JSP基本登录模块(防SQL注入攻击)

 在JSP基本登录模块Ⅳ中，如果在密码栏输入“' or '1'='1”，我们发现不知道密码也可以登录成功。
}n2n5g)r+V0这是因为当我们的密码为“' or '1'='1”时，SQL语句变为：51Testing软件测试网K`(Vr,TB)aI
Select * FROM member Where username='magci' and password='' or '1'='1'
-Dt_"m6T0'1'='1'是永真的，这条SQL语句是能通过验证的。
;Nc1q?"m uP0Pu0这就是SQL注入攻击。
Y*\XkfU9~)o051Testing软件测试网;iPC,Fz$~
为了防止SQL注入攻击，可以使用PraparedStatement对象操作数据库。51Testing软件测试网O3[&{3Zwz:Q!v;b
改进后的登录模块如下：
Nq.Mdq _?Eec&l051Testing软件测试网nC L`}4r^^Q(A
附加功能：防止SQL注入攻击
W K(i`-]&e%O051Testing软件测试网*?w#X5j[.?
登录模块至少需要以下几个页面：
j-KQLH&]7V01.检查Cookie页面(index.jsp)；
8};j#c5qj$a:t-SC
qE"x02.输入用户信息页面(login.jsp)；51Testing软件测试网E)Ei y9oQ1[
3.用户合法性验证页面(check.jsp)；
FOx7J;q@04.登录成功欢迎页面(pass.jsp)（检查Session设置）；51Testing软件测试网J y/pU2ku1?Kh
5.登录失败提示页面(failure.jsp)；
7n }8Z
p/l;tk!q06.注销登录页面(logout.jsp)。51Testing软件测试网e,U_)p#^

:k]f!@ ?,M0数据库：member.mdb
|9A1i GmA051Testing软件测试网(n0bN
`(dBS.q
51Testing软件测试网1~/DBo(I?:axe6ks
结构图：
sR k#du0q"K!F7q*t R0
!y$Fz9EMs0---------------------------------------------------------------------
$Pq ?1k@+DPN*f`0
L!Ph,zD7m.V+LM$O }0                 index.jsp
]#w&]Un0                       |51Testing软件测试网Z$u aO7S:ry(]
                       |判断Cookie中有无用户名、密码51Testing软件测试网"c*\P(xQ qgEZ/lu
          ----------------------
!c_A'O(]~)s H0          |   Y                 N  |51Testing软件测试网6Bv0z}9s$E
          |                          V51Testing软件测试网6[FR)D4g
          |                      login.jsp<--------------------
9e6b#b7B%{/pk2~'{/e0          |                          |输入用户名、密码           |51Testing软件测试网 aAx9|%yP
          |                          V                                  |51Testing软件测试网8xs:C_J4kQ,TF
          ---------------->check.jsp                           |
,_i/W?+VlpcS0                                      |查询用户名、密码          |
:r1r Dd~0                                      V                                  |
#{M4xM f:P7Y sP0                               member.mdb                      |
1AOb4R5p:g7jU0                                      |返回结果                      |51Testing软件测试网W-[,M`@a$c
                                      V                                  |51Testing软件测试网TX.I|iyf7wW~
                                 check.jsp                          |
6GM-AaB0                                      |判断用户是否合法          |
Km WF+u6a/^V`0                          ---------------------                     |51Testing软件测试网xsm{$I
} X t'rW
                          |  Y                N  |                     |
5jyO%Y N'PC~0                          V                       V                    |51Testing软件测试网Xba^*~2i B)w
                      pass.jsp           failure.jsp------->|
1d/NPH` y!N0                          |                                              |51Testing软件测试网 rxG b}h k+sG
b%G
                          | 检查session是否含有用户名      |51Testing软件测试网mVP u9}\JR
                -----------------                                    |
,h0]/\ q7BL3V0                | Y             N |                                    |
w3vg u%rT:]T0                V                  V                                   |
C~!j'\t!l%D0           pass.jsp          跳转------------------------->|51Testing软件测试网
dQ^*M5Q%o
                |                                                        |
d%r,bO P#Nu0                |注销                                                  |51Testing软件测试网-p5r*vDSF
                V                                                       |
/Iw|$os&S4s^0          logout.jsp------------------------------------>|
f_X/@!CL@w)Q N%c051Testing软件测试网8u8q/d!hP"aF
---------------------------------------------------------------------51Testing软件测试网
^$@k.O*x6]$I{h C&G
51Testing软件测试网
B.XwX4TP~(L
index.jsp:51Testing软件测试网n+j x7bZ3r#w"g
h X

