Thanks. The problem is that I have to replace a substring in the result of a query...
but there aren't methods or tags to do it...

----- Original Message -----
From: "Ilya A. Kriveshko" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 4:45 PM
Subject: Re: XSP+logic


> Search the mailing list archives for SQL injection - your page is
> vulnerable.
> Use <esql:parameter><xsp-request:get-parameter
> name="num"/></esql:parameter> in your query.
>
> I don't see a closing '>' on the <xsp:page> tag in the beginning of the
> file. I would have expected it to give you a different error, though.
>
> Your problem is coming from the last <xsp:expr> in the file:
>
> <xsp:expr>
> String Prova;
> </xsp:expr>
>
>
> You either meant to declare a String variable Prova, which you
> should do with <xsp:logic> tags, or
> you meant to output "String Prova;", for which you should have used quotes.
>
> So, it's either:
> <xsp:logic>
> String Prova;
> </xsp:logic>
>
> or
>
> <xsp:expr>
> "String Prova;"
> </xsp:expr>
>
> Also, it would be faster if you opened the database connection once, and
> then placed all your queries inside of it:
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <xsp:page language="java" xmlns:xsp="http://apache.org/xsp"
> xmlns:esql="http://apache.org/cocoon/SQL/v2"
> xmlns:xsp-request="http://apache.org/xsp/request/2.0">
>
> <xsp:logic>
> // Replaces every occurrence of pattern in str with replace.
> static String replace(String str, String pattern, String replace) {
> // indexOf("") always matches, so an empty pattern would loop forever.
> if (pattern.length() == 0) return str;
> int s = 0;
> int e = 0;
> StringBuffer result = new StringBuffer();
> while ((e = str.indexOf(pattern, s)) >= 0) {
> result.append(str.substring(s, e));
> result.append(replace);
> s = e+pattern.length();
> }
> result.append(str.substring(s));
> return result.toString();
> }
>
> </xsp:logic>
>
> <page>
> <esql:connection>
> <esql:pool>trafomec</esql:pool>
> <esql:execute-query>
> <esql:query>
> select distinct nome_prod, data_prod from tabella_prodotto
> where id_prod=
>
> <esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
> </esql:query>
> <esql:results>
> <esql:row-results>
> <nomeprod><esql:get-string column="nome_prod"/></nomeprod>
> <dataprod><esql:get-string column="data_prod"/></dataprod>
> </esql:row-results>
> </esql:results>
> </esql:execute-query>
>
> <!-- Query for the photo -->
> <tabellafoto>
> <esql:execute-query>
> <esql:query>
> select distinct id_ufoto,link,desc_foto from tabella_foto where
> id_foto=
>
> <esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
> </esql:query>
> <esql:results>
> <esql:row-results>
> <foto>
> <linkfoto><esql:get-string column="link"/></linkfoto>
> <descfoto><esql:get-string column="desc_foto"/></descfoto>
> </foto>
> </esql:row-results>
> </esql:results>
> </esql:execute-query>
> </tabellafoto>
> <catfun>
> <esql:execute-query>
> <esql:query>
> SELECT DISTINCT tabella_at.nome_at as nome_at,
> tabella_cf.nome_cf as nome_cf
> FROM tabella_at, tabella_cf, tabella_famiglia,
> tabella_prodotto
> WHERE tabella_famiglia.id_at=tabella_at.id_at AND
> tabella_famiglia.id_cf=tabella_cf.id_cf AND
> tabella_famiglia.id_fa=4 AND
> tabella_prodotto.id_fa=4
> </esql:query>
> <esql:results>
> <esql:row-results>
> <bl_cf>
> <cat><esql:get-string column="nome_at"/></cat>
> <fnc><esql:get-string column="nome_cf"/></fnc>
> </bl_cf>
> </esql:row-results>
> </esql:results>
> </esql:execute-query>
> </catfun>
>
> <esql:execute-query>
> <esql:query>
> select distinct specifiche from tabella_prodotto where id_prod=4
> </esql:query>
> <esql:results>
> <esql:row-results>
> <spec>
> <xsp:expr>"String Prova;"</xsp:expr>
> </spec>
> </esql:row-results>
> </esql:results>
> </esql:execute-query>
> </esql:connection>
> </page>
> </xsp:page>
>
> marco scotoni wrote:
>
> >Hi, I have an error on this .xsp page but I can't solve it.... help please
> >
> >Error:
> >org.apache.cocoon.ProcessingException: Language Exception:
> >org.apache.cocoon.components.language.LanguageException: Error compiling
> >query_prod_xsp:
> >Line 1113, column 18: ')' expected
> >Line 1114, column 11: illegal start of expression
> >Line 1113, column 11: variable String not found in class
> >org.apache.cocoon.www.mount.html_pdf.query_prod_xsp
> >Line 0, column 0:
> >3 errors
> >
> >
> >
> >Page .xsp
> ><?xml version="1.0" encoding="ISO-8859-1"?>
> ><!-- CVS: $Id: esql.xsp,v 1.4 2002/02/09 06:21:57 vgritsenko Exp $ -->
> ><xsp:page language="java"
> >xmlns:xsp="http://apache.org/xsp"
> >xmlns:esql="http://apache.org/cocoon/SQL/v2"
> >xmlns:xsp-request="http://apache.org/xsp/request/2.0"
> >
> >
> ><xsp:logic>
> >static String replace(String str, String pattern, String replace) {
> >int s = 0;
> >int e = 0;
> >StringBuffer result = new StringBuffer();
> >while ((e = str.indexOf(pattern, s)) >= 0) {
> >result.append(str.substring(s, e));
> >result.append(replace);
> >s = e+pattern.length();
> >}
> >result.append(str.substring(s));
> >return result.toString();
> >}
> >
> ></xsp:logic>
> ><page>
> >
> >
> ><esql:connection>
> ><esql:pool>trafomec</esql:pool>
> ><esql:execute-query>
> ><esql:query>select distinct nome_prod, data_prod from tabella_prodotto where
> >id_prod=<esql:parameter><xsp:expr>request.getParameter("num")</xsp:expr></esql:parameter>
> ></esql:query>
> ><esql:results>
> ><esql:row-results>
> ><nomeprod><esql:get-string column="nome_prod"/></nomeprod>
> ><dataprod><esql:get-string column="data_prod"/></dataprod>
> ></esql:row-results>
> ></esql:results>
> ></esql:execute-query>
> ></esql:connection>
> >
> ><!-- Query for the photo -->
> ><tabellafoto>
> ><esql:connection>
> ><esql:pool>trafomec</esql:pool>
> ><esql:execute-query>
> ><esql:query>select distinct id_ufoto,link,desc_foto from tabella_foto where
> >id_foto=<xsp:expr>request.getParameter("num")</xsp:expr>
> ></esql:query>
> ><esql:results>
> ><esql:row-results>
> ><foto>
> ><linkfoto><esql:get-string column="link"/></linkfoto>
> ><descfoto><esql:get-string column="desc_foto"/></descfoto>
> ></foto>
> ></esql:row-results>
> ></esql:results>
> ></esql:execute-query>
> ></esql:connection>
> ></tabellafoto>
> ><catfun>
> ><esql:connection>
> ><esql:pool>trafomec</esql:pool>
> ><esql:execute-query>
> ><esql:query>select distinct tabella_at.nome_at as nome_at,
> >tabella_cf.nome_cf as nome_cf from
> >tabella_at,tabella_cf,tabella_famiglia,tabella_prodotto where
> >tabella_famiglia.id_at=tabella_at.id_at and
> >tabella_famiglia.id_cf=tabella_cf.id_cf and tabella_famiglia.id_fa=4 and
> >tabella_prodotto.id_fa=4</esql:query>
> ><esql:results>
> ><esql:row-results>
> ><bl_cf>
> ><cat><esql:get-string column="nome_at"/></cat>
> ><fnc><esql:get-string column="nome_cf"/></fnc>
> ></bl_cf>
> ></esql:row-results>
> ></esql:results>
> ></esql:execute-query>
> ></esql:connection>
> ></catfun>
> ><esql:connection>
> ><esql:pool>trafomec</esql:pool>
> ><esql:execute-query>
> ><esql:query>select distinct specifiche from tabella_prodotto where
> >id_prod=4</esql:query>
> ><esql:results>
> ><esql:row-results>
> ><spec>
> ><xsp:expr>
> >String Prova;
> ></xsp:expr>
> ></spec>
> ></esql:row-results>
> ></esql:results>
> ></esql:execute-query>
> ></esql:connection>
> ></page>
> ></xsp:page>
> >
> >__________________________________________________________________
> >Dark Schneider
> >ICQ#: 13815557
> >__________________________________________________________________
> >
> >
> >---------------------------------------------------------------------
> >Please check that your question has not already been answered in the
> >FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html>
> >
> >To unsubscribe, e-mail: <[EMAIL PROTECTED]>
> >For additional commands, e-mail: <[EMAIL PROTECTED]>
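The SQL injection Ilya points out, shown as an added example that is not part of this thread or of Cocoon's own code. It reproduces the two query shapes from the page in Python against an in-memory SQLite table named after the page's tabella_foto: the original `id_foto=<xsp:expr>request.getParameter("num")</xsp:expr>`, where the request parameter is pasted into the SQL text, next to the `<esql:parameter>` form, which ESQL sends as a prepared-statement parameter. The table rows and the attacker input `4 OR 1=1` are constructed for the example; the extra `foto_checked` function with an integer check is an assumption about what a hardened page would do, not something from the thread.

```python
import sqlite3

# Constructed sample data for this example: the column names follow the
# tabella_foto query on the page, the rows themselves are invented.
SAMPLE_ROWS = [
    (4, "foto/prod_4.jpg", "Product 4"),
    (5, "foto/prod_5.jpg", "Product 5"),
    (6, "foto/internal.jpg", "Not meant for the public"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the page's tabella_foto."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tabella_foto (id_foto INTEGER, link TEXT, desc_foto TEXT)"
    )
    conn.executemany("INSERT INTO tabella_foto VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def foto_concat(conn: sqlite3.Connection, num: str) -> list:
    """The original page's shape: the request parameter becomes part of the
    SQL text, so it can rewrite the query instead of just supplying a value."""
    sql = "select distinct link, desc_foto from tabella_foto where id_foto=" + num
    return conn.execute(sql).fetchall()


def foto_param(conn: sqlite3.Connection, num: str) -> list:
    """The <esql:parameter> shape: the value is bound as a statement
    parameter, so whatever it contains is compared as data, never parsed
    as SQL. The SQL text is fixed before any user input is seen."""
    sql = "select distinct link, desc_foto from tabella_foto where id_foto=?"
    return conn.execute(sql, (num,)).fetchall()


def foto_checked(conn: sqlite3.Connection, num: str) -> list:
    """Defence in depth (assumed hardening, not from the thread): reject
    anything that is not an integer id before it reaches the database,
    then bind the integer as a parameter."""
    try:
        id_foto = int(num)
    except ValueError:
        raise ValueError(f"num must be an integer id, got {num!r}")
    sql = "select distinct link, desc_foto from tabella_foto where id_foto=?"
    return conn.execute(sql, (id_foto,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for num in ("4", "4 OR 1=1"):
        print(f"num={num!r}")
        print("  concatenated:", foto_concat(db, num))
        print("  parameter:   ", foto_param(db, num))
```

With `num=4` both forms return the one photo row. With `num=4 OR 1=1` the concatenated query becomes `... where id_foto=4 OR 1=1` and returns every row in the table, while the bound form compares the whole string against the integer column and returns nothing. The same holds for the `id_prod=` queries on the page, which is why the `<esql:parameter>` wrapper belongs on every place a request value enters an `<esql:query>`.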