Search the mailing list archives for SQL injection - your page is vulnerable.
Use <esql:parameter><xsp-request:get-parameter name="num"/></esql:parameter> in your query.

I don't see a closing '>' on the <xsp:page> tag in the beginning of the file. I would have expected it to give you a different error, though.

Your problem is coming from the last <xsp:expr> in the file:

<xsp:expr>
String Prova;
</xsp:expr>


You either meant to declare a String variable Prova, which you should do with <xsp:logic> tags, or
you meant to output "String Prova;", for which you should have used quotes.

So, it's either:
<xsp:logic>
String Prova;
</xsp:logic>

or

<xsp:expr>
"String Prova;"
</xsp:expr>

Also, it would be faster if you opened the database connection once, and then placed all your queries inside of it:

<?xml version="1.0" encoding="ISO-8859-1"?>
<xsp:page language="java" xmlns:xsp="http://apache.org/xsp"
xmlns:esql="http://apache.org/cocoon/SQL/v2"
xmlns:xsp-request="http://apache.org/xsp/request/2.0">

<xsp:logic>
static String replace(String str, String pattern, String replace) {
int s = 0;
int e = 0;
StringBuffer result = new StringBuffer();
while ((e = str.indexOf(pattern, s)) >= 0) {
result.append(str.substring(s, e));
result.append(replace);
s = e+pattern.length();
}
result.append(str.substring(s));
return result.toString();
}

</xsp:logic>

<page>
<esql:connection>
<esql:pool>trafomec</esql:pool>
<esql:execute-query>
<esql:query>
select distinct nome_prod, data_prod from tabella_prodotto where id_prod=
<esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
</esql:query>
<esql:results>
<esql:row-results>
<nomeprod><esql:get-string column="nome_prod"/></nomeprod>
<dataprod><esql:get-string column="data_prod"/></dataprod>
</esql:row-results>
</esql:results>
</esql:execute-query>

<!-- Query per la Foto -->
<tabellafoto>
<esql:execute-query>
<esql:query>
select distinct id_ufoto,link,desc_foto from tabella_foto where
id_foto=
<esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
</esql:query>
<esql:results>
<esql:row-results>
<foto>
<linkfoto><esql:get-string column="link"/></linkfoto>
<descfoto><esql:get-string column="desc_foto"/></descfoto>
</foto>
</esql:row-results>
</esql:results>
</esql:execute-query>
</tabellafoto>
<catfun>
<esql:execute-query>
<esql:query>
SELECT DISTINCT tabella_at.nome_at as nome_at,
tabella_cf.nome_cf as nome_cf
FROM tabella_at, tabella_cf, tabella_famiglia, tabella_prodotto
WHERE tabella_famiglia.id_at=tabella_at.id_at AND
tabella_famiglia.id_cf=tabella_cf.id_cf AND tabella_famiglia.id_fa=4 AND
tabella_prodotto.id_fa=4
</esql:query>
<esql:results>
<esql:row-results>
<bl_cf>
<cat><esql:get-string column="nome_at"/></cat>
<fnc><esql:get-string column="nome_cf"/></fnc>
</bl_cf>
</esql:row-results>
</esql:results>
</esql:execute-query>
</catfun>
<esql:execute-query>
<esql:query>
select distinct specifiche from tabella_prodotto where id_prod=4
</esql:query>
<esql:results>
<esql:row-results>
<spec>
<xsp:expr>"String Prova;"</xsp:expr>
</spec>
</esql:row-results>
</esql:results>
</esql:execute-query>
</esql:connection>
</page>
</xsp:page>

marco scotoni wrote:

Hi, I have an error on this .xsp page but I can't solve it... help please

Error:
org.apache.cocoon.ProcessingException: Language Exception:
org.apache.cocoon.components.language.LanguageException: Error compiling
query_prod_xsp:
Line 1113, column 18: ')' expected
Line 1114, column 11: illegal start of expression
Line 1113, column 11: variable String not found in class
org.apache.cocoon.www.mount.html_pdf.query_prod_xsp
Line 0, column 0:
3 errors



Page .xsp
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- CVS: $Id: esql.xsp,v 1.4 2002/02/09 06:21:57 vgritsenko Exp $ -->
<xsp:page language="java"
xmlns:xsp="http://apache.org/xsp"
xmlns:esql="http://apache.org/cocoon/SQL/v2"
xmlns:xsp-request="http://apache.org/xsp/request/2.0"

<xsp:logic>
static String replace(String str, String pattern, String replace) {
int s = 0;
int e = 0;
StringBuffer result = new StringBuffer();
while ((e = str.indexOf(pattern, s)) >= 0) {
result.append(str.substring(s, e));
result.append(replace);
s = e+pattern.length();
}
result.append(str.substring(s));
return result.toString();
}

</xsp:logic>
<page>


<esql:connection>
<esql:pool>trafomec</esql:pool>
<esql:execute-query>
<esql:query>select distinct nome_prod, data_prod from tabella_prodotto where
id_prod=<esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
</esql:query>
<esql:results>
<esql:row-results>
<nomeprod><esql:get-string column="nome_prod"/></nomeprod>
<dataprod><esql:get-string column="data_prod"/></dataprod>
</esql:row-results>
</esql:results>
</esql:execute-query>
</esql:connection>

<!-- Query per la Foto -->
<tabellafoto>
<esql:connection>
<esql:pool>trafomec</esql:pool>
<esql:execute-query>
<esql:query>select distinct id_ufoto,link,desc_foto from tabella_foto where
id_foto=<xsp:expr>request.getParameter("num")</xsp:expr>
</esql:query>
<esql:results>
<esql:row-results>
<foto>
<linkfoto><esql:get-string column="link"/></linkfoto>
<descfoto><esql:get-string column="desc_foto"/></descfoto>
</foto>
</esql:row-results>
</esql:results>
</esql:execute-query>
</esql:connection>
</tabellafoto>
<catfun>
<esql:connection>
<esql:pool>trafomec</esql:pool>
<esql:execute-query>
<esql:query>select distinct tabella_at.nome_at as nome_at,
tabella_cf.nome_cf as nome_cf from
tabella_at,tabella_cf,tabella_famiglia,tabella_prodotto where
tabella_famiglia.id_at=tabella_at.id_at and
tabella_famiglia.id_cf=tabella_cf.id_cf and tabella_famiglia.id_fa=4 and
tabella_prodotto.id_fa=4</esql:query>
<esql:results>
<esql:row-results>
<bl_cf>
<cat><esql:get-string column="nome_at"/></cat>
<fnc><esql:get-string column="nome_cf"/></fnc>
</bl_cf>
</esql:row-results>
</esql:results>
</esql:execute-query>
</esql:connection>
</catfun>
<esql:connection>
<esql:pool>trafomec</esql:pool>
<esql:execute-query>
<esql:query>select distinct specifiche from tabella_prodotto where
id_prod=4</esql:query>
<esql:results>
<esql:row-results>
<spec>
<xsp:expr>
String Prova;
</xsp:expr>
</spec>
</esql:row-results>
</esql:results>
</esql:execute-query>
</esql:connection>
</page>
</xsp:page>

__________________________________________________________________
Dark Schneider
ICQ#: 13815557
__________________________________________________________________
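The reply's first point, that putting <xsp:expr>request.getParameter("num")</xsp:expr> directly into the SQL text makes the page vulnerable while <esql:parameter> binds the value as a statement parameter, can be shown outside Cocoon. The following is an added example, not code from this thread or from Cocoon: it uses Python's sqlite3 as a stand-in for the JDBC statement ESQL generates, with a constructed in-memory tabella_prodotto table (rows are made up; the table and column names are the ones from the thread). query_concat reproduces the string-concatenation behaviour, query_bound the bound-parameter behaviour, and validated_id is an extra check the thread does not mention.

```python
import re
import sqlite3

# Constructed sample rows; only the table and column names come from the thread.
SAMPLE_ROWS = [
    (1, "Prodotto uno", "2002-01-10"),
    (4, "Prodotto quattro", "2002-02-03"),
    (7, "Prodotto sette", "2002-02-09"),
]


def make_db():
    """Create an in-memory database with the constructed tabella_prodotto rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tabella_prodotto (id_prod INTEGER, nome_prod TEXT, data_prod TEXT)"
    )
    conn.executemany("INSERT INTO tabella_prodotto VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concat(conn, num):
    """The vulnerable shape: the request value is pasted into the SQL text,
    which is what an <xsp:expr> placed directly inside <esql:query> does.
    Whatever the client sent is parsed as SQL, not treated as a value."""
    sql = (
        "select distinct nome_prod, data_prod from tabella_prodotto where id_prod="
        + num
    )
    return conn.execute(sql).fetchall()


def query_bound(conn, num):
    """The safe shape: the SQL text is fixed and the value is bound as a
    statement parameter, which is what <esql:parameter> provides. The
    value can never change the structure of the query."""
    sql = "select distinct nome_prod, data_prod from tabella_prodotto where id_prod=?"
    return conn.execute(sql, (num,)).fetchall()


def validated_id(num):
    """Defence in depth (hypothetical helper, not part of the thread):
    an id_prod is a plain non-negative integer, so reject anything else
    before it reaches the query layer at all."""
    if not re.fullmatch(r"[0-9]+", num):
        raise ValueError("num must be a non-negative integer")
    return int(num)


if __name__ == "__main__":
    conn = make_db()
    # A well-formed id gives the same single row either way.
    print(query_concat(conn, "4"))
    print(query_bound(conn, "4"))
    # A value that is not a bare integer: concatenation lets it alter the
    # WHERE clause and returns every row; binding compares it as data and
    # matches nothing.
    print(len(query_concat(conn, "4 OR 1=1")))
    print(query_bound(conn, "4 OR 1=1"))
```

The bound query returns no rows for the malformed value because the driver compares the string as a value against the integer column; the concatenated query returns the whole table because the same string became part of the SQL. validated_id adds a second line of defence so that a non-numeric value is rejected with a clear error before any statement is built.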


---------------------------------------------------------------------
Please check that your question has not already been answered in the
FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail: <[EMAIL PROTECTED]>
For additional commands, e-mail: <[EMAIL PROTECTED]>