Veracode Batch Fix

src/main/java/com/veracode/verademo/commands/IgnoreCommand.java

@@ -36,15 +36,21 @@
 
 			sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
 			Statement sqlStatement = connect.createStatement();
-			logger.info(sqlQuery);
-			ResultSet result = sqlStatement.executeQuery(sqlQuery);
+sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+logger.info(sqlQuery);
+sqlStatement2.setString(1, blabberUsername);
+ResultSet result = sqlStatement2.executeQuery();
 			result.next();
 
 			/* START BAD CODE */
-			String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
-			sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
-			logger.info(sqlQuery);
-			sqlStatement.execute(sqlQuery);
+String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
+sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
+logger.info(sqlQuery);
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+sqlStatement2.setString(1, username);
+sqlStatement2.setString(2, event);
+sqlStatement2.execute();
 			/* END BAD CODE */
 		} catch (SQLException e) {
 			// TODO Auto-generated catch block

src/main/java/com/veracode/verademo/commands/ListenCommand.java

@@ -36,15 +36,21 @@
 
 			sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
 			Statement sqlStatement = connect.createStatement();
-			logger.info(sqlQuery);
-			ResultSet result = sqlStatement.executeQuery(sqlQuery);
+sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+logger.info(sqlQuery);
+sqlStatement2.setString(1, blabberUsername);
+ResultSet result = sqlStatement2.executeQuery();
 			result.next();
 
 			/* START BAD CODE -----*/
-			String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
-			sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
-			logger.info(sqlQuery);
-			sqlStatement.execute(sqlQuery);
+String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
+sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
+logger.info(sqlQuery);
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+sqlStatement2.setString(1, username);
+sqlStatement2.setString(2, event);
+sqlStatement2.execute();
 			/* END BAD CODE */
 		} catch (SQLException e) {
 			// TODO Auto-generated catch block

src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java

@@ -36,19 +36,29 @@
 
 			sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
 			Statement sqlStatement = connect.createStatement();
-			logger.info(sqlQuery);
-			ResultSet result = sqlStatement.executeQuery(sqlQuery);
+sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+logger.info(sqlQuery);
+sqlStatement2.setString(1, blabberUsername);
+ResultSet result = sqlStatement2.executeQuery();
 			result.next();
 
 			/* START BAD CODE ------*/
-			String event = "Removed account for blabber " + result.getString(1);
-			sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
-			logger.info(sqlQuery);
-			sqlStatement.execute(sqlQuery);
+String event = "Removed account for blabber " + result.getString(1);
+    sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
+    logger.info(sqlQuery);
+    PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+    sqlStatement2.setString(1, blabberUsername);
+    sqlStatement2.setString(2, event);
+    sqlStatement2.execute();
 
 			sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
 			logger.info(sqlQuery);
-			sqlStatement.execute(sqlQuery);
+sqlQuery = "DELETE FROM users WHERE username = ?";
+logger.info(sqlQuery);
+PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery);
+sqlStatement2.setString(1, blabberUsername);
+sqlStatement2.execute();
 			/* END BAD CODE */
 
 		} catch (SQLException e) {

src/main/java/com/veracode/verademo/controller/BlabController.java

@@ -467,27 +467,22 @@ public String showBlabbers(
 		logger.info("User is Logged In - continuing...");
 
 		Connection connect = null;
-		PreparedStatement blabberQuery = null;
-
-		/* START BAD CODE */
-		String blabbersSql = "SELECT users.username," + " users.blab_name," + " users.created_at,"
-				+ " SUM(if(listeners.listener=?, 1, 0)) as listeners,"
-				+ " SUM(if(listeners.status='Active',1,0)) as listening"
-				+ " FROM users LEFT JOIN listeners ON users.username = listeners.blabber"
-				+ " WHERE users.username NOT IN (\"admin\",?)" + " GROUP BY users.username" + " ORDER BY " + sort + ";";
-
-		try {
-			logger.info("Getting Database connection");
-			// Get the Database Connection
-			Class.forName("com.mysql.jdbc.Driver");
-			connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
-			// Find the Blabbers
-			logger.info(blabbersSql);
-			blabberQuery = connect.prepareStatement(blabbersSql);
-			blabberQuery.setString(1, username);
-			blabberQuery.setString(2, username);
-			ResultSet blabbersResults = blabberQuery.executeQuery();
+PreparedStatement blabberQuery = null;
+String blabbersSql = "SELECT users.username, " + " users.blab_name, " + " users.created_at, "
++ " SUM(if(listeners.listener=?, 1, 0)) as listeners, "
++ " SUM(if(listeners.status='Active', 1, 0)) as listening"
++ " FROM users LEFT JOIN listeners ON users.username = listeners.blabber"
++ " WHERE users.username NOT IN (\"admin\", ?)" + " GROUP BY users.username" + " ORDER BY ?;";
+try {
+    logger.info("Getting Database connection");
+    Class.forName("com.mysql.jdbc.Driver");
+    connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+    logger.info(blabbersSql);
+    blabberQuery = connect.prepareStatement(blabbersSql);
+    blabberQuery.setString(1, username);
+    blabberQuery.setString(2, username);
+    blabberQuery.setString(3, sort);
+    ResultSet blabbersResults = blabberQuery.executeQuery();
 			/* END BAD CODE */
 
