Example #1
0
  @Override
  public PostModel findCertainPost(PostModel post) {
    Object[] params = new Object[] {post.getPostId()};
    String fq = PostSql.findCertainPost;
    String dq = SqlInjectionFilter.getBoundSql(fq, params);

    logger.info(dq);

    int filter = SqlInjectionFilter.isFiltered(this.getJdbcTemplate());

    if (dq != null
        && (filter == 0
            || ((filter == 1 && !SqlInjectionFilter.isSQLiR(fq, dq))
                || (filter == 2 && !SqlInjectionFilter.isSQLiQ(fq, dq))))) {
      // if want to get single row, It's correct using queryForObject() method -> only return single
      // row.
      // but in this case, for developing vulnerable web application, use query() method-> allow
      // return multi rows.
      List<PostModel> list =
          this.getJdbcTemplate()
              .query(
                  dq,
                  new RowMapper<PostModel>() {
                    @Override
                    public PostModel mapRow(ResultSet rs, int rowNum) throws SQLException {
                      PostModel post = new PostModel();
                      post.setPostId(rs.getInt("post_id"));
                      post.setMemberId(rs.getString("member_id"));
                      post.setTitle(rs.getString("title"));
                      post.setContents(rs.getString("contents"));
                      post.setDate(rs.getString("post_date"));
                      post.setEmpty(false);
                      return post;
                    }
                  });
      if (list.size() == 0) {
        post = new PostModel();
        post.setEmpty(true);
        return post;
      } else {
        return list.get(0);
      }

      //		} else return null;
    } else return new PostModel();
  }
Example #2
0
  @Override
  public int updateCertainPost(PostModel post) {
    Object[] params =
        new Object[] {post.getTitle(), post.getContents(), post.getDate(), post.getPostId()};
    String fq = PostSql.updateCertainPost;
    String dq = SqlInjectionFilter.getBoundSql(fq, params);

    logger.info(dq);

    int filter = SqlInjectionFilter.isFiltered(this.getJdbcTemplate());

    if (dq != null
        && (filter == 0
            || ((filter == 1 && !SqlInjectionFilter.isSQLiR(fq, dq))
                || (filter == 2 && !SqlInjectionFilter.isSQLiQ(fq, dq))))) {
      this.getJdbcTemplate().update(dq);
      return 0;
    } else return 1;
  }