程序代码

51Testing软件测试网;n a.{#F4G&e7a
<%@ page contentType="text/html;charset=GB2312" %>
7jk3Azp?D0<html>51Testing软件测试网;YNA$lw.R$\y
  <head>
C+cN(S:g/\+X[#L0    <title>index</title>
6@9Is:Ls4fSg6nQ0  </head>51Testing软件测试网
R{*T'W6S#Xa5IG,I'H
  
P"x],a2[F0  <body>
:GU T7et3P0    <%
$@|'MufX0        int i;
0\a?6y#TK-Nm(oi0        //初始化,用于保存Cookie中的用户名、密码
)].Y)m
n*RRD0        String C_username="";
[OW eif(?lr"v&f%~0        String C_password="";51Testing软件测试网&S-QN*b(C0\
        //获取全部Cookie
&E;I"TgD j|]0        Cookie c[]=request.getCookies();
Gft%f ?+q!a)y@a0        for(i=0;i<c.length;i++)51Testing软件测试网#{ R.m$@CF(yQ0b v
        {51Testing软件测试网0b;K%c0dU
b
            //在Cookie中查找用户名、密码，如果找到，则分别将其赋值给用户名、密码变量51Testing软件测试网3M`X7B!s C^}
            if("username".equals(c[i].getName()))51Testing软件测试网G'fK,zcIu\U
                C_username=c[i].getValue();
X a*szD9e)W,K0            if("password".equals(c[i].getName()))51Testing软件测试网N;iU1k4BcL
                C_password=c[i].getValue();51Testing软件测试网#SM:cu+eG-o@
        }51Testing软件测试网/Eet7`2G7Ooi\
        if(!"".equals(C_username) && !"".equals(C_password))
i~q#s$oz x0        {
H)Rbf;{9c i*X0            //Cookie中有用户名、密码,将用户名、密码提交到验证页面
pf1{Ze]k&g
p0            response.sendRedirect("check.jsp?username="+C_username+"&password="+C_password);51Testing软件测试网{2g8Jp#{G+f8ti.RP
        }
e'yS.U)[0q"H.dx{0        else
qG%| t-O!eT%|~%{0        {
"P0k0p([*l)VX.X6P0        //Cookie中没有用户名、密码，跳转到登录页面51Testing软件测试网LO tz{c
    %>

L6~s uJmi
^0F"a0        <jsp:forward page="login.jsp" />
?;o+eAx?J0    <%
%zPlD;B_0        }51Testing软件测试网M2uql:dV
    %>51Testing软件测试网-k:El$FM
  </body>51Testing软件测试网#JlfiU?1R
</html>
v0\(S&h8W?*cJ0

51Testing软件测试网9H(P/GijOE

EI-E+[s[t6m0login.jsp:

程序代码

51Testing软件测试网1D_Jnh'tV
<%@ page contentType="text/html;charset=GB2312" %>51Testing软件测试网;\o{w8}"x9M
<html>51Testing软件测试网w&G(W'eM'A[
  <head>
ci.pL&a&t Xlck9BF0    <title>登录</title>
r$C_-E Sl"?0  </head>
wkox^g/zS6|N0  
I!vP,@.F d)?0  <body>51Testing软件测试网/Kb(J yuUx
      <center>51Testing软件测试网4n&x)]RD'F u
      <h1>登录页面</h1>
X c"`8U'`0f0      <hr>
)Y9b
\M n0    <form action="check.jsp" method="post">51Testing软件测试网yu'h1~0F/K
        <table>51Testing软件测试网.W*euYN(F6e&h
            <tr>
|(psGvI!H0                <td>用户名：</td>
Gd-MP2WLa0                <td><input type="text" name="username" /></td>51Testing软件测试网XN)sR2]R y
            </tr>
CL_dOa _er1?0            <tr>51Testing软件测试网#Xh$ZB0Wt
                <td>密  码：</td>51Testing软件测试网t0A@4bN&h,X
                <td><input type="password" name="password" /></td>
[m fw!X0            </tr>51Testing软件测试网2L:NYW9Y0k@
            <tr>51Testing软件测试网#g6BYi.L3H/_;Y|nn
            <td>Cookie选项：</td>
)OiWf Z_!~v0            <td>
A3G J1A3@?0f Co0                <input type="radio" name="cookie" value="nosave" checked>不保存
*Y e+?+jf&Za0                <input type="radio" name="cookie" value="save">保存1分钟
&ZV8g1G4h3fp0            </td>51Testing软件测试网S-| A O Q#r
            </tr>51Testing软件测试网g1Ps1?4f5hAlI
            <tr>
sP0{3FL0                <td colspan="2" align="center">
1T HmJ#cC(G0                    <input type="submit" value="登录" /> 
!p cH}IA
be0                    <input type="reset" value="重置" />
a)`xZ6Jt&rQ0                </td>
6I-G
rd8Yzr0            </tr>
9mD/];R+pC]P0D0        </table>
/{#r eQ'O0    </form>
$o'KGRVW(E:@:AM.W/A0    </center>51Testing软件测试网(a.jI$W6G0L
  </body>51Testing软件测试网z7@.PJ.K
</html>51Testing软件测试网*?A
l i'['u2l~