 			List<Blabber> blabbers = new ArrayList<Blabber>();

src/main/java/com/veracode/verademo/controller/UserController.java

@@ -149,26 +149,22 @@
 		}
 
 		Connection connect = null;
-		Statement sqlStatement = null;
-
-		try {
-			// Get the Database Connection
-			logger.info("Creating the Database connection");
-			Class.forName("com.mysql.jdbc.Driver");
-			connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
-			/* START BAD CODE */
-			// Execute the query
-			logger.info("Creating the Statement");
-			String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username='"
-					+ username + "' and password='" + md5(password) + "';";
-			sqlStatement = connect.createStatement();
-			logger.info("Execute the Statement");
-			ResultSet result = sqlStatement.executeQuery(sqlQuery);
+PreparedStatement sqlStatement = null;
+try {
+    logger.info("Creating the Database connection");
+    Class.forName("com.mysql.jdbc.Driver");
+    connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+    logger.info("Creating the Statement");
+    String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username=? and password=?";
+    sqlStatement = connect.prepareStatement(sqlQuery);
+    sqlStatement.setString(1, username);
+    sqlStatement.setString(2, md5(password));
+    logger.info("Execute the Statement");
+    ResultSet result = sqlStatement.executeQuery();
 			/* END BAD CODE */
 
 			// Did we find exactly 1 user that matched?
 			if (result.first()) {
 				logger.info("User Found.");
 				// Remember the username as a courtesy.
 				response.addCookie(new Cookie("username", username));
@@ -235,24 +231,21 @@
 	@ResponseBody
 	public String showPasswordHint(String username)
 	{
-		logger.info("Entering password-hint with username: " + username);
-
-		if (username == null || username.isEmpty()) {
-			return "No username provided, please type in your username first";
-		}
-
-		try {
-			Class.forName("com.mysql.jdbc.Driver");
-
-			Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
-			String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
-			logger.info(sql);
-			Statement statement = connect.createStatement();
-			ResultSet result = statement.executeQuery(sql);
+logger.info("Entering password-hint with username: " + username);
+    if (username == null || username.isEmpty()) {
+        return "No username provided, please type in your username first";
+    }
+    try {
+        Class.forName("com.mysql.jdbc.Driver");
+        Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+        String sql = "SELECT password_hint FROM users WHERE username = ?";
+        logger.info(sql);
+        PreparedStatement statement = connect.prepareStatement(sql);
+        statement.setString(1, username);
+        ResultSet result = statement.executeQuery();
 			if (result.first()) {
 				String password= result.getString("password_hint");
 				String formatString = "Username '" + username + "' has password: %.2s%s";
 				logger.info(formatString);
 				return String.format(
 						formatString,
@@ -313,8 +306,9 @@
 			Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
 
 			String sql = "SELECT username FROM users WHERE username = '" + username + "'";
-			Statement statement = connect.createStatement();
-			ResultSet result = statement.executeQuery(sql);
+PreparedStatement statement = connect.prepareStatement("SELECT username FROM users WHERE username = ?");
+statement.setString(1, username);
+ResultSet result = statement.executeQuery();
 			if (result.first()) {
 				model.addAttribute("error", "Username '" + username + "' already exists!");
 				return "register";
@@ -360,29 +354,22 @@
 		}
 
 		Connection connect = null;
-		Statement sqlStatement = null;
-
-		try {
-			// Get the Database Connection
-			logger.info("Creating the Database connection");
-			Class.forName("com.mysql.jdbc.Driver");
-			connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
-			/* START BAD CODE */
-			// Execute the query
-			String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"))
-					.format(Calendar.getInstance().getTime());
-			StringBuilder query = new StringBuilder();
-			query.append("insert into users (username, password, created_at, real_name, blab_name) values(");
-			query.append("'" + username + "',");
-			query.append("'" + password + "',");
-			query.append("'" + mysqlCurrentDateTime + "',");
-			query.append("'" + realName + "',");
-			query.append("'" + blabName + "'");
-			query.append(");");
-
-			sqlStatement = connect.createStatement();
-			sqlStatement.execute(query.toString());
+PreparedStatement sqlStatement = null;
+try {
+    logger.info("Creating the Database connection");
+    Class.forName("com.mysql.jdbc.Driver");
+    connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+    String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"))
+    .format(Calendar.getInstance().getTime());
+    String query = "insert into users (username, password, created_at, real_name, blab_name) values(?, ?, ?, ?, ?)";
+    sqlStatement = connect.prepareStatement(query);
+    sqlStatement.setString(1, username);
+    sqlStatement.setString(2, password);
+    sqlStatement.setString(3, mysqlCurrentDateTime);
+    sqlStatement.setString(4, realName);
+    sqlStatement.setString(5, blabName);
+    sqlStatement.execute();
+    logger.info(query);
 			logger.info(query.toString());
 			/* END BAD CODE */
 
@@ -492,19 +479,21 @@
 			String sqlMyEvents = "select event from users_history where blabber=\"" + username
 					+ "\" ORDER BY eventid DESC; ";
 			logger.info(sqlMyEvents);
-			Statement sqlStatement = connect.createStatement();
-			ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+PreparedStatement sqlStatement = connect.prepareStatement("select event from users_history where blabber=? ORDER BY eventid DESC");
+sqlStatement.setString(1, username);
+ResultSet userHistoryResult = sqlStatement.executeQuery();
 			/* END BAD CODE */
 
 			while (userHistoryResult.next()) {
 				events.add(userHistoryResult.getString(1));
 			}
 
 			// Get the users information
-			String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
-			logger.info(sql);
-			myInfo = connect.prepareStatement(sql);
-			ResultSet myInfoResults = myInfo.executeQuery();
+String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
+logger.info(sql);
+myInfo = connect.prepareStatement(sql);
+myInfo.setString(1, username);
+ResultSet myInfoResults = myInfo.executeQuery();
 			myInfoResults.next();
 
 			// Send these values to our View