/**
* Execute a SQL INSERT, UPDATE or DELETE statement. In addition SQL statements that return
* nothing such as SQL DDL statements can be executed
*
* <p>Any IDs generated for AUTO_INCREMENT fields can be retrieved by casting this Statement to
* org.gjt.mm.mysql.Statement and calling the getLastInsertID() method.
*
* @param Sql a SQL statement
* @return either a row count, or 0 for SQL commands
* @exception java.sql.SQLException if a database access error occurs
*/
public int executeUpdate(String Sql) throws java.sql.SQLException {
if (Driver.trace) {
Object[] Args = {Sql};
Debug.methodCall(this, "executeUpdate", Args);
}
if (_escapeProcessing) {
Sql = _Escaper.escapeSQL(Sql);
}
if (Sql.indexOf("||") != -1) {
Sql = _Escaper.doConcat(Sql);
}
// The checking and changing of catalogs
// must happen in sequence, so synchronize
// on the same mutex that _Conn is using
ResultSet RS = null;
synchronized (_Conn.getMutex()) {
String OldCatalog = null;
if (!_Conn.getCatalog().equals(_Catalog)) {
OldCatalog = _Conn.getCatalog();
_Conn.setCatalog(_Catalog);
}
RS = _Conn.execSQL(Sql, -1);
RS.setConnection(_Conn);
if (OldCatalog != null) {
_Conn.setCatalog(OldCatalog);
}
}
if (RS.reallyResult()) {
throw new java.sql.SQLException("Results returned for UPDATE ONLY.", "01S03");
} else {
_update_count = RS.getUpdateCount();
int truncated_update_count = 0;
if (_update_count > Integer.MAX_VALUE) {
truncated_update_count = Integer.MAX_VALUE;
} else {
truncated_update_count = (int) _update_count;
}
_last_insert_id = RS.getUpdateID();
return truncated_update_count;
}
}
/* uses badsource and badsink */
public void bad() throws Throwable {
String data;
/* get system property user.home */
/* POTENTIAL FLAW: Read data from a system property */
data = System.getProperty("user.home");
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B() - uses goodsource and badsink */
private void goodG2B() throws Throwable {
String data;
/* FIX: Use a hardcoded string */
data = "foo";
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2() throws Throwable {
String data;
if (PRIVATE_STATIC_FINAL_FIVE == 5) {
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B1() - use goodsource and badsink by setting the variable to false instead of true */
private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
goodG2B1_private = false;
data = goodG2B1_source(request, response);
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
private void goodG2B1() throws Throwable {
String data;
goodG2B1PublicStatic = false;
data =
(new CWE15_External_Control_of_System_or_Configuration_Setting__PropertiesFile_22b())
.goodG2B1Source();
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2BSink(byte[] dataSerialized) throws Throwable {
/* unserialize data */
ByteArrayInputStream streamByteArrayInput = null;
ObjectInputStream streamObjectInput = null;
try {
streamByteArrayInput = new ByteArrayInputStream(dataSerialized);
streamObjectInput = new ObjectInputStream(streamByteArrayInput);
String data = (String) streamObjectInput.readObject();
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "IOException in deserialization", exceptIO);
} catch (ClassNotFoundException exceptClassNotFound) {
IO.logger.log(
Level.WARNING, "ClassNotFoundException in deserialization", exceptClassNotFound);
} finally {
/* clean up stream reading objects */
try {
if (streamObjectInput != null) {
streamObjectInput.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing ObjectInputStream", exceptIO);
}
try {
if (streamByteArrayInput != null) {
streamByteArrayInput.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing ByteArrayInputStream", exceptIO);
}
}
}
private void reset(boolean known_resolved_txn) throws SQLException {
ensureOkay();
C3P0ImplUtils.resetTxnState(
physicalConnection,
forceIgnoreUnresolvedTransactions,
autoCommitOnClose,
known_resolved_txn);
if (isolation_lvl_nondefault) {
physicalConnection.setTransactionIsolation(dflt_txn_isolation);
isolation_lvl_nondefault = false;
}
if (catalog_nondefault) {
physicalConnection.setCatalog(dflt_catalog);
catalog_nondefault = false;
}
if (holdability_nondefault) // we don't test if holdability is supported, 'cuz it can never go
// nondefault if it's not.
{
physicalConnection.setHoldability(dflt_holdability);
holdability_nondefault = false;
}
try {
physicalConnection.setReadOnly(false);
} catch (Throwable t) {
if (logger.isLoggable(MLevel.FINE))
logger.log(
MLevel.FINE,
"A Throwable occurred while trying to reset the readOnly property of our Connection to false!",
t);
}
try {
if (supports_setTypeMap) physicalConnection.setTypeMap(Collections.EMPTY_MAP);
} catch (Throwable t) {
if (logger.isLoggable(MLevel.FINE))
logger.log(
MLevel.FINE,
"A Throwable occurred while trying to reset the typeMap property of our Connection to Collections.EMPTY_MAP!",
t);
}
}
public void badSink(String data) throws Throwable {
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
public void badSink() throws Throwable {
String data = CWE15_External_Control_of_System_or_Configuration_Setting__Property_68a.data;
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/**
* Execute a SQL statement that retruns a single ResultSet
*
* @param Sql typically a static SQL SELECT statement
* @return a ResulSet that contains the data produced by the query
* @exception java.sql.SQLException if a database access error occurs
*/
public java.sql.ResultSet executeQuery(String Sql) throws java.sql.SQLException {
if (Driver.trace) {
Object[] Args = {Sql};
Debug.methodCall(this, "executeQuery", Args);
}
if (_escapeProcessing) {
Sql = _Escaper.escapeSQL(Sql);
}
if (Sql.indexOf("||") != -1) {
Sql = _Escaper.doConcat(Sql);
}
if (_Results != null) {
_Results.close();
}
// If there isn't a limit clause in the SQL
// then limit the number of rows to return in
// an efficient manner. Only do this if
// setMaxRows() hasn't been used on any Statements
// generated from the current Connection (saves
// a query, and network traffic).