51Testing软件测试网wxN+j&L6T5K
51Testing软件测试网n$@pw#s^+R
check.jsp:51Testing软件测试网V$c4U5t!G(Y!A,p

程序代码

51Testing软件测试网LD4pDxPrl
<%@ page contentType="text/html;charset=GB2312" %>51Testing软件测试网R+pm{X!IB
<%@ page import="java.sql.*" %>
&{;v,}K@ys0<html>51Testing软件测试网&Y-@n#Z&F W s R(\
  <head>
-J)cZ.A6VA5JL0    <title>验证页面</title>
K%u"K
P? ~V0  </head>
#U2^3]0v
s2w0  51Testing软件测试网0I:g8d:n o*yI
  <body>
K;W6i*a.ylv+tL`.[)HC0    <%51Testing软件测试网xZ;Zc*R#@2c:Y
        String Username=request.getParameter("username");51Testing软件测试网HJ8B$QK$Uq$Y
        String Password=request.getParameter("password");
)_b\ R|J?o0        String IsCookie=request.getParameter("cookie");51Testing软件测试网g*e`@7q^?
        //定义标志，标记是否为合法用户，true为合法，false为非法
-j~,n!SUW0        Boolean isUser=false;51Testing软件测试网!kL:cIo,RHr
        //定义数据库连接驱动51Testing软件测试网5w{QG3k&RYdj$B
        final String DBDRIVER="sun.jdbc.odbc.JdbcOdbcDriver";51Testing软件测试网D's%V%e @-D4a,x3T
        //定义数据库连接地址51Testing软件测试网 R X/D:Q0t k.v
^m8}9j
        final String DBURL="jdbc:odbc:member";
Q(Q;o6p5m0O'l5o0        //定义变量存放SQL语句51Testing软件测试网[h)SzL&d o:Q"m2lP
        String sql=null;
C$KS Hv;f0        //定义数据库连接对象51Testing软件测试网1cwa/NlX0aQ
        Connection conn=null;51Testing软件测试网o(gvhjc4an
        //定义数据库操作对象51Testing软件测试网M
GM/z)_"uv/F @
        PreparedStatement pstmt=null;
)PCP1`(R;B-OA T@KT0        //定义结果集51Testing软件测试网5K/ZxR k#w)lO@i}L
        ResultSet rs=null;51Testing软件测试网[qn+\7p az
        try{
tcu Um0            //加载数据库驱动
usrA(\0g0            Class.forName(DBDRIVER);51Testing软件测试网I E`BFl1O?
            //连接数据库51Testing软件测试网}+KdAr%[6H*o
            conn=DriverManager.getConnection(DBURL);
8Qzn?
h btB0            //预预处SQL语句51Testing软件测试网*d_B9`|
            sql="Select * FROM member Where username=? and password=?";
1\9B
p4[/r iy{0            //实例化数据库操作对象51Testing软件测试网&z6h O2K;Ca`5@\
            pstmt=conn.prepareStatement(sql);51Testing软件测试网'] vBBf*A4|
            //设置psmt中“?”对应的变量
e ^!r?Q;a,~0            pstmt.setString(1,Username);
A(G(b1^#M|Qo7w'O
{0            pstmt.setString(2,Password);
.q*ni}8t+}f\5o0            //查询数据库，返回结果集51Testing软件测试网`5\CDjrX
            rs=pstmt.executeQuery();
