JSP基本登录模块(防SQL注入攻击)

 在JSP基本登录模块Ⅳ中，如果在密码栏输入“' or '1'='1”，我们发现不知道密码也可以登录成功。51Testing软件测试网)l;l.rT NpQ'Q6l
这是因为当我们的密码为“' or '1'='1”时，SQL语句变为：
#hq1xLa;w0Select * FROM member Where username='magci' and password='' or '1'='1'
,Iv%EJ3C
n O Rw0'1'='1'是永真的，这条SQL语句是能通过验证的。
y8x{ Q9Q{z0U?0这就是SQL注入攻击。
z/q^&qb A"z0
)k!O6Bd|0为了防止SQL注入攻击，可以使用PraparedStatement对象操作数据库。51Testing软件测试网$b:_ Sv(N
改进后的登录模块如下：
2xx:nKEQ5xr#wf051Testing软件测试网w2?+sk8Y+j$~T
附加功能：防止SQL注入攻击51Testing软件测试网 K7F&h
R$ym2cL

!?@2U0q@1~?&~Og%X0登录模块至少需要以下几个页面：
W o+Q6Y5k/{@;l01.检查Cookie页面(index.jsp)；
*@
vVkwqVso02.输入用户信息页面(login.jsp)；
+Xkz5k(m7e7eW03.用户合法性验证页面(check.jsp)；
P[wHeb04.登录成功欢迎页面(pass.jsp)（检查Session设置）；51Testing软件测试网4R2Szb+N'Y
5.登录失败提示页面(failure.jsp)；
7YGQm0XQQH06.注销登录页面(logout.jsp)。
*WC A/|Y)p0
Q!i ~8s[x0数据库：member.mdb51Testing软件测试网3?^9Zi+r&tmM
51Testing软件测试网*y c7l"tv
51Testing软件测试网m@ju|q,o
结构图：51Testing软件测试网S[&~ g2V^`&p
51Testing软件测试网9o.p9_iY5~KDJS'm
---------------------------------------------------------------------51Testing软件测试网'|M)gW e `

QKC;r k L0                 index.jsp51Testing软件测试网d%ir[;au&Hk/QV
                       |
Es8HJ8}5AS0                       |判断Cookie中有无用户名、密码
,}BEe?(i0          ----------------------51Testing软件测试网$k#q}KJe
          |   Y                 N  |51Testing软件测试网x'B0u-k9R2v5@ f
          |                          V
Y1@3Wm4d X0          |                      login.jsp<--------------------51Testing软件测试网"xC/XM9e2nn
          |                          |输入用户名、密码           |
!]4o-D`8xFpS0          |                          V                                  |
Xx'\;@#P0          ---------------->check.jsp                           |
/KF7S {2jLD0                                      |查询用户名、密码          |
6E6lD9oDD3m0                                      V                                  |51Testing软件测试网'G|"Q,~-QKs``
                               member.mdb                      |
Co~&W3If7O8e0                                      |返回结果                      |
y7` AeD
bL | l\0                                      V                                  |51Testing软件测试网)hM}'zr6XX2d
                                 check.jsp                          |
LG,~5XKi`J0                                      |判断用户是否合法          |
v\}RtC3^/SBf&O4D0                          ---------------------                     |
m9Nh DC0                          |  Y                N  |                     |
E"DB Q ?0                          V                       V                    |
6e3AqWCg6l0                      pass.jsp           failure.jsp------->|51Testing软件测试网lSQov V;y
                          |                                              |51Testing软件测试网 Q
v:i0bs3wo
                          | 检查session是否含有用户名      |51Testing软件测试网4B8c6Gw tU^.Ii
                -----------------                                    |51Testing软件测试网&I,x
I _a
                | Y             N |                                    |51Testing软件测试网,Zj9sfP8VZZ!@\
                V                  V                                   |
rl-[7O"Z7KZ3O*?'H0B0           pass.jsp          跳转------------------------->|51Testing软件测试网$C1l+i0q4KgR
                |                                                        |
hE)J%rgEO9v/v0                |注销                                                  |
9?9a2}cfwT6?
~A0O0                V                                                       |
iq$M9SA0          logout.jsp------------------------------------>|51Testing软件测试网3oV+U4Qa};yG[e
51Testing软件测试网)tp3w5JK]&l
---------------------------------------------------------------------51Testing软件测试网{F#TNcQ

