• Atitit.提升电子商务安全性 在线充值功能安全方面的设计


    Atitit.提升电子商务安全性 在线充值功能安全方面的设计

     

    1. 防止dataservcie对充值订单表的直接改写,只能通过api,不能通过sql1

    1.1. Order_id的安全取值,注入检测1

    1.2. 判断是否有此订单,否则CantFindRechargeOrderEx1

    1.3. 如果订单状态有无。throw new RechargeOrderStatErr(" order.stat:" + order_id + "." + stat);1

    1.4. 判断次订单是否处理过。。if (finished(order_id))1

    1.5. 2

    1.6. 判断来路money是否与数据库内的相同FeeNotEquEx2

    1.7. 判断订单修改状态,如果不为1 OrderFinishEx2

    1.8. Codce2

     

    1. 防止dataservcie对充值订单表的直接改写,只能通过api,不能通过sql

    1.1. Order_id的安全取值,注入检测

    String order_id = (String) SqlSecuryCheckor.val(m.get("order_id"));

     

    1.2. 判断是否有此订单,否则CantFindRechargeOrderEx

    1.3. 如果订单状态有无。throw new RechargeOrderStatErr(" order.stat:" + order_id + "." + stat);

     

    1.4. 判断次订单是否处理过。。if (finished(order_id))

    return "already_finish";

     

    必须判断feeFromUrl  throw new SecuryEx(" feeFromUrl is null");

     

    作者::  ★(attilax)>>>   绰号:老哇的爪子  全名::Attilax Akbar Al Rapanui 阿提拉克斯 阿克巴 阿尔 拉帕努伊  汉字名:艾龙,  EMAIL:1466519819@qq.com

    转载请注明来源: http://blog.csdn.net/attilax

     

    1.5.  

    if(m.get("feeFromUrl")==null)

    throw new SecuryEx(" feeFromUrl is null");

     

    1.6. 判断来路money是否与数据库内的相同FeeNotEquEx

    if( money_frmDb.compareTo(money_frmUrl)!=0 )

    throw new FeeNotEquEx(" froom url total_fee.dbfee:"+m.get("feeFromUrl").toString()+"-"+  ormx.querySingleRow.get("money") );

     

    1.7. 判断订单修改状态,如果不为1 OrderFinishEx

    Object r = ormx.exe(m);

    if ((Integer) r == 1)

    {

    String uid=ormx.querySingleRow.get("uid").toString();

    BigDecimal money=(BigDecimal) ormx.querySingleRow.get("money");

    accSvr.addAmount(uid, money);

    return "ok";

    }

    throw new OrderFinishEx(" order finish ex");

     

     

    1.8. Codce

     

     

    package com.attilax.order;

     

    import java.math.BigDecimal;

    import java.util.Date;

    import java.util.HashMap;

    import java.util.List;

    import java.util.Map;

     

    import javax.servlet.http.HttpServletRequest;

     

    import org.apache.commons.lang3.StringUtils;

    import org.apache.xmlbeans.impl.xb.xsdschema.Public;

     

    import aaaCfg.IocX4casher;

    import bsh.StringUtil;

     

    import com.attilax.acc.Acc;

    import com.attilax.acc.AccService;

    //import com.attilax.bet.AmountCalcService;

    import com.attilax.data.DataStoreService;

    import com.attilax.db.DBX;

    import com.attilax.db.DbService;

    import com.attilax.function.Function;

    import com.attilax.io.filex;

    import com.attilax.ioc.IocUtilV2;

    import com.attilax.ioc.IocXq214;

    import com.attilax.json.AtiJson;

    import com.attilax.lang.FunctinImp;

    import com.attilax.lang.Global;

    import com.attilax.lang.SecuryEx;

    import com.attilax.log.LogSvr;

    import com.attilax.math.ADecimal;

    import com.attilax.orm.AOrm;

    import com.attilax.orm.AtiOrm;

    import com.attilax.sms.SmsService;

    import com.attilax.sql.SqlSecuryCheckor;

    //import com.attilax.sql.DbService;

    import com.attilax.store.StoreService;

    import com.attilax.user.User;

    import com.attilax.user.UserService;

    import com.attilax.util.DataMapper;

    import com.attilax.web.ReqX;

    import com.google.common.collect.Maps;

    import com.google.inject.ImplementedBy;

    import com.google.inject.Inject;

    import com.google.inject.name.Named;

    import com.attilax.trigger.Trigger_after;

     

    /**

     * v3 add refuse and accept com.attilax.order.OrderService4jobus.refuse

     *

     * com.attilax.order.RechargeOrderService

     * @author attilax 2016年4月14日 下午12:36:44

     */

    public class RechargeOrderService extends OrderService {

     

    public static void main(String[] args) {

    System.out.println("--f");

    System.setProperty("apptype", "jobus");

    System.setProperty("prj", "jobus");

    RechargeOrderService srv = IocUtilV2

    .getBean(RechargeOrderService.class);

     

    // System.out.println(srv.refuse("0301_152839_178"));

    // System.out.println(srv.accept("0301_152839_178"));

     

    Map m = Maps.newLinkedHashMap();

    m.put("$table", "orderv2");

    m.put("order_id", "198201");

    //

    String finishMsg = (String) srv.finish(m);

    System.out.println(finishMsg);

     

    System.out.println("--f");

     

    }

     

    @Inject

    DataStoreService storeSvr;

     

    @Inject

    UserService userSvr;

    @Inject

    AccService accSvr;

    @Inject

    AmountCalcService amoutCalcSvr;

    @Inject

    private LogSvr logSvr;

     

    // @Inject @Named("order_service_dataMaper")

    // @ImplementedBy(FunctinImp.class) should ostion in interface java hto..

