Tugas Secure Programming

webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java

@@ -75,7 +75,7 @@ public class HammerHead extends HttpServlet {
     /**
      * Description of the Field
      */
-    protected static SimpleDateFormat httpDateFormat;
+    private static SimpleDateFormat httpDateFormat;
 
     /**
      * Set the session timeout to be 2 days

webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -724,12 +724,14 @@ public boolean isAuthorized(WebSession s, String role, String functionId) {
         logger.info("Checking if " + role + " authorized for: " + functionId);
         boolean authorized = false;
         try {
-            String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'";
-            try {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                authorized = answer_results.first();
+            String query = "SELECT * FROM auth WHERE role = ? and functionid = ?";
+        	try {
+                PreparedStatement prepared_query = WebSession.getConnection(s)
+        				.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+        		prepared_query.setString(1, role);
+        		prepared_query.setString(2, functionId);
+                ResultSet answer_results = prepared_query.executeQuery();
+        		authorized = answer_results.first();
                 logger.info("authorized: " + authorized);
             } catch (SQLException sqle) {
                 s.setMessage("Error authorizing");

webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java

@@ -50,7 +50,7 @@ public abstract class Screen {
     /**
      * Description of the Field
      */
-    public static int MAIN_SIZE = 375;
+    public static final int MAIN_SIZE = 375;
 
     // private Head head;
     private Element content;

webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java

@@ -18,7 +18,7 @@ class UserDatabase {
 
     private final String QUERY_ALL_USERS = "SELECT username FROM users;";
     private final String QUERY_ALL_ROLES_FOR_USERNAME = "SELECT rolename FROM roles, user_roles, users WHERE roles.id = user_roles.role_id AND user_roles.user_id = users.id AND users.username = ?;";
-    private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM table;";
+    private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM ?;";
 
     private final String DELETE_ALL_ROLES_FOR_USER = "DELETE FROM user_roles WHERE user_id IN (SELECT id FROM users WHERE username = ?);";
     private final String DELETE_USER = "DELETE FROM users WHERE username = ?;";
@@ -86,13 +86,14 @@ public int getTableCount(String tableName) {
         int count = 0;
         try {
             open();
-            Statement statement = userDB.createStatement();
-            ResultSet countResult = statement.executeQuery(QUERY_TABLE_COUNT.replace("table", tableName));
+            PreparedStatement prepared_tableName = userDB.prepareStatement(QUERY_TABLE_COUNT);
+            prepared_tableName.setString(1, tableName);
+            ResultSet countResult = prepared_tableName.executeQuery();
             if (countResult.next()) {
                 count = countResult.getInt("count");
             }
             countResult.close();
-            statement.close();
+            prepared_tableName.close();
             close();
         } catch (SQLException e) {
             e.printStackTrace();