-ukh|,fz Y4J2wRr0index.jsp:

程序代码

J8N*xpeq ^0<%@ page contentType="text/html;charset=GB2312" %>
7Ny#^|["S0<html>51Testing软件测试网,| ~.|figw
  <head>
+R` Cp:n,H&D"Z0    <title>index</title>51Testing软件测试网yx3X k.vIl(Ox
  </head>
FXf X\lG0  51Testing软件测试网7hvS gS
  <body>
XR+Doq
V8@ q0    <%
5l,A4D u|0        int i;51Testing软件测试网!G$EOI3`4Gm6E-x6fk7v
        //初始化,用于保存Cookie中的用户名、密码51Testing软件测试网1~.dgG\+K"m7W
        String C_username="";51Testing软件测试网dT A#GBA@(H%s k
        String C_password="";51Testing软件测试网%``#_g/J
        //获取全部Cookie51Testing软件测试网_ E!{9d`Y{
        Cookie c[]=request.getCookies();
.X
X"|"pf5P*Ix3K0        for(i=0;i<c.length;i++)51Testing软件测试网`3GRB ww Q7F L
        {
"m1sc`.m"x0            //在Cookie中查找用户名、密码，如果找到，则分别将其赋值给用户名、密码变量
8p0Cr'u\D;B8o$k0            if("username".equals(c[i].getName()))
6J-z*i `.a[:Pir4@0                C_username=c[i].getValue();
.jnjH/V-C'n3gQO+B0            if("password".equals(c[i].getName()))51Testing软件测试网;r$l%x:G\Xp&?r%kL
                C_password=c[i].getValue();
S?z BO o Y{0        }
2ZTr2J dD/WL%dq0        if(!"".equals(C_username) && !"".equals(C_password))51Testing软件测试网T$G
}CXwW{;P [$D
        {
Y"`/Z3h
i-KcL0xpJ0            //Cookie中有用户名、密码,将用户名、密码提交到验证页面
u"`$w7d{0H`$X8V0            response.sendRedirect("check.jsp?username="+C_username+"&password="+C_password);
(s.VvD;UU0        }51Testing软件测试网n,vc]So+F
        else
S$Q:?8^D7s0        {
l tM cuj/k3N]z0        //Cookie中没有用户名、密码，跳转到登录页面51Testing软件测试网
[P!w[;wQ6bL[y}
    %>
`!a%kJ-_K6Yt]0        <jsp:forward page="login.jsp" />51Testing软件测试网6Ip-I0P2Z
    <%
TAZ'lzeiL.N0        }
2U)ey'V"Y'_nU0    %>
V?,iZ2X7`b~(x0  </body>
$I D:J2|a+Uf|o0</html>
7l g6]%FP{#T0V:D0

)m uL
mY0
va3fz-w,o6W i051Testing软件测试网ULk*JR3?9xk
login.jsp:

程序代码

p;A1u]:z&v4^m9@m0<%@ page contentType="text/html;charset=GB2312" %>51Testing软件测试网u;k'_2i} z2J
L
<html>
/~L/z}$zR7tvu\0  <head>51Testing软件测试网
_aTL/C4I~;@5t
    <title>登录</title>
bJ0O w7}Zw6c1~0  </head>
O^uTb6J5H0  51Testing软件测试网UPJS6q}eM
  <body>

}`G S*cFBM$@0      <center>
`!{{n[7}(]0      <h1>登录页面</h1>51Testing软件测试网@[5QV U*J9i
      <hr>
t5Y8I5v/YT9kf&V
S0    <form action="check.jsp" method="post">
\l*{@)_k2mM0        <table>51Testing软件测试网
R4H,|I1p#`ASd
            <tr>
6~v;{B*y1l0                <td>用户名：</td>51Testing软件测试网j+Cft%p&G
                <td><input type="text" name="username" /></td>51Testing软件测试网#F0{ F W({sI
            </tr>51Testing软件测试网}Hl;mJ\'ycq1w
            <tr>
W [/{N#J;b,B)|0                <td>密  码：</td>51Testing软件测试网 v ^(p:bY8F
                <td><input type="password" name="password" /></td>51Testing软件测试网d&XC9r G,q
            </tr>51Testing软件测试网%ht']Ix*~
            <tr>51Testing软件测试网Qds OgTXX
            <td>Cookie选项：</td>
&_Sp r~v+A5O0            <td>
N'o1tP_*P-f0                <input type="radio" name="cookie" value="nosave" checked>不保存
~(d+K w3L0                <input type="radio" name="cookie" value="save">保存1分钟51Testing软件测试网L#y4krA
?M
            </td>51Testing软件测试网,qi0B l|c]`t`
            </tr>
6lW1@bC*VGu0            <tr>51Testing软件测试网Ib)j_^[|+}
                <td colspan="2" align="center">51Testing软件测试网4FE5cc6e#z:}
                    <input type="submit" value="登录" /> 51Testing软件测试网r9fw,D:q%K
                    <input type="reset" value="重置" />
'slR
Z[Z GAg0l{k0                </td>
J8_L E5@P0            </tr>51Testing软件测试网8Z#[:Y1Q:G(J
        </table>
K%|9^!t1G`0    </form>
9At2sI gr
t0    </center>51Testing软件测试网1b vHm Txu
  </body>
.h{_9a\Duo0</html>
l b(U]/Fpe0

