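package kr.co.kihyun.beans.user;

import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.sql.SQLException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import kr.co.kihyun.beans.entity.SubmitReport;
import kr.co.kihyun.db.DBManager;
import kr.co.kihyun.lang.MString;
import kr.co.kihyun.moumi.MoumiConfig;
import kr.co.kihyun.text.html.ServletUtil;

/**
 * Sets or clears the approval flag ({@code APPRO}) of one or more {@code MOUMI_TOT_REPORT}
 * rows on behalf of the logged-in user and writes the resulting alert/redirect script to the
 * HTTP response.
 *
 * <p>All work happens in the constructor, which is how the surrounding JSP layer drives this
 * bean. The DB connection inherited from {@link DBManager} is always released in
 * {@code finally} via {@code execClose()}.
 *
 * <p>Request parameters read: {@code reportID} (comma-separated report ids),
 * {@code userID} (comma-separated user ids, paired with {@code reportID}, see the loop note in
 * the constructor), {@code reportType} (echoed back into the redirect URL) and
 * {@code strGubun} (the new APPRO value; {@code "1"} selects the "approved" message, any
 * other value the "cancelled" message).
 */
public class UserApproModify extends DBManager {

    private static final Logger LOG = LoggerFactory.getLogger(UserApproModify.class);

    /** Page every outcome redirects back to; {@link #buildListUrl} appends the query parameters. */
    private static final String LIST_PAGE = "/totsys/repoper/mydocbox/endbox/report_list.jsp";

    /** Parameterized update: APPRO is the approval flag, ID the report primary key. */
    private static final String UPDATE_APPRO_SQL = "UPDATE MOUMI_TOT_REPORT SET APPRO=? WHERE ID=?";

    /** System-authority levels that may update any report, not only their own. */
    private static final int[] ADMIN_AUTH_LEVELS = {5, 7, 9};

    /**
     * Performs the approval update and writes the outcome to {@code res}.
     *
     * <p>Unauthenticated callers are sent to the login page. For every paired
     * (user id, report id) entry the update is executed only when the caller is the listed
     * user or holds an administrative authority level; otherwise a "no permission" alert is
     * written. Any {@link IOException}, {@link SQLException} or runtime failure is logged and
     * reported to the user as a cancelled modification.
     *
     * @param req current request; parameters are read from it as documented on the class
     * @param res response the alert/redirect script is written to
     */
    public UserApproModify(HttpServletRequest req, HttpServletResponse res) {
        // Kept null-initialised so the failure path can still build a redirect URL when the
        // parameters were never read (the concatenation yields "null", as before).
        String reportID = null;
        String reportType = null;
        String usID = HttpSSOLogin.getLoginID(req);
        PrintWriter out = null;
        try {
            res.setContentType("text/html;charset=UTF-8");
            out = res.getWriter();

            if (!HttpSSOLogin.isLogin(req)) {
                out.println(ServletUtil.getJavaScript("location='/totsys/login/login.jsp';"));
                return;
            }

            reportID = MString.checkNull(req.getParameter("reportID"), "null");
            String userId = MString.checkNull(req.getParameter("userID"), null);
            reportType = MString.checkNull(req.getParameter("reportType"), "null");
            String strGubun = MString.checkNull(req.getParameter("strGubun"), "null");

            if (userId == null) {
                // A missing userID used to surface as a NullPointerException in the generic
                // handler; report it explicitly with the same user-visible outcome.
                LOG.warn("UserApproModify: missing userID parameter, user={}", usID);
                reportFailure(out, reportID, reportType);
                return;
            }
            String[] userIDList = userId.split(",");
            String[] reportIDList = reportID.split(",");

            SubmitReport submitReport = new SubmitReport();
            submitReport.getSysAuth(usID);
            int sysAuth = submitReport.getAuthNum();
            boolean isAdmin = isAdminAuth(sysAuth);

            // Loop-invariant values hoisted out of the per-entry loop.
            String gubun = strGubun.replace(" ", "");
            String resultKey = "1".equals(gubun)
                    ? "moumi.message.tot_doc.approModify"
                    : "moumi.message.tot_doc.approCancel";
            String listUrl = buildListUrl(reportID, reportType);

            // NOTE(review): the loop starts at 1 and pairs userIDList[i] with reportIDList[i-1],
            // which only works if the userID parameter carries a leading placeholder element —
            // confirm against the calling JSP. The pairing is preserved unchanged here.
            for (int i = 1; i < userIDList.length; i++) {
                String targetUser = userIDList[i].replace(" ", "");
                String targetReportId = reportIDList[i - 1];

                // NOTE(review): the "owner" check compares the caller's login id with an id
                // taken from the request's own userID parameter, not with the owner stored on
                // the MOUMI_TOT_REPORT row. Resolving the owner from the DB row would make the
                // check independent of client-supplied data — confirm against the data model.
                if (usID.equals(targetUser) || isAdmin) {
                    // strGubun is stored as given (only the message choice uses the
                    // whitespace-stripped copy); the SQL itself is parameterized.
                    execUpdate(UPDATE_APPRO_SQL, strGubun, targetReportId);
                    out.println(ServletUtil.alert(message(resultKey)));
                } else {
                    out.println(ServletUtil.alert(message("moumi.message.tot_doc.approModifyNoPer")));
                }
                // One redirect per processed entry, as the original emitted.
                out.println(ServletUtil.redirect(listUrl));
            }
        // 44. Inappropriate exception handling (overly broad exception class) _CWE-754, added by YOUNGJUN,CHO:
        // specific types first, the broad catch only as a last resort so a failure still
        // produces a user-visible outcome instead of a blank page.
        } catch (IOException ioex) {
            LOG.error("UserApproModify: I/O failure, user={}", usID, ioex);
            reportFailure(out, reportID, reportType);
        } catch (SQLException sqlex) {
            LOG.error("UserApproModify: SQL failure, user={}", usID, sqlex);
            reportFailure(out, reportID, reportType);
        } catch (Exception e) {
            LOG.error("UserApproModify: unexpected failure, user={}", usID, e);
            reportFailure(out, reportID, reportType);
        } finally {
            execClose();
        }
    }

    /**
     * Returns whether {@code sysAuth} is one of the administrative levels (5, 7, 9) that may
     * update any report.
     */
    private static boolean isAdminAuth(int sysAuth) {
        for (int level : ADMIN_AUTH_LEVELS) {
            if (level == sysAuth) {
                return true;
            }
        }
        return false;
    }

    /** Looks up a user-facing message from the configured bundle. */
    private static String message(String key) {
        return MoumiConfig.getMessageBundle().getString(key);
    }

    /**
     * Builds the report-list redirect URL with {@code reportID} and {@code reportType}
     * URL-encoded.
     *
     * <p>v2 9. Cross-site scripting (PrintWriter), updated by KWON,HAN: both values are echoed
     * from the request into a script the browser executes. The original only stripped
     * {@code <}, {@code >} and {@code ,} — and only on the generic error path — so the normal
     * paths emitted the raw values. Encoding them as query-string values covers every path and
     * keeps the comma-separated report ids intact once the container decodes them.
     *
     * @param reportID raw reportID parameter (may be null; rendered as "null" like before)
     * @param reportType raw reportType parameter (may be null; rendered as "null" like before)
     */
    private static String buildListUrl(String reportID, String reportType) {
        return LIST_PAGE + "?reload=yes&reportID=" + encode(String.valueOf(reportID))
                + "&reportType=" + encode(String.valueOf(reportType));
    }

    /** URL-encodes a query-string value; UTF-8 is mandatory for every JVM, so the catch is unreachable. */
    private static String encode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is not supported by this JVM", e);
        }
    }

    /**
     * Writes the "modification cancelled" alert and the list redirect. Safe to call when the
     * writer was never obtained (e.g. {@code getWriter()} itself failed); the failure is then
     * only logged instead of raising a second exception inside the handler.
     */
    private static void reportFailure(PrintWriter out, String reportID, String reportType) {
        if (out == null) {
            LOG.warn("UserApproModify: response writer unavailable, cannot report failure to user");
            return;
        }
        out.println(ServletUtil.alert(message("moumi.message.tot_doc.approModifyCancel")));
        out.println(ServletUtil.redirect(buildListUrl(reportID, reportType)));
    }
}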