diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
index 70522a37fe..9b3e3ff109 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
@@ -75,7 +75,7 @@ public class HammerHead extends HttpServlet {
 /**
 * Description of the Field
 */
- protected static SimpleDateFormat httpDateFormat;
+ private static SimpleDateFormat httpDateFormat;
 /**
 * Set the session timeout to be 2 days
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
index 391edbeab7..298cc97ebc 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
@@ -27,6 +27,7 @@
 import java.io.StringReader;
 import java.net.HttpURLConnection;
 import java.net.URL;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
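Review bot: Narrowing `httpDateFormat` to `private` does not address the real problem with this field: a `static SimpleDateFormat` in an `HttpServlet` is shared by every request thread, and `SimpleDateFormat` is not thread-safe, so concurrent `format`/`parse` calls on it can return corrupted output or throw. Its uses are outside this hunk, but if any of them run per request the field should become a thread-safe formatter (on Java 8+, `private static final DateTimeFormatter HTTP_DATE_FORMAT = DateTimeFormatter.RFC_1123_DATE_TIME;`) or at least be wrapped in a `ThreadLocal<SimpleDateFormat>`. It also remains non-`final`, so nothing stops the reference from being reassigned at runtime.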
@@ -724,11 +725,13 @@ public boolean isAuthorized(WebSession s, String role, String functionId) {
 logger.info("Checking if " + role + " authorized for: " + functionId);
 boolean authorized = false;
 try {
- String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'";
+ String query = "SELECT * FROM auth WHERE role = ? and functionid = ?";
 try {
- Statement answer_statement = WebSession.getConnection(s)
- .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
- ResultSet answer_results = answer_statement.executeQuery(query);
+ PreparedStatement prepared_statement = WebSession.getConnection(s)
+ .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+ prepared_statement.setString(1, role);
+ prepared_statement.setString(2, functionId);
+ ResultSet answer_results = prepared_statement.executeQuery();
 authorized = answer_results.first();
 logger.info("authorized: " + authorized);
 } catch (SQLException sqle) {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
index 0d6ceef2f1..e4d2b01e4a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
@@ -2,6 +2,7 @@
 package org.owasp.webgoat.session;
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.SQLException;
 import java.sql.Statement;
 import org.owasp.webgoat.lessons.AbstractLesson;
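Review bot: The new `prepared_statement` and its `ResultSet` in `isAuthorized` are never closed in the hunk — no `close()` or try-with-resources is visible, and the statement is a local of the inner `try`, so every authorization check leaks a statement handle on the session connection unless something outside the hunk closes it (the method continues past the hunk). The parameterization itself is correct; if the project builds on Java 7+, the same code in try-with-resources form also covers the exception path. Separately, the first `logger.info` line still writes the raw `role` and `functionId` values into the log, so if those originate from the request they should be sanitized before logging.
```java
        try (PreparedStatement prepared_statement = WebSession.getConnection(s)
                .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
            prepared_statement.setString(1, role);
            prepared_statement.setString(2, functionId);
            try (ResultSet answer_results = prepared_statement.executeQuery()) {
                authorized = answer_results.first();
            }
            logger.info("authorized: " + authorized);
        } catch (SQLException sqle) {
```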
@@ -956,12 +957,12 @@ private void createOwnershipTable(Connection connection) throws SQLException
 private void createTransactionTable(Connection connection) throws SQLException
 {
- Statement statement = connection.createStatement();
 try
 {
 String dropTable = "DROP TABLE transactions";
- statement.executeUpdate(dropTable);
+ PreparedStatement prepared_statement = connection.prepareStatement(dropTable);
+ prepared_statement.execute();
 }
 catch (SQLException e)
 {
 System.out.println("Info - Could not drop transactions table");
@@ -974,7 +975,8 @@ private void createTransactionTable(Connection connection) throws SQLException
 + "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, " + "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")";
- statement.executeUpdate(createTable);
+ PreparedStatement prepared_statement = connection.prepareStatement(createTable);
+ prepared_statement.execute();
 }
 catch (SQLException e)
 {
 System.out.println("Error: unable to create transactions table: " + e.getLocalizedMessage());
@@ -995,7 +997,9 @@ private void createTransactionTable(Connection connection) throws SQLException
 {
 for (int i = 0; i < data.length; i++)
 {
- statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");");
+ PreparedStatement prepared_statement = connection.prepareStatement("INSERT INTO Transactions VALUES (?);");
+ prepared_statement.setString(1, data[i]);
+ prepared_statement.execute();
 }
 }
 catch (SQLException sqle)
 {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
index 79b56858c0..95ef2c229b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
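Review bot: Replacing the shared `Statement` with `connection.prepareStatement(dropTable)` gains nothing here — `DROP TABLE transactions` is a constant with no parameters, so there is no injection surface to close — while the new `prepared_statement` is never closed, and the same pattern repeats for the CREATE in the next hunk. If the goal is to retire `createStatement` uniformly, each DDL statement should at least be scoped with try-with-resources: `try (PreparedStatement prepared_statement = connection.prepareStatement(dropTable)) { prepared_statement.execute(); }`. `createTransactionTable` begins in this hunk and continues past the last hunk of this file.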
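Review bot: `INSERT INTO Transactions VALUES (?);` with `setString(1, data[i])` binds an entire row as one string value, but the table created in the previous hunk has several NOT NULL columns (`to_account`, `transactionDate`, `description`, `amount` are visible in it), so each insert should fail with a column-count or type error that the `catch (SQLException sqle)` block swallows — the seed rows would no longer load. `data` is declared in this method outside the hunk and, judging by `data[i]` being spliced as a whole tuple, is a fixed array rather than user input, so the original concatenation was not an injection risk; the correct change is either to keep `statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");")` or to split each row into its column values and bind one `?` per column. Whichever is kept, close the statement (try-with-resources) rather than creating an unclosed one per iteration.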
@@ -9,6 +9,8 @@
 import java.sql.SQLException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Properties;
+
 import org.apache.ecs.MultiPartElement;
 import org.apache.ecs.html.B;
 import org.apache.ecs.html.TD;
@@ -131,7 +133,10 @@ private static Connection getHsqldbConnection(String user, WebgoatContext contex
 SQLException
 {
 String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
- return DriverManager.getConnection(url, "sa", "");
+ Properties props = new Properties();
+ props.setProperty("user","sa");
+ props.setProperty("password","");
+ return DriverManager.getConnection(url, props);
 }
 /**
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java
index 40bc3a6d18..7e508e6e41 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java
@@ -50,7 +50,7 @@ public abstract class Screen {
 /**
 * Description of the Field
 */
- public static int MAIN_SIZE = 375;
+ public static final int MAIN_SIZE = 375;
 // private Head head;
 private Element content;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java
index 25867223ca..7105104224 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java
@@ -3,6 +3,7 @@
 import java.sql.*;
 import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.Properties;
 import java.io.File;
 class UserDatabase {
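Review bot: Moving `"sa"` and `""` into a `Properties` object in `getHsqldbConnection` changes nothing about the security posture: the HSQLDB administrative account with an empty password is still hard-coded and still used for every lesson connection, and any scanner that flagged the three-argument `getConnection` call will flag the property values just the same. If the aim is to remove the hard-coded credential, source it from the same `WebgoatContext` that already supplies the connection string, or from configuration, and keep `sa`/empty only as a documented fallback. The `replaceAll("\\$\\{USER\\}", user)` on the line above is also worth a look: `user` is spliced into the JDBC URL unvalidated, so if it can come from the login name it should be restricted to a plain identifier before use, and in any case passed through `Matcher.quoteReplacement(user)` because `replaceAll` interprets `$` and `\` in the replacement.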
@@ -18,7 +19,7 @@ class UserDatabase {
 private final String QUERY_ALL_USERS = "SELECT username FROM users;";
 private final String QUERY_ALL_ROLES_FOR_USERNAME = "SELECT rolename FROM roles, user_roles, users WHERE roles.id = user_roles.role_id AND user_roles.user_id = users.id AND users.username = ?;";
- private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM table;";
+ private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM ?;";
 private final String DELETE_ALL_ROLES_FOR_USER = "DELETE FROM user_roles WHERE user_id IN (SELECT id FROM users WHERE username = ?);";
 private final String DELETE_USER = "DELETE FROM users WHERE username = ?;";
@@ -48,7 +49,10 @@ public boolean open() {
 try {
 if (userDB == null || userDB.isClosed()) {
 Class.forName("org.h2.Driver");
- userDB = DriverManager.getConnection(USER_DB_URI, "webgoat_admin", "");
+ Properties props = new Properties();
+ props.setProperty("user","webgoat_admin");
+ props.setProperty("password","");
+ userDB = DriverManager.getConnection(USER_DB_URI, props);
 }
 } catch (SQLException e) {
 e.printStackTrace();
@@ -86,13 +90,14 @@ public int getTableCount(String tableName) {
 int count = 0;
 try {
 open();
- Statement statement = userDB.createStatement();
- ResultSet countResult = statement.executeQuery(QUERY_TABLE_COUNT.replace("table", tableName));
+ PreparedStatement prepared_statement = userDB.prepareStatement(QUERY_TABLE_COUNT);
+ prepared_statement.setString(1, tableName);
+ ResultSet countResult = prepared_statement.executeQuery();
 if (countResult.next()) {
 count = countResult.getInt("count");
 }
 countResult.close();
- statement.close();
+ prepared_statement.close();
 close();
 } catch (SQLException e) {
 e.printStackTrace();
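Review bot: `SELECT count(id) AS count FROM ?;` is not a usable statement — JDBC placeholders bind values, never identifiers, so H2 will reject `prepareStatement(QUERY_TABLE_COUNT)` at parse time (or, at best, `setString` would yield `FROM 'users'`, a string literal), and the only caller visible here, `getTableCount`, would then always return 0 through its catch block. A dynamic table name is made safe by validating it before splicing, not by binding it: keep the constant as `"SELECT count(id) AS count FROM table;"` and guard the splice with `if (!tableName.matches("[A-Za-z_][A-Za-z0-9_]*")) throw new IllegalArgumentException("Invalid table name: " + tableName);`, or map the handful of known table names to fixed queries. Whether `tableName` is ever user-controlled cannot be told from this file section; its callers are outside the hunk.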
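Review bot: In `getTableCount`, `prepared_statement.close()` and `close()` are only reached on the success path; when `prepareStatement`, `setString` or `executeQuery` throws, the catch block just prints the stack trace and both the statement and the shared `userDB` connection stay open, and the method continues past the hunk. The `?` table-name bind will also not work (placeholders cannot stand for identifiers), so the rewrite below validates the name and splices it into the old `FROM table;` form, puts the statement and result set in try-with-resources, and moves `close()` into a `finally`; `e.printStackTrace()` should become a call to the logger the rest of the application uses.
```java
    public int getTableCount(String tableName) {
        // '?' cannot bind an identifier; accept only a plain SQL identifier before splicing it in
        if (!tableName.matches("[A-Za-z_][A-Za-z0-9_]*")) {
            throw new IllegalArgumentException("Invalid table name: " + tableName);
        }
        int count = 0;
        try {
            open();
            try (Statement statement = userDB.createStatement();
                 ResultSet countResult = statement.executeQuery(QUERY_TABLE_COUNT.replace("table", tableName))) {
                if (countResult.next()) {
                    count = countResult.getInt("count");
                }
            }
        } catch (SQLException e) {
            // … unchanged: error handling …
        } finally {
            close();
        }
```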