q$mqy ?6[*n4F051Testing软件测试网 s#uSS?B-x.m Y
check.jsp:

程序代码

)m(@5x:x9rV$X0<%@ page contentType="text/html;charset=GB2312" %>51Testing软件测试网~,RI6Xy+dgc
<%@ page import="java.sql.*" %>
VW,qF2ZP0<html>51Testing软件测试网1x }fE3M)LJWY
  <head>
&~I-i+D[6L0    <title>验证页面</title>
oKP6D#c zJ#J{Sk0  </head>51Testing软件测试网^}3jNfc7d;N
  51Testing软件测试网 MK)aS6JB{
  <body>
/K7T&\b2k0    <%
dN X\0@9R0        String Username=request.getParameter("username");51Testing软件测试网1h0~
k6HP*q
        String Password=request.getParameter("password");
+F6II$n8n"V0F0        String IsCookie=request.getParameter("cookie");51Testing软件测试网Ds!S
f`Tbz.Y4H4^
        //定义标志，标记是否为合法用户，true为合法，false为非法
a5^6Bm9[$G X[z#GT0        Boolean isUser=false;51Testing软件测试网sO#Q \] W&]h
        //定义数据库连接驱动51Testing软件测试网RGO2E
r i[h0X
        final String DBDRIVER="sun.jdbc.odbc.JdbcOdbcDriver";
XXs#F3}HtJ7u
O [0        //定义数据库连接地址
wLQ.e`#`&i1t0        final String DBURL="jdbc:odbc:member";51Testing软件测试网o3fT8[xqFw
        //定义变量存放SQL语句
*z1]@"c v$z*J0        String sql=null;51Testing软件测试网5z6g.\M0e:S
        //定义数据库连接对象51Testing软件测试网1m(W;ZG E
        Connection conn=null;51Testing软件测试网b/xk(AMF"[
        //定义数据库操作对象
)l7k@G(Y"KiU8B0        PreparedStatement pstmt=null;51Testing软件测试网iv1}/u*B2sHt.w
        //定义结果集
s!^(D-E9~LK,@u0        ResultSet rs=null;
+j
s7ly/e6vIpn0        try{51Testing软件测试网m7oY.Fw;bd
e([.j
            //加载数据库驱动
ooi u['p0            Class.forName(DBDRIVER);51Testing软件测试网:T?,P;NFn
            //连接数据库
Ji0C5n3z!`+c0            conn=DriverManager.getConnection(DBURL);51Testing软件测试网 zE8C2U c`;g
            //预预处SQL语句
C#q+|p5Vj?-EKK*yy@0            sql="Select * FROM member Where username=? and password=?";
)Sb6y z8e+O-IMN0            //实例化数据库操作对象
J:n:Dh5w6~9{X l+K O0            pstmt=conn.prepareStatement(sql);
C0igk)fy;N-Gw F K0            //设置psmt中“?”对应的变量
~UpE[0            pstmt.setString(1,Username);
v;W h{dr0ho0            pstmt.setString(2,Password);
-Y1Rbw/X{Mncu0            //查询数据库，返回结果集51Testing软件测试网Y7}p;SI]
T~P
            rs=pstmt.executeQuery();51Testing软件测试网7Ns5i)j4kK9eb
            if(rs.next())
7d#kj8V&izs5Q+E0            {51Testing软件测试网 @ad/K;SR"O
                //数据库中有符合的记录，合法用户51Testing软件测试网1U"Rav6@;K6nj?
                isUser=true;51Testing软件测试网f/]w8}`sE$\
            }51Testing软件测试网k#JI:OU
            //关闭结果集
J;_J3Vr7X8J8}0            rs.close();51Testing软件测试网7[XW Qy @F
            //关闭操作51Testing软件测试网A-Cu tO
            pstmt.close();51Testing软件测试网w ~D M1P}
            //关闭连接
$CX8S e)JX2u_0            conn.close();51Testing软件测试网
r9C?D G,V8f
        }51Testing软件测试网H0fk%h3h#mjA
        catch(Exception e)
/bJh#Gog%||'p&ft'^0        {
qzWy"qg"Cw/]$J0            System.out.println(e);51Testing软件测试网Bat?4V
        } 51Testing软件测试网t5s`6jA$^z
        //判断用户名、密码的合法性
a TP:s1j\(YJ0        if(isUser)
1Qb |y-z;}rA^I8MtY0        {
9C0{`'p E0            //合法用户51Testing软件测试网0r)CQ(V6Wq
            if("save".equals(IsCookie))51Testing软件测试网/}B&d#~Bc(w
            {51Testing软件测试网Q2WE4fxiY(}
                //如果选择了保存Cookie选项，则保存Cookie51Testing软件测试网}Zy'}u:M9} c'EN w$U
                Cookie c1=new Cookie("username",Username);
Hw*_/N%nq.L0                Cookie c2=new Cookie("password",Password);51Testing软件测试网5ue5AlI
HL
d
                //设置Cookie保存时间为1分钟51Testing软件测试网 DIvOk-dC
                c1.setMaxAge(60);51Testing软件测试网Xs$}*zam!o
                c2.setMaxAge(60);51Testing软件测试网J@.E~![)[ _!T
                response.addCookie(c1);51Testing软件测试网nnF,p.Q
                response.addCookie(c2);51Testing软件测试网8_QH XS g7df U
            }
*UMf,Jpk\.t0            //设置session属性51Testing软件测试网i4y"qqEY
            session.setAttribute("username",Username);
3noXg;d!l4pF#J w+C0            //跳转到欢迎页面51Testing软件测试网t4f$g1gkv
            %>51Testing软件测试网si0]Ep!s2w
            <jsp:forward page="pass.jsp"/>
^}-S:pm0            <%
nF4F/~v_$Wlj0        }
;i{ Ry1U:jLL%w0        else51Testing软件测试网3g~v7y._A]
        {
|+]y2JB A u+N&z|0            //非法用户，跳转到登录失败页面
q(|{7qO*g4|9]_9`_0            %>
1K/w3GP}u0            <jsp:forward page="failure.jsp" />51Testing软件测试网 bz'P*f!G!d
            <%
8@#j5V&G_j0        }51Testing软件测试网7?tHlF/US a7J^G
    %>
2R)cJFj[
?v0  </body>
"{;] Q{K+{:IO0</html>
,D|*~ \2?%E @.lxX0