[\*i P,v2m#T0            if(rs.next())51Testing软件测试网 rZ@5e'FR
            {51Testing软件测试网8p7}J:iwEj
                //数据库中有符合的记录，合法用户51Testing软件测试网U7e A+X$h
                isUser=true;
|+P0ekk/J0            }
`0C6k@k0J-Np9~ a M0            //关闭结果集51Testing软件测试网,X&ta
y un+Py5W
            rs.close();51Testing软件测试网l@QMd!}&htrk
            //关闭操作
$w2PA
q7[Shn0x0            pstmt.close();51Testing软件测试网6C;T fs@?
            //关闭连接51Testing软件测试网vA*US|3\i
            conn.close();
w!c2E(t]S*e0        }51Testing软件测试网'es/R'oZ/~3B$nUXr x9I|
        catch(Exception e)
L1o1C0u2@o4[0        {51Testing软件测试网/zS)}/j,B,k:` DVhN
            System.out.println(e);
#S0@2k:|3T~F4Dj4|0        } 
5G+V K$e `*n$q({0        //判断用户名、密码的合法性51Testing软件测试网(cjPeJmKiJM
        if(isUser)51Testing软件测试网0T3RD8A.|:tG,O#G
        {51Testing软件测试网(}7ia!~A
i.g3`ER?
            //合法用户51Testing软件测试网^MA)_%r ~Z
            if("save".equals(IsCookie))
k!|?+O*th"x'f3~0            {
k}ppbN.P0                //如果选择了保存Cookie选项，则保存Cookie
M
w4wz r?9C0                Cookie c1=new Cookie("username",Username);51Testing软件测试网c^ ~6Lc$yK K$?
                Cookie c2=new Cookie("password",Password);
a%pX
nh0                //设置Cookie保存时间为1分钟
xczRKps+l-m0                c1.setMaxAge(60);
:ZJy*\jf/uH$D
t0                c2.setMaxAge(60);
"GRg/[Rt0                response.addCookie(c1);
trnR _"l-]0                response.addCookie(c2);
D&|d"oW*cU
h0            }51Testing软件测试网.BX2KE0^ }W v-r
            //设置session属性51Testing软件测试网"d8kQ#Re J8d*]-}E;m
            session.setAttribute("username",Username);51Testing软件测试网^&I0aF.i8RY
            //跳转到欢迎页面51Testing软件测试网-BA+DoFP/X'?+T`?L
            %>51Testing软件测试网;fV:ES0ri s
            <jsp:forward page="pass.jsp"/>
p5{#~ Gha0            <%
)\mP)zB3[ar~0        }
6F}wK0r0oD#e9T0        else
xir6gl0b+[WL0        {
0c5X,k v }%Vo/~%A0            //非法用户，跳转到登录失败页面51Testing软件测试网O8p }[Sd#n [D/l"}7u
            %>
AE0_ fW'm)TJ^0            <jsp:forward page="failure.jsp" />
zg'` pO+` n0            <%51Testing软件测试网2|B-Bp$[%I
        }
k{3j$J6mN%kq!Ao'B0    %>51Testing软件测试网cPs*Q`f3N
  </body>
CDf1C4g4d)c }I@0</html>
9i}
e]@0bd#f5w0

