cocoon-users mailing list archives

From "marco scotoni" <mscot...@gruppotrafomec.com>
Subject Re: XSP+logic
Date Thu, 07 Nov 2002 15:58:13 GMT
Thanks. The problem is that I have to replace a substring in the result of
the query...

but there aren't any methods or tags to do it...




----- Original Message -----
From: "Ilya A. Kriveshko" <ilya@kaon.com>
To: <cocoon-users@xml.apache.org>
Sent: Thursday, November 07, 2002 4:45 PM
Subject: Re: XSP+logic


> Search the mailing list archives for SQL injection - your page is
> vulnerable.
> Use <esql:parameter><xsp:request:get-parameter
> name="num"/></esql:parameter> in your query.
>
> I don't see a closing '>' on the <xsp:page> tag in the beginning of the
> file. I would have expected it to give you a different error, though.
>
> Your problem is coming from the last <xsp:expr> in the file:
>
> <xsp:expr>
>   String Prova;
> </xsp:expr>
>
>
> You either meant to declare a String variable Prova, for which you
> should do with <xsp:logic> tags, or
> you meant to output "String Prova;", for which you should have used
> quotes.
>
> So, it's either:
> <xsp:logic>
>   String Prova;
> </xsp:logic>
>
> or
>
> <xsp:expr>
>   "String Prova;"
> </xsp:expr>
>
> Also, it would be faster if you opened the database connection once, and
> then placed all your queries inside of it:
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <xsp:page language="java" xmlns:xsp="http://apache.org/xsp"
>   xmlns:esql="http://apache.org/cocoon/SQL/v2"
>   xmlns:xsp-request="http://apache.org/xsp/request/2.0">
>
>   <xsp:logic>
>     static String replace(String str, String pattern, String replace) {
>         int s = 0;
>         int e = 0;
>         StringBuffer result = new StringBuffer();
>         while ((e = str.indexOf(pattern, s)) >= 0) {
>             result.append(str.substring(s, e));
>             result.append(replace);
>             s = e+pattern.length();
>         }
>         result.append(str.substring(s));
>         return result.toString();
>     }
>
>   </xsp:logic>
>
>   <page>
>     <esql:connection>
>       <esql:pool>trafomec</esql:pool>
>       <esql:execute-query>
>         <esql:query>
>           select distinct nome_prod, data_prod from tabella_prodotto
>           where id_prod=
>           <esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
>         </esql:query>
>         <esql:results>
>           <esql:row-results>
>             <nomeprod><esql:get-string column="nome_prod"/></nomeprod>
>             <dataprod><esql:get-string column="data_prod"/></dataprod>
>           </esql:row-results>
>         </esql:results>
>       </esql:execute-query>
>
>       <!-- Query per la Foto -->
>       <tabellafoto>
>         <esql:execute-query>
>           <esql:query>
>             select distinct id_ufoto,link,desc_foto from tabella_foto
>             where id_foto=
>             <esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
>           </esql:query>
>           <esql:results>
>             <esql:row-results>
>               <foto>
>                 <linkfoto><esql:get-string column="link"/></linkfoto>
>                 <descfoto><esql:get-string column="desc_foto"/></descfoto>
>               </foto>
>             </esql:row-results>
>           </esql:results>
>         </esql:execute-query>
>       </tabellafoto>
>       <catfun>
>         <esql:execute-query>
>           <esql:query>
>             SELECT DISTINCT tabella_at.nome_at as nome_at,
>                             tabella_cf.nome_cf as nome_cf
>               FROM tabella_at, tabella_cf, tabella_famiglia,
> tabella_prodotto
>               WHERE tabella_famiglia.id_at=tabella_at.id_at AND
>                     tabella_famiglia.id_cf=tabella_cf.id_cf AND
> tabella_famiglia.id_fa=4 AND
>                     tabella_prodotto.id_fa=4
>           </esql:query>
>           <esql:results>
>             <esql:row-results>
>               <bl_cf>
>                 <cat><esql:get-string column="nome_at"/></cat>
>                 <fnc><esql:get-string column="nome_cf"/></fnc>
>               </bl_cf>
>             </esql:row-results>
>           </esql:results>
>         </esql:execute-query>
>       </catfun>
>
>       <esql:execute-query>
>         <esql:query>
>           select distinct specifiche from tabella_prodotto where id_prod=4
>         </esql:query>
>         <esql:results>
>           <esql:row-results>
>             <spec>
>               <xsp:expr>"String Prova;"</xsp:expr>
>             </spec>
>           </esql:row-results>
>         </esql:results>
>       </esql:execute-query>
>     </esql:connection>
>   </page>
> </xsp:page>
>
> marco scotoni wrote:
>
> >Hi, i have an error on this .xsp page but i can't solve....help plz
> >
> >Error:
> >org.apache.cocoon.ProcessingException: Language Exception:
> >org.apache.cocoon.components.language.LanguageException: Error compiling
> >query_prod_xsp:
> >Line 1113, column 18:  ')' expected
> >Line 1114, column 11:  illegal start of expression
> >Line 1113, column 11:  variable String not found in class
> >org.apache.cocoon.www.mount.html_pdf.query_prod_xsp
> >Line 0, column 0:
> >3 errors
> >
> >
> >
> >Page .xsp
> ><?xml version="1.0" encoding="ISO-8859-1"?>
> ><!-- CVS: $Id: esql.xsp,v 1.4 2002/02/09 06:21:57 vgritsenko Exp $ -->
> ><xsp:page language="java"
> >xmlns:xsp="http://apache.org/xsp"
> >xmlns:esql="http://apache.org/cocoon/SQL/v2"
> >xmlns:xsp-request="http://apache.org/xsp/request/2.0"
> >
> >
> ><xsp:logic>
> >static String replace(String str, String pattern, String replace) {
> >int s = 0;
> >int e = 0;
> >StringBuffer result = new StringBuffer();
> >while ((e = str.indexOf(pattern, s)) >= 0) {
> >result.append(str.substring(s, e));
> >result.append(replace);
> >s = e+pattern.length();
> >}
> >result.append(str.substring(s));
> >return result.toString();
> >}
> >
> ></xsp:logic>
> ><page>
> >
> >
> ><esql:connection>
> ><esql:pool>trafomec</esql:pool>
> ><esql:execute-query>
> ><esql:query>select distinct nome_prod, data_prod from tabella_prodotto where
> >id_prod=<esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
> ></esql:query>
> ><esql:results>
> ><esql:row-results>
> ><nomeprod><esql:get-string column="nome_prod"/></nomeprod>
> ><dataprod><esql:get-string column="data_prod"/></dataprod>
> ></esql:row-results>
> ></esql:results>
> ></esql:execute-query>
> ></esql:connection>
> >
> ><!-- Query per la Foto -->
> ><tabellafoto>
> ><esql:connection>
> ><esql:pool>trafomec</esql:pool>
> ><esql:execute-query>
> ><esql:query>select distinct id_ufoto,link,desc_foto from tabella_foto where
> >id_foto=<xsp:expr>request.getParameter("num")</xsp:expr>
> ></esql:query>
> ><esql:results>
> ><esql:row-results>
> ><foto>
> ><linkfoto><esql:get-string column="link"/></linkfoto>
> ><descfoto><esql:get-string column="desc_foto"/></descfoto>
> ></foto>
> ></esql:row-results>
> ></esql:results>
> ></esql:execute-query>
> ></esql:connection>
> ></tabellafoto>
> ><catfun>
> ><esql:connection>
> ><esql:pool>trafomec</esql:pool>
> ><esql:execute-query>
> ><esql:query>select distinct tabella_at.nome_at as nome_at,
> >tabella_cf.nome_cf as nome_cf from
> >tabella_at,tabella_cf,tabella_famiglia,tabella_prodotto where
> >tabella_famiglia.id_at=tabella_at.id_at and
> >tabella_famiglia.id_cf=tabella_cf.id_cf and tabella_famiglia.id_fa=4 and
> >tabella_prodotto.id_fa=4</esql:query>
> ><esql:results>
> ><esql:row-results>
> ><bl_cf>
> ><cat><esql:get-string column="nome_at"/></cat>
> ><fnc><esql:get-string column="nome_cf"/></fnc>
> ></bl_cf>
> ></esql:row-results>
> ></esql:results>
> ></esql:execute-query>
> ></esql:connection>
> ></catfun>
> ><esql:connection>
> ><esql:pool>trafomec</esql:pool>
> ><esql:execute-query>
> ><esql:query>select distinct specifiche from tabella_prodotto where
> >id_prod=4</esql:query>
> ><esql:results>
> ><esql:row-results>
> ><spec>
> ><xsp:expr>
> >String Prova;
> ></xsp:expr>
> ></spec>
> ></esql:row-results>
> ></esql:results>
> ></esql:execute-query>
> ></esql:connection>
> ></page>
> ></xsp:page>
> >
> >__________________________________________________________________
> >Dark Schneider
> >ICQ#: 13815557
> >__________________________________________________________________
> >
> >
> >---------------------------------------------------------------------
> >Please check that your question  has not already been answered in the
> >FAQ before posting.     <http://xml.apache.org/cocoon/faq/index.html>
> >
> >To unsubscribe, e-mail:     <cocoon-users-unsubscribe@xml.apache.org>
> >For additional commands, e-mail:   <cocoon-users-help@xml.apache.org>
> >
> >
> >
> >
>
>
>


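As an added example (not code from this thread or from Cocoon), the following Python shows what the two forms of the `id_prod=` clause discussed above amount to once the page is compiled: the raw `<xsp:expr>request.getParameter("num")</xsp:expr>` pastes the request value into the SQL text, while `<esql:parameter>` binds it as a value. An in-memory SQLite table stands in for `tabella_prodotto`; its rows and the product names are constructed for this example, and the last function shows the substring replacement from the follow-up question done on the fetched value rather than in SQL.

```python
import sqlite3

# Constructed sample data standing in for the thread's tabella_prodotto;
# column names follow the thread, the rows are invented for this example.
SAMPLE_ROWS = [
    (4, "Trasformatore 4", "2002-11-07", "spec A"),
    (5, "Trasformatore 5", "2002-11-06", "spec B"),
    (6, "Trasformatore 6", "2002-11-05", "spec C"),
]


def open_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table tabella_prodotto "
        "(id_prod integer, nome_prod text, data_prod text, specifiche text)"
    )
    conn.executemany("insert into tabella_prodotto values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concat(conn, num):
    """Effect of id_prod=<xsp:expr>request.getParameter("num")</xsp:expr>:
    the request value becomes part of the SQL text, so a value that is not
    a plain number changes the query itself."""
    sql = "select distinct nome_prod, data_prod from tabella_prodotto where id_prod=" + num
    return conn.execute(sql).fetchall()


def query_param(conn, num):
    """Effect of id_prod=<esql:parameter>...</esql:parameter>: the value is
    bound as a parameter and compared as data, never parsed as SQL."""
    sql = "select distinct nome_prod, data_prod from tabella_prodotto where id_prod=?"
    return conn.execute(sql, (num,)).fetchall()


def product_names(conn, num, old, new):
    """The substring replacement asked about in the follow-up belongs on the
    fetched column value in application code, not inside the query text."""
    return [nome.replace(old, new) for nome, _ in query_param(conn, num)]
```

With the value `4 or 1=1` the concatenated form returns every row, while the bound form returns none because the text does not equal any integer id.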

