diff --git a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java b/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
index 51df35ed..3a516a46 100644
--- a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ b/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -36,15 +36,21 @@ public void execute(String blabberUsername) {
 sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
 Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+logger.info(sqlQuery);
+sqlStatement2.setString(1, blabberUsername);
+ResultSet result = sqlStatement2.executeQuery();
 result.next();
 /* START BAD CODE */
- String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
- sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
- logger.info(sqlQuery);
- sqlStatement.execute(sqlQuery);
+String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
+sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
+logger.info(sqlQuery);
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+sqlStatement2.setString(1, username);
+sqlStatement2.setString(2, event);
+sqlStatement2.execute();
 /* END BAD CODE */
 } catch (SQLException e) {
 // TODO Auto-generated catch block
diff --git a/src/main/java/com/veracode/verademo/commands/ListenCommand.java b/src/main/java/com/veracode/verademo/commands/ListenCommand.java
index e80a48b4..953bf5cd 100644
--- a/src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ b/src/main/java/com/veracode/verademo/commands/ListenCommand.java
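Review bot: `PreparedStatement sqlStatement2` is declared twice inside the same try block (once for the SELECT, again for the INSERT), which will not compile; reuse the variable for the second statement (`sqlStatement2 = connect.prepareStatement(sqlQuery);`) or give it a distinct name, and close the first statement before reassigning. The same duplicate declaration appears in the ListenCommand hunk and three times over in the RemoveAccountCommand hunk, which also keeps and logs the old concatenated DELETE string on its unchanged lines. Here the unchanged first context line still concatenates blabberUsername into the old `SELECT ... username = '...'` string that is only overwritten, and `Statement sqlStatement` is now unused; both should be removed. Neither the prepared statements nor the result set are closed, and `result.next()` is not checked before `result.getString(1)`. execute() starts before the hunk and its catch block continues past it; if PreparedStatement is not already imported in these files, that import is also missing from the patch.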
@@ -36,15 +36,21 @@ public void execute(String blabberUsername) {
 sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
 Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+logger.info(sqlQuery);
+sqlStatement2.setString(1, blabberUsername);
+ResultSet result = sqlStatement2.executeQuery();
 result.next();
 /* START BAD CODE -----*/
- String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
- sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
- logger.info(sqlQuery);
- sqlStatement.execute(sqlQuery);
+String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
+sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
+logger.info(sqlQuery);
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+sqlStatement2.setString(1, username);
+sqlStatement2.setString(2, event);
+sqlStatement2.execute();
 /* END BAD CODE */
 } catch (SQLException e) {
 // TODO Auto-generated catch block
diff --git a/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java b/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
index c2211f46..b3379a2c 100644
--- a/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ b/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -36,19 +36,29 @@ public void execute(String blabberUsername) {
 sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
 Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+logger.info(sqlQuery);
+sqlStatement2.setString(1, blabberUsername);
+ResultSet result = sqlStatement2.executeQuery();
 result.next();
 /* START BAD CODE ------*/
- String event = "Removed account for blabber " + result.getString(1);
- sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
- logger.info(sqlQuery);
- sqlStatement.execute(sqlQuery);
+String event = "Removed account for blabber " + result.getString(1);
+ sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
+ logger.info(sqlQuery);
+ PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+ sqlStatement2.setString(1, blabberUsername);
+ sqlStatement2.setString(2, event);
+ sqlStatement2.execute();
 sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
 logger.info(sqlQuery);
- sqlStatement.execute(sqlQuery);
+sqlQuery = "DELETE FROM users WHERE username = ?";
+logger.info(sqlQuery);
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+sqlStatement2.setString(1, blabberUsername);
+sqlStatement2.execute();
 /* END BAD CODE */
 } catch (SQLException e) {
diff --git a/src/main/java/com/veracode/verademo/controller/BlabController.java b/src/main/java/com/veracode/verademo/controller/BlabController.java
index 24012a8f..5f390581 100644
--- a/src/main/java/com/veracode/verademo/controller/BlabController.java
+++ b/src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -467,27 +467,22 @@ public String showBlabbers(
 logger.info("User is Logged In - continuing...");
 Connection connect = null;
- PreparedStatement blabberQuery = null;
-
- /* START BAD CODE */
- String blabbersSql = "SELECT users.username," + " users.blab_name," + " users.created_at,"
- + " SUM(if(listeners.listener=?, 1, 0)) as listeners,"
- + " SUM(if(listeners.status='Active',1,0)) as listening"
- + " FROM users LEFT JOIN listeners ON users.username = listeners.blabber"
- + " WHERE users.username NOT IN (\"admin\",?)" + " GROUP BY users.username" + " ORDER BY " + sort + ";";
-
- try {
- logger.info("Getting Database connection");
- // Get the Database Connection
- Class.forName("com.mysql.jdbc.Driver");
- connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
- // Find the Blabbers
- logger.info(blabbersSql);
- blabberQuery = connect.prepareStatement(blabbersSql);
- blabberQuery.setString(1, username);
- blabberQuery.setString(2, username);
- ResultSet blabbersResults = blabberQuery.executeQuery();
+PreparedStatement blabberQuery = null;
+String blabbersSql = "SELECT users.username, " + " users.blab_name, " + " users.created_at, "
++ " SUM(if(listeners.listener=?, 1, 0)) as listeners, "
++ " SUM(if(listeners.status='Active', 1, 0)) as listening"
++ " FROM users LEFT JOIN listeners ON users.username = listeners.blabber"
++ " WHERE users.username NOT IN (\"admin\", ?)" + " GROUP BY users.username" + " ORDER BY ?;";
+try {
+ logger.info("Getting Database connection");
+ Class.forName("com.mysql.jdbc.Driver");
+ connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+ logger.info(blabbersSql);
+ blabberQuery = connect.prepareStatement(blabbersSql);
+ blabberQuery.setString(1, username);
+ blabberQuery.setString(2, username);
+ blabberQuery.setString(3, sort);
+ ResultSet blabbersResults = blabberQuery.executeQuery();
 /* END BAD CODE */
 List blabbers = new ArrayList();
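Review bot: `ORDER BY ?` with `blabberQuery.setString(3, sort)` does not reproduce the old `" ORDER BY " + sort` behaviour: a bound parameter is sent as a string literal, so with the MySQL driver used here the server orders by a constant and the rows come back effectively unsorted instead of by the requested column. Identifiers cannot be parameterised; validate `sort` against the fixed set of columns this query exposes (username, blab_name, created_at, listeners, listening), fall back to a default such as username otherwise, and concatenate only the validated value. A one-line comment at the concatenation, e.g. `// sort was checked against the known column names above; ORDER BY cannot take a bind parameter`, would explain why that concatenation is safe. showBlabbers starts before the hunk and the try block continues past it.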
diff --git a/src/main/java/com/veracode/verademo/controller/UserController.java b/src/main/java/com/veracode/verademo/controller/UserController.java
index 11844bc4..725ac216 100644
--- a/src/main/java/com/veracode/verademo/controller/UserController.java
+++ b/src/main/java/com/veracode/verademo/controller/UserController.java
@@ -149,22 +149,18 @@ public String processLogin(
 }
 Connection connect = null;
- Statement sqlStatement = null;
-
- try {
- // Get the Database Connection
- logger.info("Creating the Database connection");
- Class.forName("com.mysql.jdbc.Driver");
- connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
- /* START BAD CODE */
- // Execute the query
- logger.info("Creating the Statement");
- String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username='"
- + username + "' and password='" + md5(password) + "';";
- sqlStatement = connect.createStatement();
- logger.info("Execute the Statement");
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+PreparedStatement sqlStatement = null;
+try {
+ logger.info("Creating the Database connection");
+ Class.forName("com.mysql.jdbc.Driver");
+ connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+ logger.info("Creating the Statement");
+ String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username=? and password=?";
+ sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, username);
+ sqlStatement.setString(2, md5(password));
+ logger.info("Execute the Statement");
+ ResultSet result = sqlStatement.executeQuery();
 /* END BAD CODE */
 // Did we find exactly 1 user that matched?
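Review bot: The login query still matches on `password=?` bound to `md5(password)`, so authentication depends on an unsalted fast digest stored in the users table; the parameterisation removes the injection but leaves the credential check as it was. Select the row by username only and verify the submitted password in Java against a salted, slow hash (bcrypt/scrypt/Argon2) rather than letting the database compare digests. If the md5 helper has to stay for compatibility with existing rows, a comment on the `sqlStatement.setString(2, md5(password));` line marking it as legacy hashing to be migrated would at least make that explicit. processLogin starts before the hunk and continues past it; `sqlStatement` and `connect` are not closed within the visible lines, so confirm a finally block does so.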
@@ -235,21 +231,18 @@ public String processLogin(
 @ResponseBody
 public String showPasswordHint(String username) {
- logger.info("Entering password-hint with username: " + username);
-
- if (username == null || username.isEmpty()) {
- return "No username provided, please type in your username first";
- }
-
- try {
- Class.forName("com.mysql.jdbc.Driver");
-
- Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
- String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
- logger.info(sql);
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+logger.info("Entering password-hint with username: " + username);
+ if (username == null || username.isEmpty()) {
+ return "No username provided, please type in your username first";
+ }
+ try {
+ Class.forName("com.mysql.jdbc.Driver");
+ Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+ String sql = "SELECT password_hint FROM users WHERE username = ?";
+ logger.info(sql);
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+ ResultSet result = statement.executeQuery();
 if (result.first()) {
 String password= result.getString("password_hint");
 String formatString = "Username '" + username + "' has password: %.2s%s";
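Review bot: `Connection connect` and `PreparedStatement statement` are opened inside the new try block but nothing in the hunk closes them, and because `connect` is declared inside the try no later finally block can reach it, so every call to this endpoint can leak a connection (the old code had the same problem, which the commit did not address). If the project targets Java 7 or later, open both in try-with-resources: `try (Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); PreparedStatement statement = connect.prepareStatement(sql)) {` with `statement.setString(1, username);` as the first statement of the body. The new first line still writes the raw `username` into the log, and the unchanged `formatString` below echoes it back in the response, so the value should be validated or encoded before it is reflected in either place. The remainder of showPasswordHint, including the else branch and any cleanup, is outside the hunk.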
@@ -313,8 +306,9 @@ public String processRegister(
 Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
 String sql = "SELECT username FROM users WHERE username = '" + username + "'";
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+PreparedStatement statement = connect.prepareStatement("SELECT username FROM users WHERE username = ?");
+statement.setString(1, username);
+ResultSet result = statement.executeQuery();
 if (result.first()) {
 model.addAttribute("error", "Username '" + username + "' already exists!");
 return "register";
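Review bot: The unchanged line `String sql = "SELECT username FROM users WHERE username = '" + username + "'";` is now dead code: it still concatenates the user-supplied name into a query string that is never executed, while the prepared statement repeats the SQL inline. Change that line to the parameterised text and reuse it, `String sql = "SELECT username FROM users WHERE username = ?";` followed by `PreparedStatement statement = connect.prepareStatement(sql);`, so the declared and executed queries cannot drift apart. As far as the patch shows, the added lines are also unindented relative to the surrounding code. processRegister begins before the hunk and continues after it, so whether `connect`, `statement` and `result` are closed cannot be seen here.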
@@ -360,29 +354,22 @@ public String processRegisterFinish(
 }
 Connection connect = null;
- Statement sqlStatement = null;
-
- try {
- // Get the Database Connection
- logger.info("Creating the Database connection");
- Class.forName("com.mysql.jdbc.Driver");
- connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
- /* START BAD CODE */
- // Execute the query
- String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"))
- .format(Calendar.getInstance().getTime());
- StringBuilder query = new StringBuilder();
- query.append("insert into users (username, password, created_at, real_name, blab_name) values(");
- query.append("'" + username + "',");
- query.append("'" + password + "',");
- query.append("'" + mysqlCurrentDateTime + "',");
- query.append("'" + realName + "',");
- query.append("'" + blabName + "'");
- query.append(");");
-
- sqlStatement = connect.createStatement();
- sqlStatement.execute(query.toString());
+PreparedStatement sqlStatement = null;
+try {
+ logger.info("Creating the Database connection");
+ Class.forName("com.mysql.jdbc.Driver");
+ connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+ String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"))
+ .format(Calendar.getInstance().getTime());
+ String query = "insert into users (username, password, created_at, real_name, blab_name) values(?, ?, ?, ?, ?)";
+ sqlStatement = connect.prepareStatement(query);
+ sqlStatement.setString(1, username);
+ sqlStatement.setString(2, password);
+ sqlStatement.setString(3, mysqlCurrentDateTime);
+ sqlStatement.setString(4, realName);
+ sqlStatement.setString(5, blabName);
+ sqlStatement.execute();
+ logger.info(query);
 logger.info(query.toString());
 /* END BAD CODE */
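Review bot: `logger.info(query);` is added directly above the unchanged `logger.info(query.toString());`, so the same template is logged twice; drop one of them (the change does improve things, since the logged text no longer contains the submitted password). `sqlStatement.setString(2, password)` stores whatever `password` holds at this point, while processLogin compares against `md5(password)`; unless the value was already hashed earlier in the method, the stored value and the login check will not agree and the password is kept in clear text, so confirm where hashing happens. `SimpleDateFormat` plus `Calendar` could become `LocalDateTime.now().format(DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss"))` if the project is on Java 8 or later, or the timestamp could be left to the database. processRegisterFinish starts before the hunk and continues past it.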
@@ -492,8 +479,9 @@ public String showProfile(
 String sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; ";
 logger.info(sqlMyEvents);
- Statement sqlStatement = connect.createStatement();
- ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+PreparedStatement sqlStatement = connect.prepareStatement("select event from users_history where blabber=? ORDER BY eventid DESC");
+sqlStatement.setString(1, username);
+ResultSet userHistoryResult = sqlStatement.executeQuery();
 /* END BAD CODE */
 while (userHistoryResult.next()) {
@@ -501,10 +489,11 @@ public String showProfile(
 }
 // Get the users information
- String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
- logger.info(sql);
- myInfo = connect.prepareStatement(sql);
- ResultSet myInfoResults = myInfo.executeQuery();
+String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
+logger.info(sql);
+myInfo = connect.prepareStatement(sql);
+myInfo.setString(1, username);
+ResultSet myInfoResults = myInfo.executeQuery();
 myInfoResults.next();
 // Send these values to our View
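Review bot: The unchanged `String sqlMyEvents = "select event from users_history where blabber=\"" + username + ...` line still concatenates `username` into a query that is no longer executed, the next line logs that string, and the new prepared statement repeats the SQL inline, so the logged query and the executed query are different text. Replace the context line with the parameterised version, `String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC";`, and pass `sqlMyEvents` to `prepareStatement` so the two stay identical. The second hunk in this file already does this the right way with `sql`, so the first should match it. showProfile begins before the hunk and continues past it, and `sqlStatement` is not closed within the visible lines.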