cocoon-users mailing list archives

From "Ilya A. Kriveshko" <i...@kaon.com>
Subject Re: XSP+logic
Date Thu, 07 Nov 2002 15:45:05 GMT
Search the mailing list archives for SQL injection - your page is 
vulnerable.
Use <esql:parameter><xsp-request:get-parameter name="num"/></esql:parameter> in your query.

I don't see a closing '>' on the <xsp:page> tag in the beginning of the 
file. I would have expected it to give you a different error, though.

Your problem is coming from the last <xsp:expr> in the file:

<xsp:expr>
  String Prova;
</xsp:expr>


You either meant to declare a String variable Prova, which you should do 
with <xsp:logic> tags, or
you meant to output "String Prova;", for which you should have used quotes.

So, it's either:
<xsp:logic>
  String Prova;
</xsp:logic>

or

<xsp:expr>
  "String Prova;"
</xsp:expr>

Also, it would be faster if you opened the database connection once, and 
then placed all your queries inside of it:

<?xml version="1.0" encoding="ISO-8859-1"?>
<xsp:page language="java" xmlns:xsp="http://apache.org/xsp"
  xmlns:esql="http://apache.org/cocoon/SQL/v2"
  xmlns:xsp-request="http://apache.org/xsp/request/2.0">

  <xsp:logic>
    static String replace(String str, String pattern, String replace) {
        int s = 0;
        int e = 0;
        StringBuffer result = new StringBuffer();
        while ((e = str.indexOf(pattern, s)) >= 0) {
            result.append(str.substring(s, e));
            result.append(replace);
            s = e+pattern.length();
        }
        result.append(str.substring(s));
        return result.toString();
    }

  </xsp:logic>

  <page>
    <esql:connection>
      <esql:pool>trafomec</esql:pool>
      <esql:execute-query>
        <esql:query>
          select distinct nome_prod, data_prod from tabella_prodotto
          where id_prod=
          <esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
        </esql:query>
        <esql:results>
          <esql:row-results>
            <nomeprod><esql:get-string column="nome_prod"/></nomeprod>
            <dataprod><esql:get-string column="data_prod"/></dataprod>
          </esql:row-results>
        </esql:results>
      </esql:execute-query>

      <!-- Query per la Foto -->
      <tabellafoto>
        <esql:execute-query>
          <esql:query>
            select distinct id_ufoto,link,desc_foto from tabella_foto
            where id_foto=
            <esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
          </esql:query>
          <esql:results>
            <esql:row-results>
              <foto>
                <linkfoto><esql:get-string column="link"/></linkfoto>
                <descfoto><esql:get-string column="desc_foto"/></descfoto>
              </foto>
            </esql:row-results>
          </esql:results>
        </esql:execute-query>
      </tabellafoto>
      <catfun>
        <esql:execute-query>
          <esql:query>
            SELECT DISTINCT tabella_at.nome_at as nome_at,
                            tabella_cf.nome_cf as nome_cf
              FROM tabella_at, tabella_cf, tabella_famiglia, tabella_prodotto
              WHERE tabella_famiglia.id_at=tabella_at.id_at AND
                    tabella_famiglia.id_cf=tabella_cf.id_cf AND
                    tabella_famiglia.id_fa=4 AND
                    tabella_prodotto.id_fa=4
          </esql:query>
          <esql:results>
            <esql:row-results>
              <bl_cf>
                <cat><esql:get-string column="nome_at"/></cat>
                <fnc><esql:get-string column="nome_cf"/></fnc>
              </bl_cf>
            </esql:row-results>
          </esql:results>
        </esql:execute-query>
      </catfun>
   
      <esql:execute-query>
        <esql:query>
          select distinct specifiche from tabella_prodotto where id_prod=4
        </esql:query>
        <esql:results>
          <esql:row-results>
            <spec>
              <xsp:expr>"String Prova;"</xsp:expr>
            </spec>
          </esql:row-results>
        </esql:results>
      </esql:execute-query>
    </esql:connection>
  </page>
</xsp:page>

marco scotoni wrote:

>Hi, I have an error on this .xsp page but I can't solve it... help plz
>
>Error:
>org.apache.cocoon.ProcessingException: Language Exception:
>org.apache.cocoon.components.language.LanguageException: Error compiling
>query_prod_xsp:
>Line 1113, column 18:  ')' expected
>Line 1114, column 11:  illegal start of expression
>Line 1113, column 11:  variable String not found in class
>org.apache.cocoon.www.mount.html_pdf.query_prod_xsp
>Line 0, column 0:
>3 errors
>
>
>
>Page .xsp
><?xml version="1.0" encoding="ISO-8859-1"?>
><!-- CVS: $Id: esql.xsp,v 1.4 2002/02/09 06:21:57 vgritsenko Exp $ -->
><xsp:page language="java"
>xmlns:xsp="http://apache.org/xsp"
>xmlns:esql="http://apache.org/cocoon/SQL/v2"
>xmlns:xsp-request="http://apache.org/xsp/request/2.0"
>  
>
><xsp:logic>
>static String replace(String str, String pattern, String replace) {
>int s = 0;
>int e = 0;
>StringBuffer result = new StringBuffer();
>while ((e = str.indexOf(pattern, s)) >= 0) {
>result.append(str.substring(s, e));
>result.append(replace);
>s = e+pattern.length();
>}
>result.append(str.substring(s));
>return result.toString();
>}
>
></xsp:logic>
><page>
>
>
><esql:connection>
><esql:pool>trafomec</esql:pool>
><esql:execute-query>
><esql:query>select distinct nome_prod, data_prod from tabella_prodotto where
>id_prod=<esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
></esql:query>
><esql:results>
><esql:row-results>
><nomeprod><esql:get-string column="nome_prod"/></nomeprod>
><dataprod><esql:get-string column="data_prod"/></dataprod>
></esql:row-results>
></esql:results>
></esql:execute-query>
></esql:connection>
>
><!-- Query per la Foto -->
><tabellafoto>
><esql:connection>
><esql:pool>trafomec</esql:pool>
><esql:execute-query>
><esql:query>select distinct id_ufoto,link,desc_foto from tabella_foto where
>id_foto=<xsp:expr>request.getParameter("num")</xsp:expr>
></esql:query>
><esql:results>
><esql:row-results>
><foto>
><linkfoto><esql:get-string column="link"/></linkfoto>
><descfoto><esql:get-string column="desc_foto"/></descfoto>
></foto>
></esql:row-results>
></esql:results>
></esql:execute-query>
></esql:connection>
></tabellafoto>
><catfun>
><esql:connection>
><esql:pool>trafomec</esql:pool>
><esql:execute-query>
><esql:query>select distinct tabella_at.nome_at as nome_at,
>tabella_cf.nome_cf as nome_cf from
>tabella_at,tabella_cf,tabella_famiglia,tabella_prodotto where
>tabella_famiglia.id_at=tabella_at.id_at and
>tabella_famiglia.id_cf=tabella_cf.id_cf and tabella_famiglia.id_fa=4 and
>tabella_prodotto.id_fa=4</esql:query>
><esql:results>
><esql:row-results>
><bl_cf>
><cat><esql:get-string column="nome_at"/></cat>
><fnc><esql:get-string column="nome_cf"/></fnc>
></bl_cf>
></esql:row-results>
></esql:results>
></esql:execute-query>
></esql:connection>
></catfun>
><esql:connection>
><esql:pool>trafomec</esql:pool>
><esql:execute-query>
><esql:query>select distinct specifiche from tabella_prodotto where
>id_prod=4</esql:query>
><esql:results>
><esql:row-results>
><spec>
><xsp:expr>
>String Prova;
></xsp:expr>
></spec>
></esql:row-results>
></esql:results>
></esql:execute-query>
></esql:connection>
></page>
></xsp:page>
>
>__________________________________________________________________
>Dark Schneider
>ICQ#: 13815557
>__________________________________________________________________
>
>
>---------------------------------------------------------------------
>Please check that your question  has not already been answered in the
>FAQ before posting.     <http://xml.apache.org/cocoon/faq/index.html>
>
>To unsubscribe, e-mail:     <cocoon-users-unsubscribe@xml.apache.org>
>For additional commands, e-mail:   <cocoon-users-help@xml.apache.org>
>
>
>  
>



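The two ways of getting the request value into the query that the reply contrasts (spliced into the SQL text with <xsp:expr> versus bound with <esql:parameter>), modelled as an added example in Python with sqlite3 rather than the thread's XSP/JDBC code. The table, rows and function names are constructed here, and the validated variant is an extra integer check on top of binding that the thread does not mention.

```python
import sqlite3

# Constructed sample data standing in for the thread's tabella_prodotto table.
SAMPLE_ROWS = [
    (4, "Prodotto quattro", "2002-11-07"),
    (5, "Prodotto cinque", "2002-10-01"),
]

QUERY = "select distinct nome_prod, data_prod from tabella_prodotto where id_prod="


def make_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table tabella_prodotto (id_prod integer, nome_prod text, data_prod text)"
    )
    conn.executemany("insert into tabella_prodotto values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, num):
    """What <xsp:expr>request.getParameter("num")</xsp:expr> inside <esql:query>
    amounts to: the request value is pasted into the SQL text and parsed as SQL."""
    return conn.execute(QUERY + num).fetchall()


def query_parameterized(conn, num):
    """What <esql:parameter> amounts to: ESQL emits a PreparedStatement and binds
    the value, so the database only ever sees it as data, never as SQL."""
    return conn.execute(QUERY + "?", (num,)).fetchall()


def query_validated(conn, num):
    """Defence in depth on top of binding: id_prod is numeric, so refuse anything
    that is not an integer before it reaches the database."""
    try:
        id_prod = int(num)
    except ValueError:
        raise ValueError("num must be an integer") from None
    return conn.execute(QUERY + "?", (id_prod,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A plain id behaves the same either way; a value carrying SQL text does not.
    for value in ("4", "4 or 1=1"):
        print(repr(value), "concatenated:  ", query_concatenated(db, value))
        print(repr(value), "parameterized: ", query_parameterized(db, value))
```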

