コード例 #1
0
ファイル: Statement.java プロジェクト: TaylorFarrar/NAPROC-13
  /**
   * Execute a SQL INSERT, UPDATE or DELETE statement. In addition SQL statements that return
   * nothing such as SQL DDL statements can be executed
   *
   * <p>Any IDs generated for AUTO_INCREMENT fields can be retrieved by casting this Statement to
   * org.gjt.mm.mysql.Statement and calling the getLastInsertID() method.
   *
   * @param Sql a SQL statement
   * @return either a row count, or 0 for SQL commands
   * @exception java.sql.SQLException if a database access error occurs
   */
  public int executeUpdate(String Sql) throws java.sql.SQLException {
    if (Driver.trace) {
      Object[] Args = {Sql};
      Debug.methodCall(this, "executeUpdate", Args);
    }

    if (_escapeProcessing) {
      Sql = _Escaper.escapeSQL(Sql);
    }

    if (Sql.indexOf("||") != -1) {
      Sql = _Escaper.doConcat(Sql);
    }

    // The checking and changing of catalogs
    // must happen in sequence, so synchronize
    // on the same mutex that _Conn is using

    ResultSet RS = null;

    synchronized (_Conn.getMutex()) {
      String OldCatalog = null;

      if (!_Conn.getCatalog().equals(_Catalog)) {
        OldCatalog = _Conn.getCatalog();
        _Conn.setCatalog(_Catalog);
      }

      RS = _Conn.execSQL(Sql, -1);

      RS.setConnection(_Conn);

      if (OldCatalog != null) {
        _Conn.setCatalog(OldCatalog);
      }
    }

    if (RS.reallyResult()) {
      throw new java.sql.SQLException("Results returned for UPDATE ONLY.", "01S03");
    } else {
      _update_count = RS.getUpdateCount();

      int truncated_update_count = 0;

      if (_update_count > Integer.MAX_VALUE) {
        truncated_update_count = Integer.MAX_VALUE;
      } else {
        truncated_update_count = (int) _update_count;
      }

      _last_insert_id = RS.getUpdateID();

      return truncated_update_count;
    }
  }
  /* uses badsource and badsink */
  public void bad() throws Throwable {
    String data;

    /* get system property user.home */
    /* POTENTIAL FLAW: Read data from a system property */
    data = System.getProperty("user.home");

    Connection dbConnection = null;

    try {
      dbConnection = IO.getDBConnection();

      /* POTENTIAL FLAW: Set the catalog name with the value of data
       * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
      dbConnection.setCatalog(data);
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
  /* goodG2B() - uses goodsource and badsink */
  private void goodG2B() throws Throwable {
    String data;

    /* FIX: Use a hardcoded string */
    data = "foo";

    Connection dbConnection = null;

    try {
      dbConnection = IO.getDBConnection();

      /* POTENTIAL FLAW: Set the catalog name with the value of data
       * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
      dbConnection.setCatalog(data);
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
  /* goodG2B2() - use goodsource and badsink by reversing statements in if */
  private void goodG2B2() throws Throwable {
    String data;
    if (PRIVATE_STATIC_FINAL_FIVE == 5) {
      /* FIX: Use a hardcoded string */
      data = "foo";
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
       * but ensure data is inititialized before the Sink to avoid compiler errors */
      data = null;
    }

    Connection dbConnection = null;

    try {
      dbConnection = IO.getDBConnection();

      /* POTENTIAL FLAW: Set the catalog name with the value of data
       * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
      dbConnection.setCatalog(data);
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
  /* goodG2B1() - use goodsource and badsink by setting the variable to false instead of true */
  private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    goodG2B1_private = false;
    data = goodG2B1_source(request, response);

    Connection dbConnection = null;

    try {
      dbConnection = IO.getDBConnection();

      /* POTENTIAL FLAW: Set the catalog name with the value of data
       * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
      dbConnection.setCatalog(data);
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
  /* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
  private void goodG2B1() throws Throwable {
    String data;

    goodG2B1PublicStatic = false;
    data =
        (new CWE15_External_Control_of_System_or_Configuration_Setting__PropertiesFile_22b())
            .goodG2B1Source();

    Connection dbConnection = null;

    try {
      dbConnection = IO.getDBConnection();

      /* POTENTIAL FLAW: Set the catalog name with the value of data
       * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
      dbConnection.setCatalog(data);
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
  /* goodG2B() - use goodsource and badsink */
  public void goodG2BSink(byte[] dataSerialized) throws Throwable {
    /* unserialize data */
    ByteArrayInputStream streamByteArrayInput = null;
    ObjectInputStream streamObjectInput = null;

    try {
      streamByteArrayInput = new ByteArrayInputStream(dataSerialized);
      streamObjectInput = new ObjectInputStream(streamByteArrayInput);
      String data = (String) streamObjectInput.readObject();