    // public Function dataMaper;

    @Inject

    public Trigger_after trig_bef;

    @Inject

    public Trigger_after trig_aft;

     

    public int insert(HttpServletRequest req) {

    return insert(ReqX.toMap(req));

    }

     

    public int insert(Map order) {

    if (userSvr == null)

    throw new RuntimeException("#userSvr_is_null");

    if (accSvr == null)

    throw new RuntimeException("#accSvr_is_null");

    if (amoutCalcSvr == null)

    throw new RuntimeException("#amoutCalcSvr_is_null");

     

    if (userSvr.isNotLogin()) {

    throw new RuntimeException(" not login 没登录,请先登录..#not_login");

    }

     

    User u = userSvr.getLoginUser();

    Acc a = accSvr.getAcc(u.id);

     

    BigDecimal needMoney = amoutCalcSvr.calc(order);

     

    if (new ADecimal(needMoney).biggerEqualThan(a.amount))

    throw new RuntimeException(

    "  amount not enough 金额不足够 ..#amount_not_enough ");

     

    // /...insert

    order.put("$op", "insert");

    order.put("order_id", filex.getUUidName());

    order.put("order_money", needMoney);

    trig_bef.apply(order);

     

    storeSvr.insert(order);

     

    int rzt = accSvr.reduceAmount(u.id.toString(), needMoney.doubleValue());

    logSvr.log(order);

    return rzt;

     

    }

     

    @Inject

    AtiOrm ormx;

     

    /**

     * for req

    attilax    2016年4月20日  下午4:11:03

     * @return

     */

    public Object finish() 

    {

    HttpServletRequest req=Global.req.get();

    return finish(ReqX.toMap(req));

    }

    public Object finish(Map m) {

    // if(StringUtils.isEmpty((String)m.get("$where")) )

    // throw new RuntimeException("no $where contion..");

    String order_id = (String) SqlSecuryCheckor.val(m.get("order_id"));

    if (finished(order_id))

    return "already_finish";

    //-------check money equ

    if(m.get("feeFromUrl")==null)

    throw new SecuryEx(" feeFromUrl is null");

    BigDecimal money_frmDb=(BigDecimal) ormx.querySingleRow.get("money");

    BigDecimal money_frmUrl=new BigDecimal( m.get("feeFromUrl").toString());

    if( money_frmDb.compareTo(money_frmUrl)!=0 )

    throw new FeeNotEquEx(" froom url total_fee.dbfee:"+m.get("feeFromUrl").toString()+"-"+  ormx.querySingleRow.get("money") );

    m.put("stat", 1);

     

    String where = " order_id='$order_id$'".replace("$order_id$",

    SqlSecuryCheckor.val(m.get("order_id")));

    m.put("$where", where);

    m.remove("order_id");

    // m.put("stat",1);

    ormx.m = m;

    ormx.setOp(ormx.update);

    ormx.setTable("orderv2");

     

    Object r = ormx.exe(m);

    if ((Integer) r == 1)

    {

    String uid=ormx.querySingleRow.get("uid").toString();

    BigDecimal money=(BigDecimal) ormx.querySingleRow.get("money");

    accSvr.addAmount(uid, money);

    return "ok";

    }

    throw new OrderFinishEx(" order finish ex");

     

    }

     

    /**

    attilax    2016年4月21日  下午9:29:02

     * @param string

     * @return

     */

    private Exception FeeNotEquEx(String string) {

    // TODO Auto-generated method stub

    return null;

    }

     

    private boolean finished(String order_id) {

    String s = "select * from orderv2 where order_id='" + order_id + "'";

    Map m = ormx.tabletype("sql").querySingleRow(s).querySingleRow;

    if (m == null)

    throw new CantFindRechargeOrder("order id:" + order_id);

    String stat = m.get("stat").toString();

    if (stat.equals("1"))

    return true;

    if (stat.equals("0"))

    return false;

    throw new RechargeOrderStatErr(" order.stat:" + order_id + "." + stat);

    // return m.get("stat").toString().equals("1");

    // ormx.tabletype("sql").exist(s).existRzt;

    // false;

    }

     

    public List<Map> query(Map order) {

     

    if (userSvr.isNotLogin()) {

    throw new RuntimeException(" not login 没登录,请先登录..#not_login");

    }

    User u = userSvr.getLoginUser();

     

    return null;

     

    // /...insert

    // return accSvr.reduceAmount(u.id.toString(), needMoney.doubleValue());

     

    }

     

    @Deprecated

    public String query2json(Map order) {

     

    return AtiJson.toJson(query(order));

     

    // /...insert

    // return accSvr.reduceAmount(u.id.toString(), needMoney.doubleValue());

     

    }

     

    }

     

  • 相关阅读:
    Web开发中需要了解的东西
    Javascript:谈谈JS的全局变量跟局部变量
    多角度看.NET面试题
    java http大文件断点续传上传方法
    java http大文件断点续传上传问题
    java http大文件断点续传上传功能
    java http大文件断点续传上传解决方案
    java http大文件断点续传上传实例
    java http大文件断点续传上传示例
    java http大文件断点续传上传源代码
  • 原文地址:https://www.cnblogs.com/attilax/p/15198589.html
Copyright © 2020-2023  润新知