synchronized (_Conn.getMutex()) {
String OldCatalog = null;
if (!_Conn.getCatalog().equals(_Catalog)) {
OldCatalog = _Conn.getCatalog();
_Conn.setCatalog(_Catalog);
}
if (_Conn.useMaxRows()) {
// We need to execute this all together
// So synchronize on the Connection's mutex (because
// even queries going through there synchronize
// on the connection
if (Sql.toUpperCase().indexOf("LIMIT") != -1) {
_Results = _Conn.execSQL(Sql, _max_rows);
} else {
if (_max_rows <= 0) {
_Conn.execSQL("SET OPTION SQL_SELECT_LIMIT=" + MysqlDefs.MAX_ROWS, -1);
} else {
_Conn.execSQL("SET OPTION SQL_SELECT_LIMIT=" + _max_rows, -1);
}
_Results = _Conn.execSQL(Sql, -1);
if (OldCatalog != null) {
_Conn.setCatalog(OldCatalog);
}
}
} else {
_Results = _Conn.execSQL(Sql, -1);
}
if (OldCatalog != null) {
_Conn.setCatalog(OldCatalog);
}
}
_last_insert_id = _Results.getUpdateID();
_NextResults = _Results;
_Results.setConnection(_Conn);
return _Results;
}
/**
* Execute a SQL statement that may return multiple results. We don't have to worry about this
* since we do not support multiple ResultSets. You can use getResultSet or getUpdateCount to
* retrieve the result.
*
* @param sql any SQL statement
* @return true if the next result is a ResulSet, false if it is an update count or there are no
* more results
* @exception java.sql.SQLException if a database access error occurs
*/
public boolean execute(String Sql) throws java.sql.SQLException {
if (Driver.trace) {
Object[] Args = {Sql};
Debug.methodCall(this, "execute", Args);
}
if (_escapeProcessing) {
Sql = _Escaper.escapeSQL(Sql);
}
if (Sql.indexOf("||") != -1) {
Sql = _Escaper.doConcat(Sql);
}
if (_Results != null) {
_Results.close();
}
ResultSet RS = null;
// If there isn't a limit clause in the SQL
// then limit the number of rows to return in
// an efficient manner. Only do this if
// setMaxRows() hasn't been used on any Statements
// generated from the current Connection (saves
// a query, and network traffic).
synchronized (_Conn.getMutex()) {
String OldCatalog = null;
if (!_Conn.getCatalog().equals(_Catalog)) {
OldCatalog = _Conn.getCatalog();
_Conn.setCatalog(_Catalog);
}
if (_Conn.useMaxRows()) {
if (Sql.toUpperCase().indexOf("LIMIT") != -1) {
RS = _Conn.execSQL(Sql, _max_rows);
} else {
if (_max_rows <= 0) {
_Conn.execSQL("SET OPTION SQL_SELECT_LIMIT=" + MysqlDefs.MAX_ROWS, -1);
} else {
_Conn.execSQL("SET OPTION SQL_SELECT_LIMIT=" + _max_rows, -1);
}
RS = _Conn.execSQL(Sql, -1);
}
} else {
RS = _Conn.execSQL(Sql, -1);
}
if (OldCatalog != null) {
_Conn.setCatalog(OldCatalog);
}
}
_last_insert_id = RS.getUpdateID();
if (RS != null) {
_Results = RS;
}
RS.setConnection(_Conn);
return (RS != null && RS.reallyResult());
}
/* uses badsource and badsink */
public void bad() throws Throwable {
String data;
if (PRIVATE_STATIC_FINAL_FIVE == 5) {
data = ""; /* Initialize data */
{
File file = new File("C:\\data.txt");
FileInputStream streamFileInput = null;
InputStreamReader readerInputStream = null;
BufferedReader readerBuffered = null;
try {
/* read string from file into data */
streamFileInput = new FileInputStream(file);
readerInputStream = new InputStreamReader(streamFileInput, "UTF-8");
readerBuffered = new BufferedReader(readerInputStream);
/* POTENTIAL FLAW: Read data from a file */
/* This will be reading the first "line" of the file, which
* could be very long if there are little or no newlines in the file */
data = readerBuffered.readLine();
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* Close stream reading objects */
try {
if (readerBuffered != null) {
readerBuffered.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStream != null) {
readerInputStream.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
try {
if (streamFileInput != null) {
streamFileInput.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
public void setCatalog(String catalog) throws SQLException {
con.setCatalog(catalog);
}
@Setter
public void setCatalog(String value) throws SQLException {
connection.setCatalog(value);
}
public void setCatalog(String s) throws SQLException {
conn.setCatalog(s);
}