Oe@%vJ0I o"h*]051Testing软件测试网},@d#?u
51Testing软件测试网 P FGf"{2I
pass.jsp:51Testing软件测试网 Hp^/]O/l1b0B

程序代码

51Testing软件测试网eVW9p5g
<%@ page contentType="text/html;charset=GB2312" %>
1^a:jE1Ud&i0<html>
Gbq)F0mK2W"f0  <head>
z7jm'um^vp%v0    <title>登录成功</title>
j(sJ.}'H)B `0  </head>51Testing软件测试网C.d6VK?0y
  51Testing软件测试网$IKN{ m
  <body>
5z_p| N0    <center>
"^$n"KWw.u?`0    <%51Testing软件测试网c0N+j|)q
        //获取session属性值
)|'nBW
R0Y!Nb_:_5YH0        String Mem_Session=(String)session.getAttribute("username");
U
?x I-i4Vz0        if(Mem_Session!=null)
P(G:gs~[0        {51Testing软件测试网mB-E A'x-az!{
            //session的username属性里含有用户名，可以浏览此页面
~og7u(d xY/]0    %>
n$kb+u/TWj ]1z/Von0V0            <h1>登录成功!!</h1>51Testing软件测试网z$dB+b/{5p*AU8TK
            <hr>51Testing软件测试网m,P\;o0u+ty(H3P)\+i
            <h3>欢迎<font size="12" color="red">
P#F|VgAI!HD(B0            <%--forward跳转为服务器端跳转，跳转后仍在check.jsp页面，可以继续使用usename参数 --%>
p8C8o(m:Lb#\0            <%=request.getParameter("username") %>51Testing软件测试网4Kj%t)Hx&ni
            </font>光临！</h3>51Testing软件测试网!`qj7_ E
            <p>
RCb6G3t)V0            <a href="logout.jsp">注销登录</a>51Testing软件测试网)Vp})a-nI)P!V
    <%
-C s'Jg5B;Tr#T7_j$U0        }
G`u(` qxHp0        else51Testing软件测试网z+R$_?q`et
        {
!NF!?8m[${ ES6VS0            //session的username属性里没有正确的用户名，无法浏览此页面，跳转到登录页面
`*D!dr-X0    %>
D2u6V9nn]!ht0            <h1>您还没有登录！</h1>51Testing软件测试网#H*[ M3S x
            3秒之后跳转到登录页面51Testing软件测试网&[T5p\Fv.a"cd
            <p>51Testing软件测试网"q ^_jo\5?5h#I0X:[
            如果没有跳转，请点<a href="login.jsp">这里</a>51Testing软件测试网y,JRG,_:L8hLw+~h,A
    <%
l}O'KR0            response.setHeader("refresh","3;URL=login.jsp");51Testing软件测试网^7nd3Bn:D
`&j`(\
        }
)P(lUE`D,jfMX'p0    %>51Testing软件测试网'yC4][
N.[
    </center>51Testing软件测试网T`%MN(T\ V:S
  </body>
!l4f9u-tWBHR0</html>
#w-}`rdqmG0

{M Is4OE/Cp(r;j051Testing软件测试网 W!`sz0o1_-E#c
failure.jsp:

程序代码

8X Z~!USI~2\0<%@ page contentType="text/html;charset=GB2312" %>
;{
|0S Sh&F C|0A0<html>
%d(a lQy0  <head>51Testing软件测试网0QmG!s^]H
    <title>登录失败</title>
5n+\far0  </head>51Testing软件测试网tF]
NCT"{
  
Q&^s/F;TGt0  <body>51Testing软件测试网k)A*Gg'~
    <div align="center">51Testing软件测试网snb#`,Td2~j
    <h1>登录失败!!</h1>51Testing软件测试网V.hH@:f+t&|
    <hr>51Testing软件测试网%o#qd+t!|
b2r
    <a href="login.jsp">重新登录</a>51Testing软件测试网.m|V5n
^tTb
}0M7I
    </div>51Testing软件测试网$FKF^V*TZWk*k;L
  </body>
#x'X.O]-Nx e7Iu0</html>51Testing软件测试网@sf%Y6Uu

yz`u F)w;oK_051Testing软件测试网k]xFmi(Ne

r5eP\T/GD0logout.jsp:

程序代码

waTB'SsVr0<%@ page contentType="text/html;charset=GB2312" %>51Testing软件测试网vYxp7c7`K
<html>
|1Y7]Q r_|RS0  <head>51Testing软件测试网:v)^Lm6Qp&BT
k*h:z
    <title>注销登录</title>51Testing软件测试网5~O[vjM~EO
  </head>
\Y%Ci8@@Z.mz DU
Q0  51Testing软件测试网3G C2]*K;v'IY
  <body>51Testing软件测试网)v]/h g$Y~+F#]
mD U
    <%51Testing软件测试网Pr&I`8{]
        //使session失效
.eNm
b
M4`NHwk0        session.invalidate();
|AcFE0}0    %>51Testing软件测试网/]f&[7k'qS
    <center>51Testing软件测试网}2H6N\ T gx c
        <h1>注销成功！</h1>51Testing软件测试网 E:y'Q:ToS ty
        3秒后跳转到登录页面
`.{$Dj W.P#mE0        <p>
EHoJe g6d0        如果没有跳转，请点<a href="login.jsp">这里</a>
]`f[[&l{0    <%51Testing软件测试网E*Xv6@a|
        response.setHeader("refresh","3;URL=login.jsp");51Testing软件测试网gS$Nw0W
    %>51Testing软件测试网]W![:se2\&P
    </center>51Testing软件测试网iS:[ [Qfq
  </body>51Testing软件测试网wj"nN"`ty
</html>51Testing软件测试网/e `
HW.OWdZVj&B