@Override
public PostModel findCertainPost(PostModel post) {
    // The post id is spliced into the statement text by getBoundSql() and the
    // resulting string is executed verbatim -- no PreparedStatement placeholders.
    // This is deliberate in this training application (see the comment on query()
    // below): the request is only stopped when the configured filter level flags it.
    Object[] bindValues = new Object[] {post.getPostId()};
    String template = PostSql.findCertainPost;
    String boundSql = SqlInjectionFilter.getBoundSql(template, bindValues);
    // NOTE(review): this writes the caller-influenced SQL text to the log verbatim.
    logger.info(boundSql);
    int level = SqlInjectionFilter.isFiltered(this.getJdbcTemplate());

    // Decide whether the bound statement may run. Level 0 means no filtering;
    // levels 1 and 2 consult the two detectors (their exact heuristics live in
    // SqlInjectionFilter); any other level, or a missing statement, blocks.
    boolean permitted;
    if (boundSql == null) {
        permitted = false;
    } else {
        switch (level) {
            case 0:
                permitted = true;
                break;
            case 1:
                permitted = !SqlInjectionFilter.isSQLiR(template, boundSql);
                break;
            case 2:
                permitted = !SqlInjectionFilter.isSQLiQ(template, boundSql);
                break;
            default:
                permitted = false;
                break;
        }
    }
    if (!permitted) {
        // Blocked (or no statement to run): hand back a blank model. Unlike the
        // no-rows case further down it is NOT flagged empty -- kept as the
        // original behaves.
        return new PostModel();
    }

    // query() rather than queryForObject() on purpose: an injected payload may
    // widen the result to several rows, and the first one is what gets returned.
    List<PostModel> rows =
        this.getJdbcTemplate()
            .query(
                boundSql,
                new RowMapper<PostModel>() {
                    @Override
                    public PostModel mapRow(ResultSet rs, int rowNum) throws SQLException {
                        PostModel row = new PostModel();
                        row.setPostId(rs.getInt("post_id"));
                        row.setMemberId(rs.getString("member_id"));
                        row.setTitle(rs.getString("title"));
                        row.setContents(rs.getString("contents"));
                        row.setDate(rs.getString("post_date"));
                        row.setEmpty(false);
                        return row;
                    }
                });
    if (rows.isEmpty()) {
        // No matching post: signal it through the model's empty flag.
        PostModel none = new PostModel();
        none.setEmpty(true);
        return none;
    }
    return rows.get(0);
}
@Override
public int deleteCertainPost(PostModel post) {
    // Same pattern as the other DAO methods: the post id is bound into the SQL
    // text by getBoundSql() and executed as a plain string (no placeholders), so
    // the value can alter the DELETE. Intentional for the injection exercise; the
    // only safeguard is the filter level read from the database below.
    Object[] bindValues = new Object[] {post.getPostId()};
    String template = PostSql.deleteCertainPost;
    String boundSql = SqlInjectionFilter.getBoundSql(template, bindValues);
    // NOTE(review): the full statement, including caller-supplied text, is logged.
    logger.info(boundSql);
    int level = SqlInjectionFilter.isFiltered(this.getJdbcTemplate());

    // No statement at all: report "blocked" without touching the database.
    if (boundSql == null) {
        return 1;
    }
    boolean blocked;
    switch (level) {
        case 0:
            blocked = false; // filtering disabled
            break;
        case 1:
            blocked = SqlInjectionFilter.isSQLiR(template, boundSql);
            break;
        case 2:
            blocked = SqlInjectionFilter.isSQLiQ(template, boundSql);
            break;
        default:
            blocked = true; // unknown level: refuse to run
            break;
    }
    if (blocked) {
        return 1;
    }
    // Return code: 0 = statement executed, 1 = rejected by the filter. The
    // number of affected rows is not reported.
    this.getJdbcTemplate().update(boundSql);
    return 0;
}
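@Override
public List<PostModel> findPosts(Map<String, Object> map) {
    // The caller-supplied search key (map.get(Messages.currentkey)) is bound into
    // the SQL text by getBoundSql() and executed as a plain string -- no
    // PreparedStatement placeholders -- so it can alter the query. This is
    // deliberate in this training application, consistent with the sibling
    // DAO methods.
    Object[] params = new Object[] {map.get(Messages.currentkey)};
    String fq = PostSql.findPosts;
    String dq = SqlInjectionFilter.getBoundSql(fq, params);
    // NOTE(review): logs the bound statement, i.e. user input, verbatim.
    logger.info(dq);
    // The filter level is looked up exactly as in findCertainPost/deleteCertainPost,
    // but the original author disabled enforcement for this query. The lookup is
    // kept for parity and for any side effect isFiltered() may have; to re-enable
    // filtering, gate the query on the same (filter == 0 || filter == 1 && !isSQLiR
    // || filter == 2 && !isSQLiQ) condition the sibling methods use.
    int filter = SqlInjectionFilter.isFiltered(this.getJdbcTemplate());

    // Fix: getBoundSql() can return null (the sibling methods guard for it), and
    // handing null to JdbcTemplate.query() fails instead of yielding no rows.
    // Treat a missing statement as "no posts" so callers always get a list.
    if (dq == null) {
        return new ArrayList<PostModel>();
    }
    try {
        return this.getJdbcTemplate()
            .query(
                dq,
                new RowMapper<PostModel>() {
                    @Override
                    public PostModel mapRow(ResultSet rs, int rowNum) throws SQLException {
                        PostModel row = new PostModel();
                        row.setPostId(rs.getInt("post_id"));
                        row.setMemberId(rs.getString("member_id"));
                        row.setTitle(rs.getString("title"));
                        row.setContents(rs.getString("contents"));
                        row.setDate(rs.getString("post_date"));
                        row.setEmpty(false);
                        return row;
                    }
                });
    } catch (EmptyResultDataAccessException e) {
        // Defensive fallback retained from the original: query() with a RowMapper
        // is expected to return an empty list rather than throw, but keep the
        // "no rows -> empty list" contract either way.
        return new ArrayList<PostModel>();
    }
}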