!IR WF2e3x0
$r9C-d)dm |'N3B"Oh0
cZy+BGL7~'d8|0pass.jsp:

程序代码

b.A&Gd7G"])j*S0<%@ page contentType="text/html;charset=GB2312" %>
5Z qn t5`I_ }0<html>
1s[\@ Y!j
SN{j0  <head>
n.e(]-bO*R0    <title>登录成功</title>
qg&Q5OBKh J1?0  </head>51Testing软件测试网'x*KCVD WV
  51Testing软件测试网4KmS#|Ujof5?6wu
  <body>51Testing软件测试网%Z(e5xp;[I
    <center>51Testing软件测试网[8?r$~)M h
    <%51Testing软件测试网.mo.QqN
        //获取session属性值51Testing软件测试网dr~0E/GhC
        String Mem_Session=(String)session.getAttribute("username");
OX}@O7W0        if(Mem_Session!=null)51Testing软件测试网BZ}LO^9NYLwg
        {
tB,NQ"Q;Uw]0            //session的username属性里含有用户名，可以浏览此页面51Testing软件测试网,g,Lm)U$pb-T QO)m,n&C
    %>51Testing软件测试网e:VSy:qc1w
            <h1>登录成功!!</h1>
q:Qh;jo C0            <hr>51Testing软件测试网'o4]!?9D'?/V
            <h3>欢迎<font size="12" color="red">
!t+|Y8?3V!Q?9\K0            <%--forward跳转为服务器端跳转，跳转后仍在check.jsp页面，可以继续使用usename参数 --%>
K"g:t0|3xO0d)nw0            <%=request.getParameter("username") %>
yOb"te1}(L+f2E2T0            </font>光临！</h3>51Testing软件测试网 zS}:`X&Db]
            <p>51Testing软件测试网B/@a1J ]
            <a href="logout.jsp">注销登录</a>51Testing软件测试网:`f+ohIu(v
    <%51Testing软件测试网fzl4z3]6x3aw7uCt'Z
        }51Testing软件测试网9`n|kh4[ d4O
        else51Testing软件测试网)y2lr&L+s
        {51Testing软件测试网7?4vw/s8x8K7P X
            //session的username属性里没有正确的用户名，无法浏览此页面，跳转到登录页面

