JSP Basic Login Module (Preventing SQL Injection Attacks)

2009-09-03 15:58:24 / Category: JAVA


In JSP Basic Login Module IV, if you type ' or '1'='1 into the password field, you find that you can log in successfully without knowing the password.
This is because, when the password is ' or '1'='1, the SQL statement becomes:
Select * FROM member Where username='magci' and password='' or '1'='1'
Since AND binds more tightly than OR, the WHERE clause is read as (username='magci' and password='') or '1'='1'. The second half is always true, so the statement returns a row and the check passes.
This is a SQL injection attack.

To prevent SQL injection, use a PreparedStatement object to access the database: the SQL text contains only "?" placeholders and is prepared first, and the user-supplied values are bound to those placeholders afterwards, so a quote inside the password is handled as data and can no longer change the structure of the query.
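The following is an added example, not code from the original article. It redoes the login query from check.jsp in Python with the standard-library sqlite3 module (instead of JDBC/ODBC and the member.mdb database) so that the injected password from the article can be run against both a string-concatenated query and a parameterised one. The in-memory "member" table, its columns, the test account magci/s3cret and the extra username payload magci' -- are all constructed for this demonstration; the page itself only shows the password-field payload.

```python
"""Added example (not part of the original article): the vulnerable
string-concatenated login query beside the PreparedStatement-style
parameterised query, run against the article's ' or '1'='1 payload.
Uses sqlite3 instead of JDBC/ODBC; table, columns and rows are constructed."""
import sqlite3


def make_db():
    """Build an in-memory 'member' table holding one constructed test account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (username TEXT, password TEXT)")
    conn.execute("INSERT INTO member VALUES (?, ?)", ("magci", "s3cret"))
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The vulnerable pattern from Login Module IV: user input is pasted
    straight into the SQL text. A quote in the input closes the string
    literal and everything after it is parsed as SQL."""
    sql = ("SELECT * FROM member WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username, password):
    """The PreparedStatement pattern from check.jsp: the SQL text contains
    only '?' placeholders and the values are bound separately, so they are
    compared as data and can never change the query's structure. This is
    the equivalent of pstmt.setString(1, Username) / setString(2, Password)."""
    sql = "SELECT * FROM member WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


PAYLOAD = "' or '1'='1"   # the password typed in the article


def demo():
    """Run both query styles with good credentials and with injected input.
    Returns a dict of name -> whether the login 'succeeded'."""
    conn = make_db()
    return {
        # correct credentials are accepted by both versions
        "concat_good": login_concat(conn, "magci", "s3cret"),
        "prepared_good": login_prepared(conn, "magci", "s3cret"),
        # injected password: the concatenated query becomes
        #   ... WHERE username='magci' AND password='' or '1'='1'
        # which is always true, so the attacker is "logged in"
        "concat_injected": login_concat(conn, "magci", PAYLOAD),
        # the bound parameter is compared as the literal 11-character
        # string ' or '1'='1, which matches no stored password
        "prepared_injected": login_prepared(conn, "magci", PAYLOAD),
        # constructed variant: injection through the username field, where
        # "--" comments out the rest of the WHERE clause in the concatenated query
        "concat_comment": login_concat(conn, "magci' --", "wrong"),
        "prepared_comment": login_prepared(conn, "magci' --", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} login {'succeeded' if ok else 'failed'}")
```

Running the block shows the concatenated query accepting both injected inputs while the parameterised query rejects them and still accepts the real password. The same reasoning applies to the JDBC code in check.jsp below: the fix is not escaping quotes by hand but keeping the query text and the values on separate channels.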
The improved login module is as follows. Note that only the database query is hardened here: the "save Cookie" option in check.jsp still writes the password itself into a browser cookie, and index.jsp then replays it through the URL query string, so that part of the exercise should not be copied into a real application.

Additional feature: preventing SQL injection attacks

The login module needs at least the following pages:
1. Cookie check page (index.jsp);
2. User input page (login.jsp);
3. User verification page (check.jsp);
4. Welcome page on successful login (pass.jsp) (checks the Session);
5. Login failure page (failure.jsp);
6. Logout page (logout.jsp).

Database: member.mdb


Flow diagram:

---------------------------------------------------------------------

                  index.jsp
                      |
                      | does the Cookie hold a username and password?
              -----------------
              |  Y          N |
              |               V
              |           login.jsp <---------------------------------+
              |               | enter username and password           |
              |               V                                       |
              +----------> check.jsp                                  |
                              | look up username and password         |
                              V                                       |
                          member.mdb                                  |
                              | return result                         |
                              V                                       |
                          check.jsp                                   |
                              | is the user valid?                    |
                      -----------------                               |
                      |  Y          N |                               |
                      V               V                               |
                  pass.jsp       failure.jsp -------------------------+
                      |                                               |
                      | does the session hold a username?             |
              -----------------                                       |
              |  Y          N |                                       |
              V               V                                       |
          pass.jsp        redirect -----------------------------------+
              |                                                       |
              | log out                                               |
              V                                                       |
          logout.jsp -------------------------------------------------+

---------------------------------------------------------------------

index.jsp:

Code:

<%@ page contentType="text/html;charset=GB2312" %>
<html>
  <head>
    <title>index</title>
  </head>
  
  <body>
    <%
        int i;
        // Initialise the variables that will hold the username and password read from the Cookies
        String C_username="";
        String C_password="";
        // Get all Cookies (getCookies() returns null when the request carries none)
        Cookie c[]=request.getCookies();
        if(c!=null)
        {
            for(i=0;i<c.length;i++)
            {
                // Look for the username and password Cookies; if found, copy their values into the variables
                if("username".equals(c[i].getName()))
                    C_username=c[i].getValue();
                if("password".equals(c[i].getName()))
                    C_password=c[i].getValue();
            }
        }
        if(!"".equals(C_username) && !"".equals(C_password))
        {
            // The Cookies hold a username and password: submit them to the verification page
            response.sendRedirect("check.jsp?username="+C_username+"&password="+C_password);
        }
        else
        {
        // No username and password in the Cookies: go to the login page
    %>
        <jsp:forward page="login.jsp" />
    <%
        }
    %>
  </body>
</html>



login.jsp:

Code:

<%@ page contentType="text/html;charset=GB2312" %>
<html>
  <head>
    <title>Login</title>
  </head>
  
  <body>
      <center>
      <h1>Login page</h1>
      <hr>
    <form action="check.jsp" method="post">
        <table>
            <tr>
                <td>Username:</td>
                <td><input type="text" name="username" /></td>
            </tr>
            <tr>
                <td>Password:</td>
                <td><input type="password" name="password" /></td>
            </tr>
            <tr>
            <td>Cookie option:</td>
            <td>
                <input type="radio" name="cookie" value="nosave" checked>Don't save
                <input type="radio" name="cookie" value="save">Save for 1 minute
            </td>
            </tr>
            <tr>
                <td colspan="2" align="center">
                    <input type="submit" value="Login" /> 
                    <input type="reset" value="Reset" />
                </td>
            </tr>
        </table>
    </form>
    </center>
  </body>
</html>



check.jsp:

Code:

<%@ page contentType="text/html;charset=GB2312" %>
<%@ page import="java.sql.*" %>
<html>
  <head>
    <title>Verification page</title>
  </head>
  
  <body>
    <%
        String Username=request.getParameter("username");
        String Password=request.getParameter("password");
        String IsCookie=request.getParameter("cookie");
        // Flag that records whether this is a valid user: true = valid, false = invalid
        boolean isUser=false;
        // Database driver class
        final String DBDRIVER="sun.jdbc.odbc.JdbcOdbcDriver";
        // Database connection URL
        final String DBURL="jdbc:odbc:member";
        // Variable that holds the SQL statement
        String sql=null;
        // Database connection object
        Connection conn=null;
        // Database operation object
        PreparedStatement pstmt=null;
        // Result set
        ResultSet rs=null;
        try{
            // Load the database driver
            Class.forName(DBDRIVER);
            // Connect to the database
            conn=DriverManager.getConnection(DBURL);
            // Prepare the SQL statement; the two "?" are parameter placeholders
            sql="Select * FROM member Where username=? and password=?";
            // Instantiate the database operation object
            pstmt=conn.prepareStatement(sql);
            // Bind the values for the "?" placeholders in pstmt; they are passed as data, never parsed as SQL
            pstmt.setString(1,Username);
            pstmt.setString(2,Password);
            // Query the database and get the result set
            rs=pstmt.executeQuery();
            if(rs.next())
            {
                // A matching record exists in the database: valid user
                isUser=true;
            }
        }
        catch(Exception e)
        {
            System.out.println(e);
        }
        finally
        {
            // Close the result set, the statement and the connection even when an exception was thrown
            try{ if(rs!=null) rs.close(); }catch(SQLException e){}
            try{ if(pstmt!=null) pstmt.close(); }catch(SQLException e){}
            try{ if(conn!=null) conn.close(); }catch(SQLException e){}
        }
        // Check whether the username and password were valid
        if(isUser)
        {
            // Valid user
            if("save".equals(IsCookie))
            {
                // The "save Cookie" option was chosen, so save the Cookies
                Cookie c1=new Cookie("username",Username);
                Cookie c2=new Cookie("password",Password);
                // Set the Cookie lifetime to 1 minute
                c1.setMaxAge(60);
                c2.setMaxAge(60);
                response.addCookie(c1);
                response.addCookie(c2);
            }
            // Set the session attribute
            session.setAttribute("username",Username);
            // Go to the welcome page
            %>
            <jsp:forward page="pass.jsp"/>
            <%
        }
        else
        {
            // Invalid user: go to the login failure page
            %>
            <jsp:forward page="failure.jsp" />
            <%
        }
    %>
  </body>
</html>



pass.jsp:

Code:

<%@ page contentType="text/html;charset=GB2312" %>
<html>
  <head>
    <title>Login successful</title>
  </head>
  
  <body>
    <center>
    <%
        // Read the session attribute
        String Mem_Session=(String)session.getAttribute("username");
        if(Mem_Session!=null)
        {
            // The session's username attribute holds a username, so this page may be viewed
    %>
            <h1>Login successful!!</h1>
            <hr>
            <h3>Welcome, <font size="12" color="red">
            <%-- forward is a server-side jump: after check.jsp forwards here the same request is still being
                 handled, so the username parameter would still be readable. When pass.jsp is opened directly
                 (for example on refresh) there is no such parameter, so the name stored in the session is shown. --%>
            <%=Mem_Session %>
            </font>!</h3>
            <p>
            <a href="logout.jsp">Log out</a>
    <%
        }
        else
        {
            // The session's username attribute holds no valid username: this page may not be viewed, go to the login page
    %>
            <h1>You are not logged in yet!</h1>
            Redirecting to the login page in 3 seconds
            <p>
            If you are not redirected, click <a href="login.jsp">here</a>
    <%
            response.setHeader("refresh","3;URL=login.jsp");
        }
    %>
    </center>
  </body>
</html>



failure.jsp:

Code:

<%@ page contentType="text/html;charset=GB2312" %>
<html>
  <head>
    <title>Login failed</title>
  </head>
  
  <body>
    <div align="center">
    <h1>Login failed!!</h1>
    <hr>
    <a href="login.jsp">Log in again</a>
    </div>
  </body>
</html>



logout.jsp:

Code:

<%@ page contentType="text/html;charset=GB2312" %>
<html>
  <head>
    <title>Log out</title>
  </head>
  
  <body>
    <%
        // Invalidate the session
        session.invalidate();
    %>
    <center>
        <h1>Logged out successfully!</h1>
        Redirecting to the login page in 3 seconds
        <p>
        If you are not redirected, click <a href="login.jsp">here</a>
    <%
        response.setHeader("refresh","3;URL=login.jsp");
    %>
    </center>
  </body>
</html>


TAG: SQL injection

 
