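package kr.co.kihyun.tree;

import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.sql.SQLException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import kr.co.kihyun.beans.user.HttpSSOLogin;
import kr.co.kihyun.db.DBManager;
import kr.co.kihyun.lang.MInteger;
import kr.co.kihyun.lang.MString;
import kr.co.kihyun.moumi.MoumiConfig;
import kr.co.kihyun.text.html.ServletUtil;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Updates one MOUMI_MUSER row from the request's form parameters and answers with a
 * JavaScript alert followed by a redirect back to the user view page.
 *
 * <p>The request is only served when an SSO session exists ({@link HttpSSOLogin#isLogin});
 * otherwise the client is sent to the login page.
 *
 * <p>NOTE(review): apart from "is logged in" nothing here checks that the caller is allowed
 * to edit the supplied userID or to set SYS_AUTH/PRIORITY/DEPT_ID. Confirm that an
 * authorization check exists upstream (filter or calling JSP) or add one before the update.
 */
public class UserModify extends DBManager {

    private static final Logger LOG = LoggerFactory.getLogger(UserModify.class);

    /** Script fragment that sends an unauthenticated client to the login page. */
    private static final String LOGIN_REDIRECT = "location='/totsys/login/login.jsp';";

    /** View page the client is returned to after the update, with the user id appended. */
    private static final String VIEW_PAGE = "/totsys/sysadm/user/user_view.jsp?reload=yes&userID=";

    /** Parameterized update; all values are bound, never concatenated. */
    private static final String UPDATE_SQL =
            "UPDATE MOUMI_MUSER SET NAME=?,EMAIL=?,PHONE=?,DUTY_NAME=?,"
            + "PRIORITY=?,SYS_AUTH=?,DEPT_ID=? WHERE ID=?";

    /** Bundle key for the success popup. */
    private static final String MSG_CHANGED = "moumi.message.popup.coporationChange";

    /** Bundle key for the failure popup. */
    private static final String MSG_NOT_CHANGED = "moumi.message.popup.notCoporationChangeAdmin";

    /**
     * Handles one update request.
     *
     * @param req source of the form parameters deptID, userID, userName, dutyName, phone,
     *            email, priority and sysAuth (missing or "null" text fields are stored as NULL)
     * @param res receives the HTML/JavaScript response
     */
    public UserModify(HttpServletRequest req, HttpServletResponse res) {
        PrintWriter out = null;
        String userId = null;
        try {
            res.setContentType("text/html;charset=UTF-8");
            out = res.getWriter();

            if (!HttpSSOLogin.isLogin(req)) {
                out.println(ServletUtil.getJavaScript(LOGIN_REDIRECT));
                return;
            }

            // Resolve userId before anything else so the failure paths can redirect to it.
            userId = nullIfMissing(req.getParameter("userID"));
            String deptId = nullIfMissing(req.getParameter("deptID"));
            // "ROOT" is the synthetic top node of the department tree, not a real department id.
            if ("ROOT".equals(deptId)) {
                deptId = null;
            }
            String userName = nullIfMissing(req.getParameter("userName"));
            String dutyName = nullIfMissing(req.getParameter("dutyName"));
            String phone = nullIfMissing(req.getParameter("phone"));
            String email = nullIfMissing(req.getParameter("email"));
            int priority = MInteger.parseInt(req.getParameter("priority"));
            int sysAuth = MInteger.parseInt(req.getParameter("sysAuth"));

            execUpdate(UPDATE_SQL, userName, email, phone, dutyName, priority, sysAuth, deptId, userId);

            out.println(ServletUtil.alert(message(MSG_CHANGED)));
            out.println(ServletUtil.redirect(viewPageUrl(userId)));
        // Separate catch clauses are kept deliberately (CWE-754 remediation: do not rely on
        // a single broad handler); every failure is logged with its stack trace, never printed.
        } catch (IOException ioex) {
            LOG.error("UserModify: response I/O failed for userID={}", userId, ioex);
            reportFailure(out, userId);
        } catch (SQLException sqlex) {
            LOG.error("UserModify: update failed for userID={}", userId, sqlex);
            reportFailure(out, userId);
        } catch (Exception e) {
            LOG.error("UserModify: unexpected failure for userID={}", userId, e);
            reportFailure(out, userId);
        } finally {
            execClose();
        }
    }

    /**
     * Maps an absent parameter, or the literal text "null", to {@code null} so the column is
     * stored as SQL NULL rather than the string "null".
     *
     * @param value raw request parameter, may be null
     * @return the value, or null when it is missing or equals "null"
     */
    private static String nullIfMissing(String value) {
        String normalized = MString.checkNull(value, "null");
        return "null".equals(normalized) ? null : normalized;
    }

    /**
     * Builds the redirect target for the user view page.
     *
     * <p>The id comes straight from a request parameter and is echoed into output the client
     * interprets, so it is URL-encoded (this covers {@code < > , ' "} and friends). The same
     * encoding is applied on every path; previously only one error branch filtered it.
     * A null id yields the literal "null", preserving the historical concatenation result.
     *
     * @param userId user id to append, may be null
     * @return the view page URL with the encoded id
     */
    static String viewPageUrl(String userId) {
        try {
            return VIEW_PAGE + URLEncoder.encode(String.valueOf(userId), "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory on every JVM; reaching this would be a platform bug.
            throw new IllegalStateException("UTF-8 encoding unavailable", e);
        }
    }

    /**
     * Writes the failure alert and the redirect back to the view page.
     * Does nothing when the writer could not be obtained (the IOException path), which is
     * the case the old code turned into a NullPointerException inside the catch block.
     *
     * @param out    response writer, may be null
     * @param userId user id for the redirect, may be null
     */
    private static void reportFailure(PrintWriter out, String userId) {
        if (out == null) {
            return;
        }
        out.println(ServletUtil.alert(message(MSG_NOT_CHANGED)));
        out.println(ServletUtil.redirect(viewPageUrl(userId)));
    }

    /**
     * Looks up a user-facing message from the application bundle.
     *
     * @param key bundle key
     * @return the localized text
     */
    private static String message(String key) {
        return MoumiConfig.getMessageBundle().getString(key);
    }
}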