f qZ$Y.V+ve"a0    %>51Testing软件测试网rC%xdM!zeet~
            <h1>您还没有登录！</h1>
*g}{0s;@ r0            3秒之后跳转到登录页面51Testing软件测试网bSA1LdX[
            <p>
sKXiWt#x2O$W5L0            如果没有跳转，请点<a href="login.jsp">这里</a>51Testing软件测试网v%TF2rZ_!gc*Y.] mk
    <%
FBBy-[?jv0            response.setHeader("refresh","3;URL=login.jsp");
MsE;kJ~0        }
l2^ x_3RE0    %>
e7AC0R+k/T`G#t0    </center>
!k0~7D1y5~,x f e0  </body>
!H3VhYi;~I8a0</html>
d/\d:FJ8x0C m0

9t D"F[uH@ r0
X`Kl4b0
o b2_2Ns^oBLZ0failure.jsp:51Testing软件测试网9`!_,z~sY
}

程序代码

51Testing软件测试网A#Q'` tZj0Y
<%@ page contentType="text/html;charset=GB2312" %>
9F+w+I4xH5t/c*D0<html>
B(\y2P+Suy;o0  <head>51Testing软件测试网8~x/x1D\
    <title>登录失败</title>51Testing软件测试网 w.\5Z mtUe3I
  </head>51Testing软件测试网w&l"So,Z P
  
6mWARf0  <body>
-@kS2p6l
Td+D
R
o:ke0    <div align="center">51Testing软件测试网9iG\jG1h5{E~
    <h1>登录失败!!</h1>
;av,J9Z'O"oNH0    <hr>51Testing软件测试网H)N jn.J4g$Y y/T Q
    <a href="login.jsp">重新登录</a>
.M]s8j9M0    </div>51Testing软件测试网8L)Bi&z'@:V
  </body>51Testing软件测试网$E*U&qSB+^*StIQ
</html>51Testing软件测试网,Tl2N5^f8\;g

51Testing软件测试网%@5Hvk+ogx:N8I#[

YEW,d f0logout.jsp:

程序代码

51Testing软件测试网/i\)C&wjU%D n
<%@ page contentType="text/html;charset=GB2312" %>51Testing软件测试网9Y6A.y-^(SFH
<html>51Testing软件测试网.X0@y-?i
  <head>51Testing软件测试网or%a&DICb
    <title>注销登录</title>51Testing软件测试网hp{9DQ A7T
  </head>51Testing软件测试网X p7G#X8k(qa E
  
%I ^7ax.v }7^ C0  <body>51Testing软件测试网[3?#L7S6Vsk&`1HF
    <%
w%?/Vo$wq6D'S0        //使session失效51Testing软件测试网l'Jy\}%L:a
        session.invalidate();
6N&W,AT}.Ox0    %>51Testing软件测试网5uBPx@+Tvo GZ
    <center>
'X/Z7m'Dn0        <h1>注销成功！</h1>
;Z#g2Ne8tHQ0        3秒后跳转到登录页面
U:x`2^?!M5h$T0        <p>
~ i Qw+Zs}:C;l0        如果没有跳转，请点<a href="login.jsp">这里</a>51Testing软件测试网.bB-~4[0Al6y5r
    <%51Testing软件测试网%R DF0eJ&X
        response.setHeader("refresh","3;URL=login.jsp");
3jrQ#b!t.e`0    %>51Testing软件测试网[;h pSR
A
    </center>51Testing软件测试网L,S2e a
_6w
  </body>
XjxS;TI#P;x$G0</html>