Commit b74f259b by Kim Gyeongeun

#58990 #1. SQL インジェクションの影響を受ける可能性がある

#58991 #2. XSS(反射型)の影響を受ける可能性がある
parent f6ca2aaf
......@@ -9,6 +9,7 @@ import javax.mail.MessagingException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.RandomStringUtils;
import org.seasar.extension.jdbc.AutoSelect;
import org.seasar.extension.jdbc.where.ComplexWhere;
import org.seasar.extension.jdbc.where.SimpleWhere;
import org.seasar.framework.beans.util.BeanMap;
import org.seasar.framework.beans.util.Beans;
......@@ -93,10 +94,15 @@ public class MemberService extends AbstractService<Member> {
*/
public List<Member> findByEmail(String email) {
//入力されたemailでsub_pc_email,main_pc_emailともに検索する。
return jdbcManager.from(Member.class).where(" '"+email+"' in (sub_pc_email,main_pc_email) and del_flg = ? and valid_flg = ? "
,Integer.parseInt(SinaburoConstant.DelFlg.NOT_DEL)
,SinaburoConstant.ValidFlg.VALID
).getResultList();
// return jdbcManager.from(Member.class).where(" '"+email+"' in (sub_pc_email,main_pc_email) and del_flg = ? and valid_flg = ? "
// ,Integer.parseInt(SinaburoConstant.DelFlg.NOT_DEL)
// ,SinaburoConstant.ValidFlg.VALID
// ).getResultList();
// 脆弱性対応
return select().where(new SimpleWhere().eq("delFlg", SinaburoConstant.DelFlg.NOT_DEL).eq("validFlg", SinaburoConstant.ValidFlg.VALID),
new ComplexWhere().eq("mainPcEmail", email)
.or()
.eq("subPcEmail", email)).getResultList();
}
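Review bot: If I recall S2JDBC correctly, `SimpleWhere`/`ComplexWhere.eq()` silently drop a condition whose value is null, so a null `email` on L29–L31 would remove both email predicates and the query would return every non-deleted valid member, whereas the removed string-built predicate matched nothing in that case. Guard at the top of the method, `if (email == null || email.isEmpty()) { return Collections.emptyList(); }` (or `new ArrayList<Member>()` if `Collections` is not imported), and decide whether blank input should be treated the same way. L28 also binds `SinaburoConstant.DelFlg.NOT_DEL` as-is where the old code applied `Integer.parseInt` to it, which suggests `delFlg` is a numeric property; confirm the type or keep the conversion so the bound parameter matches the column. The commented-out copy of the old query on L23–L26 should be deleted rather than kept, since version control already holds it.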
......
......@@ -111,10 +111,11 @@
<tr>
<td>生年月日</td>
<td>
#if($!memberEditForm.birthdayY+$!memberEditForm.birthdayM+$!memberEditForm.birthdayD.length() != 0)
$!memberEditForm.birthdayY年$!memberEditForm.birthdayM月$!memberEditForm.birthdayD日
#else 未選択
#end
#set($yyyymmdd = $!memberEditForm.birthdayY + $!memberEditForm.birthdayM + $!memberEditForm.birthdayD)
#if($yyyymmdd.length() != 0)
#he($!memberEditForm.birthdayY)年#he($!memberEditForm.birthdayM)月#he($!memberEditForm.birthdayD)日
#else 未選択
#end
</td>
</tr>
<tr>
......@@ -123,12 +124,12 @@
</tr>
<tr>
<td>ポイント</td>
<td>$!escape.html($!memberEditForm.point)
<td>#he($!memberEditForm.point)
</td>
</tr>
<tr style="vertical-align:top">
<td style="vertical-align:top" >メモ</td>
<td>$!escape.html($!memberEditForm.memo)
<td>#he($!memberEditForm.memo)
</td>
</tr>
......@@ -140,9 +141,9 @@
</div>
##</div>
#makeToken()
<input type="hidden" name="loginIdBefore" value="$!memberEditForm.loginIdBefore">
<input type="hidden" name="mainPcEmailBefore" value="$!memberEditForm.mainPcEmailBefore">
<input type="hidden" name="subPcEmailBefore" value="$!memberEditForm.subPcEmailBefore">
<input type="hidden" name="loginIdBefore" value='#he("$!{memberEditForm.loginIdBefore}")'>
<input type="hidden" name="mainPcEmailBefore" value='#he("$!{memberEditForm.mainPcEmailBefore}")'>
<input type="hidden" name="subPcEmailBefore" value='#he("$!{memberEditForm.subPcEmailBefore}")'>
</form>
</div>
</div>
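Review bot: The rewritten hidden inputs on L71–L73 switch the attribute delimiter to single quotes, so the fix is only complete if the `#he` macro (not shown on this page) escapes the apostrophe; Velocity Tools' `EscapeTool.html()` and commons-lang 2's `StringEscapeUtils.escapeHtml`, which this project appears to use, leave `'` untouched, so a value containing one could still terminate the attribute. Safer to keep the attribute double-quoted, e.g. `value="#he("$!{memberEditForm.loginIdBefore}")"` (Velocity consumes the directive's own quotes, so the surrounding HTML quotes survive), or to make `#he` emit `&#39;` for `'` explicitly. The same single-quoted pattern appears in the hunks at L78–L94, L95–L110, L112–L128, L129–L142, L170–L182, L194–L218 and L219–L250.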
......
......@@ -242,14 +242,14 @@
</tr>
<tr>
<td>ポイント<font class="listpoint">*</font></td>
<td><input name="point" type="text" / class="w250" value="$!escape.html($!memberEditForm.point)">
<td><input name="point" type="text" / class="w250" value='#he("$!{memberEditForm.point}")'>
<BR>$!tools.getMsg("point")
</td>
</tr>
<tr>
<td style="vertical-align:top" >メモ</td>
<td>
<textarea name="memo" cols="35" rows="5" class="w180 mgt5">$!memberEditForm.memo</textarea>
<textarea name="memo" cols="35" rows="5" class="w180 mgt5">#he($!memberEditForm.memo)</textarea>
<BR>$!tools.getMsg("memo")
</td>
</tr>
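Review bot: The rewritten input on L83 carries over a stray `/` between `type="text"` and `class="w250"`, which is not valid attribute syntax; since the line is being rewritten anyway, drop it so the attributes read `type="text" class="w250"`. The slash is inherited from the old side, so this is cosmetic, but browsers differ in how they recover from it. The new line L117 in the next file has the same stray slash.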
......@@ -267,11 +267,11 @@
</div>
##</div>
#makeToken()
<input type="hidden" name="loginIdBefore" value="$!memberEditForm.loginIdBefore">
<input type="hidden" name="mainPcEmailBefore" value="$!memberEditForm.mainPcEmailBefore">
<input type="hidden" name="subPcEmailBefore" value="$!memberEditForm.subPcEmailBefore">
<input type="hidden" name="memberId" value="$!memberEditForm.memberId">
<input type="hidden" name="withDrawFlgBefore" value="$!memberEditForm.withDrawFlgBefore">
<input type="hidden" name="loginIdBefore" value='#he("$!{memberEditForm.loginIdBefore}")'>
<input type="hidden" name="mainPcEmailBefore" value='#he("$!{memberEditForm.mainPcEmailBefore}")'>
<input type="hidden" name="subPcEmailBefore" value='#he("$!{memberEditForm.subPcEmailBefore}")'>
<input type="hidden" name="memberId" value='#he("$!{memberEditForm.memberId}")'>
<input type="hidden" name="withDrawFlgBefore" value='#he("$!{memberEditForm.withDrawFlgBefore}")'>
</form>
</div>
......
......@@ -220,14 +220,14 @@
## </tr>
<tr>
<td>ポイント<font class="listpoint">*</font></td>
<td><input name="point" type="text" / class="w250" value="$!escape.html($!memberEditForm.point)">
<td><input name="point" type="text" / class="w250" value='#he("$!{memberEditForm.point}")'>
<BR>$!tools.getMsg("point")
</td>
</tr>
<tr>
<td style="vertical-align:top" >メモ</td>
<td>
<textarea name="memo" cols="35" rows="5" class="w180 mgt5">$!memberEditForm.memo</textarea>
<textarea name="memo" cols="35" rows="5" class="w180 mgt5">#he($!memberEditForm.memo)</textarea>
<BR>$!tools.getMsg("memo")
</td>
</tr>
......@@ -242,10 +242,10 @@
<button class="button" onclick="send_check(); return false;">入力情報確認</button>
</div>
##</div>
<input type="hidden" name="loginIdBefore" value="$!memberEditForm.loginIdBefore">
<input type="hidden" name="mainPcEmailBefore" value="$!memberEditForm.mainPcEmailBefore">
<input type="hidden" name="subPcEmailBefore" value="$!memberEditForm.subPcEmailBefore">
<input type="hidden" name="memberId" value="$!memberEditForm.memberId">
<input type="hidden" name="loginIdBefore" value='#he("$!{memberEditForm.loginIdBefore}")'>
<input type="hidden" name="mainPcEmailBefore" value='#he("$!{memberEditForm.mainPcEmailBefore}")'>
<input type="hidden" name="subPcEmailBefore" value='#he("$!{memberEditForm.subPcEmailBefore}")'>
<input type="hidden" name="memberId" value='#he("$!{memberEditForm.memberId}")'>
</form>
</div>
......
......@@ -106,8 +106,9 @@
<tr>
<td style="vertical-align:top">生年月日</td>
<td>
#if($!memberEditForm.birthdayY+$!memberEditForm.birthdayM+$!memberEditForm.birthdayD.length() != 0)
$!memberEditForm.birthdayY年$!memberEditForm.birthdayM月$!memberEditForm.birthdayD日
#set($yyyymmdd = $!memberEditForm.birthdayY + $!memberEditForm.birthdayM + $!memberEditForm.birthdayD)
#if($yyyymmdd.length() != 0)
#he($!memberEditForm.birthdayY)年#he($!memberEditForm.birthdayM)月#he($!memberEditForm.birthdayD)日
#else 未選択
#end
</td>
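Review bot: The `#set($yyyymmdd = $!memberEditForm.birthdayY + ...)` on L150 relies on `+` over quiet references, but `$!` does not turn a null into an empty string inside an expression: when the fields are null the addition does not yield `""` (Velocity either logs an error and yields null or concatenates the literal text `null`), and with the default `directive.set.null.allowed=false` a null result leaves `$yyyymmdd` unset, so `$yyyymmdd.length() != 0` on L151 compares null with 0, is true, and renders an empty 年月日 line instead of 未選択. A string literal avoids this because quiet references interpolate as empty there: `#if("$!memberEditForm.birthdayY$!memberEditForm.birthdayM$!memberEditForm.birthdayD" != "")`. I cannot see the form class, so whether these fields can actually be null needs confirming; the same construct is in the hunk at L34–L49.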
......@@ -119,12 +120,12 @@
## </tr>
<tr>
<td>ポイント</td>
<td>$!escape.html($!memberEditForm.point)
<td>#he($!memberEditForm.point)
</td>
</tr>
<tr>
<td style="vertical-align:top" >メモ</td>
<td>$!escape.html($!memberEditForm.memo)
<td>#he($!memberEditForm.memo)
</td>
</tr>
......@@ -136,9 +137,9 @@
</div>
##</div>
#makeToken()
<input type="hidden" name="loginIdBefore" value="$!memberEditForm.loginIdBefore">
<input type="hidden" name="mainPcEmailBefore" value="$!memberEditForm.mainPcEmailBefore">
<input type="hidden" name="subPcEmailBefore" value="$!memberEditForm.subPcEmailBefore">
<input type="hidden" name="loginIdBefore" value='#he("$!{memberEditForm.loginIdBefore}")'>
<input type="hidden" name="mainPcEmailBefore" value='#he("$!{memberEditForm.mainPcEmailBefore}")'>
<input type="hidden" name="subPcEmailBefore" value='#he("$!{memberEditForm.subPcEmailBefore}")'>
</form>
</div>
</div>
......
......@@ -88,7 +88,7 @@ function formClear(form_obj){
<tr>
<td class="w100">電話</td>
<td><input name="telNo" type="text" class="w180 mgl10" value="$!escape.html($!memberSearchForm.telNo)">&nbsp;を含む</td>
<td class="w100">性別$!memberSearchForm.genderCd</td>
<td class="w100">性別#he($!memberSearchForm.genderCd)</td>
<td>
<select name="genderCd" id="genderCd" class="w100 mgl10">
<option value=""></option>
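Review bot: Escaping `$!memberSearchForm.genderCd` on L189 is correct, but printing the raw code inside the 性別 label cell, directly above the `genderCd` select that already carries the value, looks like a debugging leftover; if it is, removing the reference (`<td class="w100">性別</td>`) is the cleaner fix and also takes one piece of user-controlled data off the page. I cannot see whether anything depends on this text, so treat this as a question for the author.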
......
......@@ -38,19 +38,19 @@
#end
<h3 class="table_title">管理者情報 </h3>
<form method="POST" action="#q('/admin/setting/adminRegist/confirm/')" >
<input type="hidden" name="clickedLoginId" id="clickedLoginId" value="$!clickedLoginId"/>
<input type="hidden" name="clickedLoginId" id="clickedLoginId" value='#he("$!{clickedLoginId}")'/>
#if($adminUserIndex)
#set($adminUser = $adminRegistForm.adminUserList.get($adminUserIndex))
#end
<input type="hidden" name="updateFlag" id="updateFlag" value="$!adminRegistForm.updateFlag"/>
<input type="hidden" name="pageNo" id="pageNo" value="${pageNo}"/>
<input type="hidden" name="updateFlag" id="updateFlag" value='#he("$!{adminRegistForm.updateFlag}")'/>
<input type="hidden" name="pageNo" id="pageNo" value='#he("$!{pageNo}")'/>
<table border="0" cellpadding="0" cellspacing="0" class="stripe2 mgb10 w840">
<tr>
<td class="w240 t_center">ログインID<font class="listpoint">*</font></td>
<td class="w600 t_left" colspan="2"><input name="loginId" type="text" class="w230" value="$!escape.html($!{adminRegistForm.loginId})"/><BR>$tools.getMsg("loginId") $tools.getMsg("repetLoginId")
<input name="adminUserId" type="hidden" value="$!{adminUserId}"/>
<input name="delFlg" type="hidden" value="$!{delFlg}"/>
<input name="adminUserId" type="hidden" value='#he("$!{adminUserId}")'/>
<input name="delFlg" type="hidden" value='#he("$!{delFlg}")'/>
</td>
</tr>
<tr>
......
......@@ -39,10 +39,10 @@
<div id="right_contents">
<h3 class="table_title">管理者#if($!adminRegistForm.updateFlag=="update")編集#else登録#end確認</h3>
<form method="POST" action="#q('/admin/setting/adminRegist/regist/')" >
<input type="hidden" name="loginIdFromList" id="loginIdFromList" value="$!loginIdFromList"/>
<input type="hidden" name="clickedLoginId" id="clickedLoginId" value="$!clickedLoginId"/>
<input type="hidden" name="updateFlag" id="updateFlag" value="$!adminRegistForm.updateFlag"/>
<input type="hidden" name="pageNo" id="pageNo" value="${pageNo}"/>
<input type="hidden" name="loginIdFromList" id="loginIdFromList" value='#he("$!{loginIdFromList}")'/>
<input type="hidden" name="clickedLoginId" id="clickedLoginId" value='#he("$!{clickedLoginId}")'/>
<input type="hidden" name="updateFlag" id="updateFlag" value='#he("$!{adminRegistForm.updateFlag}")'/>
<input type="hidden" name="pageNo" id="pageNo" value='#he("$!{pageNo}")'/>
<table border="0" cellpadding="0" cellspacing="0" class="stripe2 mgb30 w850">
......@@ -65,12 +65,12 @@
</tr>
##<tr>
##<td class="w840 t_center" colspan="2">
## <input type="hidden" name="adminUserId" value="$!{adminRegistForm.adminUserId}"/>
## <input type="hidden" name="loginId" value="$!{adminRegistForm.loginId}"/>
## <input type="hidden" name="password" value="$!{adminRegistForm.password}"/>
## <input type="hidden" name="adminUserName" value="$!{adminRegistForm.adminUserName}"/>
## <input type="hidden" name="email" value="$!{adminRegistForm.email}"/>
<input type="hidden" name="delFlg" value="$!{adminRegistForm.delFlg}"/>
## <input type="hidden" name="adminUserId" value='#he("$!{adminUserId}")'/>
## <input type="hidden" name="loginId" value='#he("$!{adminRegistForm.loginId}")'/>
## <input type="hidden" name="password" value='#he("$!{adminRegistForm.password}")'/>
## <input type="hidden" name="adminUserName" value='#he("$!{adminRegistForm.adminUserName}")'/>
## <input type="hidden" name="email" value='#he("$!{adminRegistForm.email}")'/>
<input type="hidden" name="delFlg" value='#he("$!{adminRegistForm.delFlg}")'/>
##<input type="button" class="button" onclick="back();" value="戻る"/>&nbsp;&nbsp;<input type="submit" class="button" value="登録"/>
##</td>
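Review bot: L242–L246 are `##` comment lines, so escaping their contents changes nothing in the output; dead template code like this should be deleted rather than maintained, in particular the commented-out hidden `password` field, which would echo a credential back into the page if it were ever re-enabled. The live `delFlg` hidden input on L247 is now escaped for rendering, but it still round-trips a delete flag through the client; confirm that the `regist` action re-derives or validates it server-side rather than trusting the posted value, since output escaping does not address that.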
......