JSPHTML代码规范.doc

1.错误代码 String username = abc; String sql = select * from t_user where user_name = \’ + username + \’; Statement stmt = conn.createStatement(sql); Stmt.executeQuery(); 正确代码 1.使用参数绑定方式（推荐） String username = abc; String sql = select * from t_user where user_name = ?; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, username); stmt.executeQuery(); 2.使用escapeSQL的方式（如果很难改成参数绑定方式使用该方式） String username = abc; String sql = select * from t_user where user_name = \’ + StringUtils.escapeSQL(username) + \’; Statement stmt = conn.createStatement(sql); Stmt.executeQuery(); 2.错误代码 String username = request.getParameter(user_name); String userid = request.getParameter(user_id); String sql = update t_user set user_name = ? where user_id = ?; PreparedStatement stmt = conn.preparedStatement(sql); Stmt.setString(1, username); Stmt.setInt(2, userid); stmt.executeUpdate(); 正确代码 （仅作为参考，不考虑效率以及框架的规范，请参照项目现行的框架规范进行改进） String username = request.getParameter(user_name); String userid = request.getParameter(user_id); if (username == null || username.trim().length() == 0) { throw new Exception(User name cannot be null.); } if (username.getBytes().length 20) { throw new Exception(Max length of user name is 20); } int userId = -1; try { userId = Integer.parseInt(userid); } catch (Exception e) { throw new Exception(User ID cannot be null and must be a integer.); } String sql = update t_user set user_name = ? where user_id = ?; PreparedStatement stmt = conn.preparedStatement(sql); Stmt.setString(1, username); Stmt.setInt(2, userId); stmt.executeUpdate(); 考虑到该修改涉及到的范围基本覆盖所有代码，建议建立新的Form校验解决方案以彻底解决该问题。 1.错误代码 JavaScript中 var url=updateCodeList.do?tableName=+tableName+whereClause=+whereClause; form.action=url; form.submit(); Java代码中 String tableName= request.getParameter(tableName); String whereClause = request.getParameter(“whereClause) String sql = select * from + tableName + where + whereClause; //…some db query code 正确代码 JavaScript中 var url = updateCodeList.do?dataSour