Teaching you how to handle interviews (Web knowledge)

This article explains some of the web knowledge that comes up in JavaWeb job interviews. Of course, knowing this content alone is not enough; you also need to master other areas. I have organized it according to my own experience so that everyone can study systematically. Only by reviewing and researching more can you get a better grasp of the technology and a better offer.

The following are my articles on other knowledge points; you are welcome to browse them:

The essence of Spring: https://blog.csdn.net/cs_hnu_scw/article/details/78677502

The essence of Hibernate: https://blog.csdn.net/cs_hnu_scw/article/details/78762294

Java Basics: https://blog.csdn.net/Cs_hnu_scw/article/details/79635874

Data structure: https://blog.csdn.net/Cs_hnu_scw/article/details/79896717

Database: https://blog.csdn.net/Cs_hnu_scw/article/details/79896384

Operating system: https://blog.csdn.net/Cs_hnu_scw/article/details/79896500

Computer Network: https://blog.csdn.net/Cs_hnu_scw/article/details/79896621

Other knowledge: https://blog.csdn.net/Cs_hnu_scw/article/details/79896876

1: What are the ways to obtain connection pools in Spring?

Answer: (1) DBCP data source

(2) C3P0 data source

(3) Spring's data source implementation class (DriverManagerDataSource)

(4) Get the JNDI data source

(5) Druid data source (open-sourced by Alibaba)

For details, please refer to this blog post which is very well written

2: What is the difference between forward and redirect?

Answer: (1) Address bar: with forward it stays unchanged, while with redirect it changes

Forward is handled by the server requesting the resource: the server directly accesses the URL of the target address, reads the response content of that URL, and then sends the content to the browser. The browser does not know where the content sent by the server comes from, so its address bar still shows the original address.
With redirect, the server sends a status code according to its logic, telling the browser to request the new address. So the address bar displays the new URL.

(2) Data sharing: the former is shared, while the latter cannot be shared

forward: The forwarding page and the page forwarded to can share the data in the request.
redirect: The data cannot be shared.

(3) The way it happens: the former happens on the server side, while the latter happens on the client side

(4) Application scenarios: forward: generally used when the user logs in, forward to the corresponding module according to the role.
redirect: generally used for returning to the main page and jumping to other websites when the user logs out and logs in.

(5) Efficiency: the former has high efficiency, while the latter has low efficiency

Note: redirect defaults to 302 code, including two requests and two responses

3: What is the difference between HTTP return codes 301 and 302?

Answer: Common point: both are status codes returned for redirection

The difference: 301 represents a permanent move, while 302 is a temporary move, and URL hijacking will occur; try to use 301 instead of 302

4: What is the difference between PreparedStatement and Statement?

Answer: (1) PreparedStatement extends the Statement interface; both are interfaces;

(2) PreparedStatement can be precompiled using placeholders, but Statement cannot, and its SQL has to be processed again every time a statement is executed;

(3) PreparedStatement is more secure because it can prevent SQL injection

(4) PreparedStatement executes faster for repeatedly executed statements, and is more efficient than Statement for batch processing

(5) PreparedStatement code is more maintainable and readable

A little extra knowledge: CallableStatement, which extends PreparedStatement, is mainly used to call stored procedures in the database;

5: What is the difference between static Include and dynamic Include in JSP?

Answer: (1) Dynamic include is written as <jsp:include page="hello.jsp"/>, and static include is written as <%@ include file="hello.html"%>

(2) With dynamic include, the pages can contain variables with the same name, while with static include they cannot

(3) Dynamic include first compiles each JSP separately and then includes them together when used, that is, compile first and then include; static include first includes everything together and then compiles it as a whole, that is, include first and then compile

(4) If the included pages are frequently updated, dynamic inclusion should be used, because static inclusion may not be updated in time;

(5) Static include is implemented by pseudocode, which does not check file changes, and is suitable for static pages;

6: What are the built-in objects of JSP? What are the functions?

Answer: There are 9 in total.

(1) The request object of the HttpServletRequest class: represents the request object, which is mainly used to accept the data transmitted from the client to the server through the HTTP protocol link

(2) The response object of the HttpServletResponse class: represents the response object, which is mainly used to send data to the client

(3) The out object of the JspWriter class: mainly used to output data to the client, the base class of the Out class is JspWriter

(4) Session object of HttpSession class: mainly used to save each user information and session state respectively

(5) The application object of the ServletContext class: it is mainly used to save data that is public across the whole application. It is a shared built-in object, that is, multiple users in a container share one application object to read and write. As long as the server is not shut down, the application object continues to exist

(6) The pageContext object of the PageContext class: manages the properties of the web page and represents the context of the page. The creation and initialization of the pageContext object is done automatically by the container.

(7) The config object of the ServletConfig class: the code fragment configuration object, which is used to initialize the configuration parameters of the Servlet.

(8) The page object of the Object class: represents the currently running JSP page, that is, the page object represents the Servlet compiled from the JSP. The page object can only be used within the current JSP template.

(9) exception object: It handles errors and exceptions that occur when the JSP file is executed, and can only be used in the error page;

7: Basic action instructions and functions in JSP?

Answer: (1) jsp:include: Include a file when the page is requested

(2) jsp:useBean: Find or instantiate a JavaBean

(3) jsp:setProperty: Set the properties of a JavaBean

(4) jsp:getProperty: Output the properties of a JavaBean

(5) jsp:forward: Transfer the request to a new page

(6) jsp:plugin: Generate object or embed tags for Java plugins according to browser type

8: What are the transaction propagation features and isolation levels of Spring?

Answer: The transaction propagation characteristics are mainly divided into 7 categories:

PROPAGATION_REQUIRED -- support the current transaction, if there is no current transaction, create a new transaction. This is the most common choice.
PROPAGATION_SUPPORTS -- support current transaction, if there is no current transaction, execute in non-transactional mode.
PROPAGATION_MANDATORY -- support the current transaction, throw an exception if there is no current transaction.
PROPAGATION_REQUIRES_NEW -- Create a new transaction. If there is a current transaction, suspend the current transaction.
PROPAGATION_NOT_SUPPORTED -- Execute the operation in a non-transactional manner, suspending the current transaction if there is one.
PROPAGATION_NEVER -- Execute non-transactionally, throw an exception if there is currently a transaction.
PROPAGATION_NESTED -- Execute inside a nested transaction if a transaction currently exists. If there are no current transactions, do something similar to PROPAGATION_REQUIRED.

Isolation levels are mainly divided into 4 categories:

1. Unauthorized read (Read Uncommitted): Also known as uncommitted read. Dirty reads are allowed but lost updates are not. If one transaction has already started to write data, another transaction is not allowed to write at the same time, but other transactions are allowed to read this row of data. This isolation level can be achieved through "exclusive write locks". It is the lowest level of transaction isolation and only guarantees that physically corrupted data is not read. In contrast to the READ COMMITTED isolation level, it allows reading of data that has been modified by other users but has not yet been committed.
2. Authorized read (Read Committed): also known as committed read. Non-repeatable reads are allowed but dirty reads are not allowed. This can be achieved through "instantaneous shared read locks" and "exclusive write locks". Transactions that read data allow other transactions to continue to access the row of data, but uncommitted write transactions will prevent other transactions from accessing the row. SQL Server default level. Under this isolation level, the SELECT command will not return uncommitted data, nor can it return dirty data.
3. Repeatable Read: Non-repeatable and dirty reads are prohibited. But sometimes phantom data can occur, which can be achieved through "shared read locks" and "exclusive write locks", where a read data transaction will prohibit a write transaction (but a read transaction is allowed), and a write transaction will prohibit any other transaction. Under this isolation level, the data read with the SELECT command will not be changed throughout the execution of the command. This option will affect the performance of the system, it is best not to use this isolation level if it is not necessary.
4. Serial (Serializable): Also known as serializable read. Provides strict transaction isolation, which requires serialization of transactions, and transactions can only be executed one after the other, but not concurrently. If transaction serialization cannot be achieved only through "row-level locks", other mechanisms must be used to ensure that newly inserted data will not be accessed by the transaction that just executed the query operation. The highest level of transaction isolation, complete isolation between transactions. Any concurrent overlapping transactions are guaranteed to be serial if the transaction runs at the serializable read isolation level.


Tips:

(1) About dirty reads, non-repeatable reads, and phantom reads that occur when operating on a database

Dirty read: a transaction is accessing data and has modified it, but the modification has not yet been committed to the database. At this time, another transaction also accesses the data and then uses it.
Non-repeatable read: refers to reading the same data multiple times within a transaction. Before this transaction ends, another transaction also accesses the same data. Then, between the two reads in the first transaction, because of the modification made by the second transaction, the data read twice by the first transaction may be different. The data read twice within one transaction differs, so it is called a non-repeatable read.

Phantom read: refers to a phenomenon that occurs when transactions are not executed independently. For example, the first transaction modifies data in a table, and this modification involves all data rows in the table. At the same time, the second transaction also modifies the data in this table by inserting a new row. Then the user who operates the first transaction later finds that there are still unmodified data rows in the table, as if a hallucination had occurred.

The point of non-repeatable read is modification: under the same condition, you read data you have already read once more and find that the value is different.
The point of phantom read is addition or deletion: under the same condition, the number of records returned by the first and second reads is different.

(2) Q: After Mysql5.6 (Innodb), how does the database itself solve the phantom reading problem?

Answer: First of all, the default isolation level of the InnoDB engine is repeatable read, so it can solve the problems of dirty reads and non-repeatable reads, but it cannot solve the problem of phantom reads. However, InnoDB itself provides a mechanism to solve this phantom read problem, namely the Next-Key lock method, which is actually a locking mechanism; the specific process is as follows:

9: What fields do the headers of request and response in Http contain?

Answer: https://blog.csdn.net/selinda001/article/details/79338766

10: What are some optimization methods for high concurrency processing of JavaWeb?

Answer: High concurrency can be divided into user volume concurrency and data concurrency

The solution to the concurrency of users can be considered from the following aspects:

(1) Web page static (pure HTML): mainly to improve response speed and improve security and stability (because it is not easy to be attacked);

(2) Image server separation: mainly to reduce the pressure on the server. For example, lazyload.js in jQuery can realize such a lazy loading method.

(3) Ajax request: mainly does not require the page to be refreshed to obtain

(4) Load balancing of the server: mainly to reduce the pressure on the server, which can be done through Nginx reverse proxy;


(5) Database cluster: mainly to reduce the pressure on the database, here mainly through the master/slave (master-slave) database;

(6) Use the cache server to cache data: mainly for caching frequently queried content, here mainly through redis;

For data concurrency, the following aspects can be considered:

(1) Use the synchronized mechanism on methods

(2) Transaction isolation level through spring: mainly use four

(3) Through the locking mechanism of the database: table lock and row lock

(4) Through pessimistic locking and optimistic locking

11: Knowledge points about web security

Answer: (1) SQL injection: It mainly occurs in the username and password scenario of logging in to the system, and the problem is caused by building SQL through string splicing. Therefore, the SQL can be handled with precompiled (prepared) statements;

(2) Password security: if passwords are stored in plain text, then when the data is leaked it is easy to steal user passwords, so they can be encrypted with MD5, or with SHA plus a salt value;

(3) Cookie security: mainly, the locally stored cookie value of the corresponding system can be checked for and modified in order to log in to the system directly. Therefore, the cookie value can be encrypted for security before it is saved;

(4) XSS (cross-site scripting attack): mainly, script content is written into the page and is then parsed as script when the page is parsed; this usually occurs in features such as comment areas. Therefore, it can be prevented by filtering out illegal characters or by escaping characters;

(5) CSRF (Cross-Site Request Forgery): The attacker can forge requests in the victim's name and send them to the attacked site without the victim's knowledge, so that operations under permission protection are performed without authorization. For example, a user visits a transfer web page (submitted via GET) and then visits an illegal link (this link happens to point to the transfer web page, so another transfer occurs after clicking, but the victim does not know). In response to this situation, you can check the HTTP Referer field (a field in the HTTP request header used to determine the source address of the link to the page), add token verification to the request,

You can refer to the CSRF attack content of this article: https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/

(6) SYN attack: mainly because TCP is a fully connection-based protocol, and a SYN attack sends a large number of half-open connection requests, consuming CPU and system resources and causing the server to crash; therefore, a verification code can be used for prevention;


You can refer to this article: https://blog.csdn.net/willie_chen/article/details/50381173

12: Please talk about the basic operation process of JDBC

Answer:

    1) Load (register) the database driver (into the JVM). -------Class.forName("com.mysql.jdbc.Driver");
    2) Establish (obtain) the database connection. ---------Connection con = DriverManager.getConnection(url, username, password);
    3) Create (get) the database operation object. ------------Statement st = con.createStatement();
    4) Define the SQL statement for the operation. -------------String sql = "select * from student";
    5) Perform the database operation. ---------------ResultSet rst = st.executeQuery(sql);
    6) Get and operate on the result set. ---------while (rst.next()) { operate }
    7) Close the objects and release database resources (close the result set --> close the database operation object --> close the connection). ----rst.close(); st.close(); con.close();
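The steps above, combined with the PreparedStatement points from question 4 and the SQL injection item from question 11, as one added example (not code from the original article): the spliced Statement form next to the parameterized form, with try-with-resources doing the step 7 cleanup. It assumes a JDBC driver on the classpath, a test database passed as arguments, and a `name` column on the `student` table; the class and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class StudentLookup {
    // Vulnerable form: the input is spliced into the SQL text, so quote characters
    // in it become part of the statement and can rewrite the WHERE clause.
    static int countSpliced(Connection con, String name) throws SQLException {
        String sql = "select count(*) from student where name = '" + name + "'";
        try (Statement st = con.createStatement();
             ResultSet rst = st.executeQuery(sql)) {
            rst.next();
            return rst.getInt(1);
        }
    }

    // Hardened form: the statement is prepared with a placeholder and the input is
    // bound as a value, so it is only ever compared against the name column.
    static int countBound(Connection con, String name) throws SQLException {
        String sql = "select count(*) from student where name = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rst = ps.executeQuery()) {
                rst.next();
                return rst.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // args: JDBC URL, user, password of a test database (assumed).
        // JDBC 4 drivers on the classpath register themselves, so step 1 is implicit.
        String input = "x' OR '1'='1"; // constructed sample input
        try (Connection con = DriverManager.getConnection(args[0], args[1], args[2])) {
            System.out.println("spliced: " + countSpliced(con, input));
            System.out.println("bound:   " + countBound(con, input));
        } // resources are closed in reverse order: result set, statement, connection
    }
}
```

With the sample input, the spliced query counts every row in the table, while the bound query counts only rows whose name equals that literal string.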

13:
