Copyright notice: this is the author's original article and may not be reproduced without the author's permission. https://blog.csdn.net/xiao__jia__jia/article/details/82182319
Shipping address module
Portal: shipping address API:
https://gitee.com/imooccode/happymmallwiki/wikis/%E9%97%A8%E6%88%B7_%E6%94%B6%E8%B4%A7%E5%9C%B0%E5%9D%80%E6%8E%A5%E5%8F%A3?sort_id=9916
Object binding in SpringMVC data binding
SpringMVC binds the request parameters to the Shipping object by field name, so the controller receives a populated Shipping without reading each parameter by hand. The caller's user id is never taken from the request: it comes from the logged-in user stored in the session. Because the whole object is bound, a client can also submit id and userId; the service overwrites userId with the session user's id, and a @InitBinder that calls WebDataBinder.setDisallowedFields("id", "userId") can refuse those two fields at binding time.
@RequestMapping("add.do")
@ResponseBody
public ServerResponse add(HttpSession session, Shipping shipping) {
    // The caller's identity comes from the session, never from a request parameter
    User user = (User) session.getAttribute(Const.CURRENT_USER);
    if (user == null) {
        return ServerResponse.createByErrorCodeMessage(ResponseCode.NEED_LOGIN.getCode(), ResponseCode.NEED_LOGIN.getDesc());
    }
    // The service binds the new address to the logged-in user's id
    return iShippingService.add(user.getId(), shipping);
}
MyBatis auto-generated primary key: configuration and use
<!-- useGeneratedKeys + keyProperty: after the insert, MyBatis writes the auto-increment id back into shipping.id -->
<insert id="insert" parameterType="com.mmall.pojo.Shipping" useGeneratedKeys="true" keyProperty="id">
    insert into mmall_shipping (id, user_id, receiver_name,
        receiver_phone, receiver_mobile, receiver_province,
        receiver_city, receiver_district, receiver_address,
        receiver_zip, create_time, update_time
    )
    values (#{id,jdbcType=INTEGER}, #{userId,jdbcType=INTEGER}, #{receiverName,jdbcType=VARCHAR},
        #{receiverPhone,jdbcType=VARCHAR}, #{receiverMobile,jdbcType=VARCHAR}, #{receiverProvince,jdbcType=VARCHAR},
        #{receiverCity,jdbcType=VARCHAR}, #{receiverDistrict,jdbcType=VARCHAR}, #{receiverAddress,jdbcType=VARCHAR},
        #{receiverZip,jdbcType=VARCHAR}, now(), now()
    )
</insert>
Returning the primary key id of the newly inserted object
public ServerResponse add(Integer userId, Shipping shipping) {
    // Overwrite whatever userId the client may have submitted with the session user's id
    shipping.setUserId(userId);
    int rowCount = shippingMapper.insert(shipping);
    if (rowCount > 0) {
        // useGeneratedKeys/keyProperty="id" has filled shipping.getId() with the new primary key
        Map<String, Integer> result = Maps.newHashMap();
        result.put("shippingId", shipping.getId());
        return ServerResponse.createBySuccess("Address created successfully", result);
    }
    return ServerResponse.createByErrorMessage("Failed to create address");
}
How to prevent horizontal privilege escalation (IDOR)
Because shippingId and userId are not bound together in the delete, horizontal privilege escalation is possible: once a user has passed login authentication, the shippingId parameter is fully under that user's control, so by changing it they can delete another user's address.
public ServerResponse<String> del(Integer userId, Integer shippingId) {
    // Vulnerable: userId is accepted but never used, so any logged-in user can delete any id
    int resultCount = shippingMapper.deleteByPrimaryKey(shippingId);
    if (resultCount > 0) {
        return ServerResponse.createBySuccessMessage("Address deleted successfully");
    }
    return ServerResponse.createByErrorMessage("Failed to delete address");
}
<delete id="deleteByPrimaryKey" parameterType="java.lang.Integer">
    delete from mmall_shipping
    where id = #{id,jdbcType=INTEGER}
</delete>
It must be changed so that the delete is scoped to the owner: the row is only removed when both the address id and the logged-in user's id match, and a request for someone else's address affects zero rows.
<delete id="deleteByShippingIdUserId" parameterType="map">
    DELETE FROM mmall_shipping
    where id = #{shippingId}
    and user_id = #{userId}
</delete>
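To show the difference end to end, here is an added, self-contained Java example (not code from the original post or the mmall project). An in-memory map stands in for the mmall_shipping table, and two static methods mirror the two mapper statements above: the original deleteByPrimaryKey and the corrected deleteByShippingIdUserId. The sample rows, the user ids 100 and 200, and the class and method names are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not the original post's code. Simulates the horizontal
// privilege escalation in the shipping-address delete and its fix.
public class ShippingIdorDemo {

    // Constructed sample table: shipping id -> owning user_id
    static Map<Integer, Integer> newTable() {
        Map<Integer, Integer> table = new HashMap<>();
        table.put(1, 100); // address 1 belongs to user 100
        table.put(2, 200); // address 2 belongs to user 200
        return table;
    }

    // Mirrors: delete from mmall_shipping where id = #{id}
    // Returns the number of rows affected, like a MyBatis delete.
    static int deleteByPrimaryKey(Map<Integer, Integer> table, Integer shippingId) {
        return table.remove(shippingId) != null ? 1 : 0;
    }

    // Mirrors: DELETE FROM mmall_shipping where id = #{shippingId} and user_id = #{userId}
    // The row is removed only when it belongs to the caller; otherwise 0 rows.
    static int deleteByShippingIdUserId(Map<Integer, Integer> table, Integer userId, Integer shippingId) {
        Integer owner = table.get(shippingId);
        if (owner != null && owner.equals(userId)) {
            table.remove(shippingId);
            return 1;
        }
        return 0;
    }

    // Vulnerable service: userId is accepted but never reaches the query
    static boolean delVulnerable(Map<Integer, Integer> table, Integer userId, Integer shippingId) {
        return deleteByPrimaryKey(table, shippingId) > 0;
    }

    // Hardened service: ownership is enforced inside the query itself,
    // so there is no separate "read then check" step that can be skipped
    static boolean delHardened(Map<Integer, Integer> table, Integer userId, Integer shippingId) {
        int rowCount = deleteByShippingIdUserId(table, userId, shippingId);
        // 0 rows covers both "no such address" and "not your address";
        // report them identically so ids of other users cannot be probed
        return rowCount > 0;
    }

    public static void main(String[] args) {
        // Attacker is logged in as user 200 and submits shippingId=1, owned by user 100
        Map<Integer, Integer> vulnerableTable = newTable();
        boolean attackerWon = delVulnerable(vulnerableTable, 200, 1);
        System.out.println("vulnerable delete: attacker removed address 1 = " + attackerWon
                + ", address 1 still present = " + vulnerableTable.containsKey(1));

        Map<Integer, Integer> hardenedTable = newTable();
        boolean attackerBlocked = !delHardened(hardenedTable, 200, 1);
        System.out.println("hardened delete: attacker blocked = " + attackerBlocked
                + ", address 1 still present = " + hardenedTable.containsKey(1));

        // The legitimate owner can still delete their own address
        boolean ownerOk = delHardened(hardenedTable, 100, 1);
        System.out.println("hardened delete: owner removed address 1 = " + ownerOk
                + ", address 1 still present = " + hardenedTable.containsKey(1));
    }
}
```

In the real project the mapper interface method behind the corrected statement would take both ids, for example `int deleteByShippingIdUserId(@Param("userId") Integer userId, @Param("shippingId") Integer shippingId);` (an assumed signature; with @Param, MyBatis exposes the arguments under those names, which is what `#{shippingId}` and `#{userId}` in the XML refer to). The same "scope every query by user_id" rule should be applied to the update and select-by-id operations of the module, since a per-row ownership check that lives only in the delete leaves the other operations open to the same substitution.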