/**
 * Loads the post whose id matches {@code post.getPostId()}.
 *
 * <p>The SQL is produced by binding the id straight into the text of
 * {@link PostSql#findCertainPost} via {@code SqlInjectionFilter.getBoundSql}, not through a
 * {@code PreparedStatement} placeholder; whether the bound text is executed then depends on the
 * filter level reported by {@code SqlInjectionFilter.isFiltered}: level 0 always executes, level 1
 * executes unless {@code isSQLiR} flags the text, level 2 executes unless {@code isSQLiQ} flags it,
 * and any other level never executes. What each detector inspects is defined in
 * {@code SqlInjectionFilter}, not here. The fully bound statement, caller-supplied values included,
 * is written to the log at INFO before the check.
 *
 * <p>{@code query()} is used instead of {@code queryForObject()} on purpose: a bound id that
 * matches several rows must not raise; the first row wins.
 *
 * @param post carrier for the id to look up; the argument object itself is not modified
 * @return the first matching row; a {@code PostModel} with {@code empty == true} when no row
 *     matched; a bare {@code new PostModel()} when binding failed or the filter rejected the text
 */
@Override
public PostModel findCertainPost(PostModel post) {
  String rawSql = PostSql.findCertainPost;
  Object[] bindValues = {post.getPostId()};
  String boundSql = SqlInjectionFilter.getBoundSql(rawSql, bindValues);
  // The log line contains whatever the caller put into the id.
  logger.info(boundSql);

  // Filter level is read from the database before the decision is made.
  int filterLevel = SqlInjectionFilter.isFiltered(this.getJdbcTemplate());
  boolean permitted;
  if (boundSql == null) {
    permitted = false;
  } else {
    switch (filterLevel) {
      case 0:
        permitted = true;
        break;
      case 1:
        permitted = !SqlInjectionFilter.isSQLiR(rawSql, boundSql);
        break;
      case 2:
        permitted = !SqlInjectionFilter.isSQLiQ(rawSql, boundSql);
        break;
      default:
        permitted = false;
        break;
    }
  }

  if (!permitted) {
    // Rejected text and a failed bind are indistinguishable to the caller.
    return new PostModel();
  }

  List<PostModel> rows =
      this.getJdbcTemplate()
          .query(
              boundSql,
              new RowMapper<PostModel>() {
                @Override
                public PostModel mapRow(ResultSet rs, int rowNum) throws SQLException {
                  PostModel row = new PostModel();
                  row.setPostId(rs.getInt("post_id"));
                  row.setMemberId(rs.getString("member_id"));
                  row.setTitle(rs.getString("title"));
                  row.setContents(rs.getString("contents"));
                  row.setDate(rs.getString("post_date"));
                  row.setEmpty(false);
                  return row;
                }
              });

  if (rows.isEmpty()) {
    PostModel none = new PostModel();
    none.setEmpty(true);
    return none;
  }
  return rows.get(0);
}
/**
 * Rewrites title, contents and date of the post identified by {@code post.getPostId()}.
 *
 * <p>All four values are bound straight into the text of {@link PostSql#updateCertainPost} via
 * {@code SqlInjectionFilter.getBoundSql}, not through {@code PreparedStatement} placeholders.
 * Execution is then gated by the filter level from {@code SqlInjectionFilter.isFiltered}: level 0
 * always executes, level 1 executes unless {@code isSQLiR} flags the text, level 2 executes unless
 * {@code isSQLiQ} flags it, any other level never executes. The bound statement, including the
 * caller-supplied title and contents, is logged at INFO before the check.
 *
 * @param post source of the new title, contents, date and of the id to update
 * @return {@code 0} when the update statement was sent to the database (regardless of how many
 *     rows it touched), {@code 1} when binding returned {@code null} or the filter rejected the
 *     text — the two are not distinguishable from the return value
 */
@Override
public int updateCertainPost(PostModel post) {
  String rawSql = PostSql.updateCertainPost;
  Object[] bindValues = {
    post.getTitle(), post.getContents(), post.getDate(), post.getPostId()
  };
  String boundSql = SqlInjectionFilter.getBoundSql(rawSql, bindValues);
  // Caller-supplied text ends up verbatim in the log line.
  logger.info(boundSql);

  int filterLevel = SqlInjectionFilter.isFiltered(this.getJdbcTemplate());
  boolean permitted;
  if (boundSql == null) {
    permitted = false;
  } else {
    switch (filterLevel) {
      case 0:
        permitted = true;
        break;
      case 1:
        permitted = !SqlInjectionFilter.isSQLiR(rawSql, boundSql);
        break;
      case 2:
        permitted = !SqlInjectionFilter.isSQLiQ(rawSql, boundSql);
        break;
      default:
        permitted = false;
        break;
    }
  }

  if (!permitted) {
    return 1;
  }
  // Affected-row count from update() is discarded; success only means "statement executed".
  this.getJdbcTemplate().update(boundSql);
  return 0;
}