *
 * Side effect: {@code employeeBean.id} is set to {@code null} after it has been
 * copied into the entity.
 *
 * NOTE(review): the entity id is taken verbatim from the request-bound bean. Since
 * the DAO persists with {@code saveOrUpdate}, a submitted id selects which row is
 * written; if ids are meant to be server-assigned on create, do not copy it here,
 * or check it against what the caller is allowed to edit.
 *
 * @param employeeBean request-bound form bean; mutated (its id is cleared)
 * @return a new {@code Employee} populated from the bean
 */
private Employee prepareModel(EmployeeBean employeeBean) {
    Employee entity = new Employee();
    entity.setEmpId(employeeBean.getId());
    entity.setEmpName(employeeBean.getName());
    entity.setEmpAge(employeeBean.getAge());
    entity.setEmpAddress(employeeBean.getAddress());
    entity.setSalary(employeeBean.getSalary());
    // clear the bean's id only after it has been copied into the entity
    employeeBean.setId(null);
    return entity;
}
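/**
 * Converts the entities loaded by the service into form beans for the view.
 *
 * The per-element copy is delegated to {@link #prepareEmployeeBean(Employee)} so
 * the two field mappings in this controller cannot drift apart.
 *
 * @param employees entities from the service; may be {@code null}
 * @return a new list with one bean per entity, or {@code null} when
 *         {@code employees} is {@code null} or empty (the JSP relies on the EL
 *         {@code empty} test, which covers both)
 */
private List<EmployeeBean> prepareListofBean(List<Employee> employees) {
    if (employees == null || employees.isEmpty()) {
        return null;
    }
    List<EmployeeBean> beans = new ArrayList<EmployeeBean>(employees.size());
    for (Employee employee : employees) {
        beans.add(prepareEmployeeBean(employee));
    }
    return beans;
}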
/**
 * Builds a form bean that mirrors the given entity.
 *
 * @param employee source entity; must not be {@code null}
 * @return a new {@code EmployeeBean} with id, name, age, salary and address copied
 */
private EmployeeBean prepareEmployeeBean(Employee employee) {
    EmployeeBean formBean = new EmployeeBean();
    formBean.setId(employee.getEmpId());
    formBean.setName(employee.getEmpName());
    formBean.setAge(employee.getEmpAge());
    formBean.setSalary(employee.getSalary());
    formBean.setAddress(employee.getEmpAddress());
    return formBean;
}
DAO 实现
@Repository("employeeDao")
public class EmployeeDaoImpl implements EmployeeDao {
@Autowired
private SessionFactory sessionFactory;
/**
 * Persists the given entity through the current Hibernate session.
 *
 * {@code saveOrUpdate} inserts a transient instance and updates an existing row
 * when the entity carries an identifier. No SQL text is assembled from the
 * entity's fields here; statement and parameters come from the entity mapping, so
 * an injection finding against this application more likely points at a query
 * built elsewhere (the service's {@code listEmployeess} is not shown) — worth
 * confirming. The update path does mean that whoever controls the id controls
 * which row is written.
 *
 * @param employee entity to insert or update
 */
public void addEmployee(Employee employee) {
    sessionFactory.getCurrentSession().saveOrUpdate(employee);
}
模型类
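/**
 * JPA entity mapped to the {@code Employee} table.
 *
 * Accessors are the ones the controller and DAO call. {@code empId} is generated
 * by the database, yet {@link #setEmpId(Integer)} is public and the controller
 * feeds it from the request-bound form bean; with {@code saveOrUpdate} a supplied
 * id turns the save into an update of that row.
 */
@Entity
@Table(name = "Employee")
public class Employee implements Serializable {
    // stray "{" after this declaration in the original listing put the fields into an
    // initializer block, which does not compile; the literal suffix is L, not " L"
    private static final long serialVersionUID = -723583058586873479L;

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    @Column(name = "empid")
    private Integer empId;

    @Column(name = "empname")
    private String empName;

    @Column(name = "empaddress")
    private String empAddress;

    @Column(name = "salary")
    private Long salary;

    // mixed-case column name kept as given to match the existing schema
    @Column(name = "empAge")
    private Integer empAge;

    /** @return the primary key, {@code null} until the row has been persisted */
    public Integer getEmpId() {
        return empId;
    }

    /** @param empId primary key; {@code null} lets the database assign one */
    public void setEmpId(Integer empId) {
        this.empId = empId;
    }

    /** @return the employee's name */
    public String getEmpName() {
        return empName;
    }

    /** @param empName the employee's name */
    public void setEmpName(String empName) {
        this.empName = empName;
    }

    /** @return the employee's address */
    public String getEmpAddress() {
        return empAddress;
    }

    /** @param empAddress the employee's address */
    public void setEmpAddress(String empAddress) {
        this.empAddress = empAddress;
    }

    /** @return the salary */
    public Long getSalary() {
        return salary;
    }

    /** @param salary the salary */
    public void setSalary(Long salary) {
        this.salary = salary;
    }

    /** @return the employee's age */
    public Integer getEmpAge() {
        return empAge;
    }

    /** @param empAge the employee's age */
    public void setEmpAge(Integer empAge) {
        this.empAge = empAge;
    }
}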