Atitit.提升电子商务安全性 在线充值功能安全方面的设计
1. 防止dataservcie对充值订单表的直接改写,只能通过api,不能通过sql1
1.2. 判断是否有此订单,否则CantFindRechargeOrderEx1
1.3. 如果订单状态有无。throw new RechargeOrderStatErr(" order.stat:" + order_id + "." + stat);1
1.4. 判断次订单是否处理过。。if (finished(order_id))1
1.6. 判断来路money是否与数据库内的相同FeeNotEquEx2
1.7. 判断订单修改状态,如果不为1 OrderFinishEx2
1. 防止dataservcie对充值订单表的直接改写,只能通过api,不能通过sql
1.1. Order_id的安全取值,注入检测
String order_id = (String) SqlSecuryCheckor.val(m.get("order_id"));
1.2. 判断是否有此订单,否则CantFindRechargeOrderEx
1.3. 如果订单状态有无。throw new RechargeOrderStatErr(" order.stat:" + order_id + "." + stat);
1.4. 判断次订单是否处理过。。if (finished(order_id))
return "already_finish";
必须判断feeFromUrl throw new SecuryEx(" feeFromUrl is null");
作者:: ★(attilax)>>> 绰号:老哇的爪子 ( 全名::Attilax Akbar Al Rapanui 阿提拉克斯 阿克巴 阿尔 拉帕努伊 ) 汉字名:艾龙, EMAIL:1466519819@qq.com
转载请注明来源: http://blog.csdn.net/attilax
1.5.
if(m.get("feeFromUrl")==null)
throw new SecuryEx(" feeFromUrl is null");
1.6. 判断来路money是否与数据库内的相同FeeNotEquEx
if( money_frmDb.compareTo(money_frmUrl)!=0 )
throw new FeeNotEquEx(" froom url total_fee.dbfee:"+m.get("feeFromUrl").toString()+"-"+ ormx.querySingleRow.get("money") );
1.7. 判断订单修改状态,如果不为1 OrderFinishEx
Object r = ormx.exe(m);
if ((Integer) r == 1)
{
String uid=ormx.querySingleRow.get("uid").toString();
BigDecimal money=(BigDecimal) ormx.querySingleRow.get("money");
accSvr.addAmount(uid, money);
return "ok";
}
throw new OrderFinishEx(" order finish ex");
1.8. Codce
package com.attilax.order;
import java.math.BigDecimal;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.xmlbeans.impl.xb.xsdschema.Public;
import aaaCfg.IocX4casher;
import bsh.StringUtil;
import com.attilax.acc.Acc;
import com.attilax.acc.AccService;
//import com.attilax.bet.AmountCalcService;
import com.attilax.data.DataStoreService;
import com.attilax.db.DBX;
import com.attilax.db.DbService;
import com.attilax.function.Function;
import com.attilax.io.filex;
import com.attilax.ioc.IocUtilV2;
import com.attilax.ioc.IocXq214;
import com.attilax.json.AtiJson;
import com.attilax.lang.FunctinImp;
import com.attilax.lang.Global;
import com.attilax.lang.SecuryEx;
import com.attilax.log.LogSvr;
import com.attilax.math.ADecimal;
import com.attilax.orm.AOrm;
import com.attilax.orm.AtiOrm;
import com.attilax.sms.SmsService;
import com.attilax.sql.SqlSecuryCheckor;
//import com.attilax.sql.DbService;
import com.attilax.store.StoreService;
import com.attilax.user.User;
import com.attilax.user.UserService;
import com.attilax.util.DataMapper;
import com.attilax.web.ReqX;
import com.google.common.collect.Maps;
import com.google.inject.ImplementedBy;
import com.google.inject.Inject;
import com.google.inject.name.Named;
import com.attilax.trigger.Trigger_after;
/**
* v3 add refuse and accept com.attilax.order.OrderService4jobus.refuse
*
* com.attilax.order.RechargeOrderService
* @author attilax 2016年4月14日 下午12:36:44
*/
public class RechargeOrderService extends OrderService {
public static void main(String[] args) {
System.out.println("--f");
System.setProperty("apptype", "jobus");
System.setProperty("prj", "jobus");
RechargeOrderService srv = IocUtilV2
.getBean(RechargeOrderService.class);
// System.out.println(srv.refuse("0301_152839_178"));
// System.out.println(srv.accept("0301_152839_178"));
Map m = Maps.newLinkedHashMap();
m.put("$table", "orderv2");
m.put("order_id", "198201");
//
String finishMsg = (String) srv.finish(m);
System.out.println(finishMsg);
System.out.println("--f");
}
@Inject
DataStoreService storeSvr;
@Inject
UserService userSvr;
@Inject
AccService accSvr;
@Inject
AmountCalcService amoutCalcSvr;
@Inject
private LogSvr logSvr;
// @Inject @Named("order_service_dataMaper")
// @ImplementedBy(FunctinImp.class) should ostion in interface java hto..
// public Function dataMaper;
@Inject
public Trigger_after trig_bef;
@Inject
public Trigger_after trig_aft;
public int insert(HttpServletRequest req) {
return insert(ReqX.toMap(req));
}
public int insert(Map order) {
if (userSvr == null)
throw new RuntimeException("#userSvr_is_null");
if (accSvr == null)
throw new RuntimeException("#accSvr_is_null");
if (amoutCalcSvr == null)
throw new RuntimeException("#amoutCalcSvr_is_null");
if (userSvr.isNotLogin()) {
throw new RuntimeException(" not login 没登录,请先登录..#not_login");
}
User u = userSvr.getLoginUser();
Acc a = accSvr.getAcc(u.id);
BigDecimal needMoney = amoutCalcSvr.calc(order);
if (new ADecimal(needMoney).biggerEqualThan(a.amount))
throw new RuntimeException(
" amount not enough 金额不足够 ..#amount_not_enough ");
// /...insert
order.put("$op", "insert");
order.put("order_id", filex.getUUidName());
order.put("order_money", needMoney);
trig_bef.apply(order);
storeSvr.insert(order);
int rzt = accSvr.reduceAmount(u.id.toString(), needMoney.doubleValue());
logSvr.log(order);
return rzt;
}
@Inject
AtiOrm ormx;
/**
* for req
attilax 2016年4月20日 下午4:11:03
* @return
*/
public Object finish()
{
HttpServletRequest req=Global.req.get();
return finish(ReqX.toMap(req));
}
public Object finish(Map m) {
// if(StringUtils.isEmpty((String)m.get("$where")) )
// throw new RuntimeException("no $where contion..");
String order_id = (String) SqlSecuryCheckor.val(m.get("order_id"));
if (finished(order_id))
return "already_finish";
//-------check money equ
if(m.get("feeFromUrl")==null)
throw new SecuryEx(" feeFromUrl is null");
BigDecimal money_frmDb=(BigDecimal) ormx.querySingleRow.get("money");
BigDecimal money_frmUrl=new BigDecimal( m.get("feeFromUrl").toString());
if( money_frmDb.compareTo(money_frmUrl)!=0 )
throw new FeeNotEquEx(" froom url total_fee.dbfee:"+m.get("feeFromUrl").toString()+"-"+ ormx.querySingleRow.get("money") );
m.put("stat", 1);
String where = " order_id='$order_id$'".replace("$order_id$",
SqlSecuryCheckor.val(m.get("order_id")));
m.put("$where", where);
m.remove("order_id");
// m.put("stat",1);
ormx.m = m;
ormx.setOp(ormx.update);
ormx.setTable("orderv2");
Object r = ormx.exe(m);
if ((Integer) r == 1)
{
String uid=ormx.querySingleRow.get("uid").toString();
BigDecimal money=(BigDecimal) ormx.querySingleRow.get("money");
accSvr.addAmount(uid, money);
return "ok";
}
throw new OrderFinishEx(" order finish ex");
}
/**
attilax 2016年4月21日 下午9:29:02
* @param string
* @return
*/
private Exception FeeNotEquEx(String string) {
// TODO Auto-generated method stub
return null;
}
private boolean finished(String order_id) {
String s = "select * from orderv2 where order_id='" + order_id + "'";
Map m = ormx.tabletype("sql").querySingleRow(s).querySingleRow;
if (m == null)
throw new CantFindRechargeOrder("order id:" + order_id);
String stat = m.get("stat").toString();
if (stat.equals("1"))
return true;
if (stat.equals("0"))
return false;
throw new RechargeOrderStatErr(" order.stat:" + order_id + "." + stat);
// return m.get("stat").toString().equals("1");
// ormx.tabletype("sql").exist(s).existRzt;
// false;
}
public List<Map> query(Map order) {
if (userSvr.isNotLogin()) {
throw new RuntimeException(" not login 没登录,请先登录..#not_login");
}
User u = userSvr.getLoginUser();
return null;
// /...insert
// return accSvr.reduceAmount(u.id.toString(), needMoney.doubleValue());
}
@Deprecated
public String query2json(Map order) {
return AtiJson.toJson(query(order));
// /...insert
// return accSvr.reduceAmount(u.id.toString(), needMoney.doubleValue());
}
}