      Connection dbConnection = null;

      try {
        dbConnection = IO.getDBConnection();

        /* POTENTIAL FLAW: Set the catalog name with the value of data
         * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
        dbConnection.setCatalog(data);
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
      } finally {
        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }

    } catch (IOException exceptIO) {
      IO.logger.log(Level.WARNING, "IOException in deserialization", exceptIO);
    } catch (ClassNotFoundException exceptClassNotFound) {
      IO.logger.log(
          Level.WARNING, "ClassNotFoundException in deserialization", exceptClassNotFound);
    } finally {
      /* clean up stream reading objects */
      try {
        if (streamObjectInput != null) {
          streamObjectInput.close();
        }
      } catch (IOException exceptIO) {
        IO.logger.log(Level.WARNING, "Error closing ObjectInputStream", exceptIO);
      }

      try {
        if (streamByteArrayInput != null) {
          streamByteArrayInput.close();
        }
      } catch (IOException exceptIO) {
        IO.logger.log(Level.WARNING, "Error closing ByteArrayInputStream", exceptIO);
      }
    }
  }
コード例 #8
0
  private void reset(boolean known_resolved_txn) throws SQLException {
    ensureOkay();
    C3P0ImplUtils.resetTxnState(
        physicalConnection,
        forceIgnoreUnresolvedTransactions,
        autoCommitOnClose,
        known_resolved_txn);
    if (isolation_lvl_nondefault) {
      physicalConnection.setTransactionIsolation(dflt_txn_isolation);
      isolation_lvl_nondefault = false;
    }
    if (catalog_nondefault) {
      physicalConnection.setCatalog(dflt_catalog);
      catalog_nondefault = false;
    }
    if (holdability_nondefault) // we don't test if holdability is supported, 'cuz it can never go
                                // nondefault if it's not.
    {
      physicalConnection.setHoldability(dflt_holdability);
      holdability_nondefault = false;
    }

    try {
      physicalConnection.setReadOnly(false);
    } catch (Throwable t) {
      if (logger.isLoggable(MLevel.FINE))
        logger.log(
            MLevel.FINE,
            "A Throwable occurred while trying to reset the readOnly property of our Connection to false!",
            t);
    }

    try {
      if (supports_setTypeMap) physicalConnection.setTypeMap(Collections.EMPTY_MAP);
    } catch (Throwable t) {
      if (logger.isLoggable(MLevel.FINE))
        logger.log(
            MLevel.FINE,
            "A Throwable occurred while trying to reset the typeMap property of our Connection to Collections.EMPTY_MAP!",
            t);
    }
  }
  public void badSink(String data) throws Throwable {

    Connection dbConnection = null;

    try {
      dbConnection = IO.getDBConnection();

      /* POTENTIAL FLAW: Set the catalog name with the value of data
       * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
      dbConnection.setCatalog(data);
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
  public void badSink() throws Throwable {
    String data = CWE15_External_Control_of_System_or_Configuration_Setting__Property_68a.data;

    Connection dbConnection = null;

    try {
      dbConnection = IO.getDBConnection();

      /* POTENTIAL FLAW: Set the catalog name with the value of data
       * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
      dbConnection.setCatalog(data);
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
コード例 #11
0
ファイル: Statement.java プロジェクト: TaylorFarrar/NAPROC-13
  /**
   * Execute a SQL statement that retruns a single ResultSet
   *
   * @param Sql typically a static SQL SELECT statement
   * @return a ResulSet that contains the data produced by the query
   * @exception java.sql.SQLException if a database access error occurs
   */
  public java.sql.ResultSet executeQuery(String Sql) throws java.sql.SQLException {
    if (Driver.trace) {
      Object[] Args = {Sql};
      Debug.methodCall(this, "executeQuery", Args);
    }

    if (_escapeProcessing) {
      Sql = _Escaper.escapeSQL(Sql);
    }

    if (Sql.indexOf("||") != -1) {
      Sql = _Escaper.doConcat(Sql);
    }

    if (_Results != null) {
      _Results.close();
    }

    // If there isn't a limit clause in the SQL
    // then limit the number of rows to return in
    // an efficient manner. Only do this if
    // setMaxRows() hasn't been used on any Statements
    // generated from the current Connection (saves
    // a query, and network traffic).

    synchronized (_Conn.getMutex()) {
      String OldCatalog = null;

      if (!_Conn.getCatalog().equals(_Catalog)) {
        OldCatalog = _Conn.getCatalog();
        _Conn.setCatalog(_Catalog);
      }

      if (_Conn.useMaxRows()) {

        // We need to execute this all together
        // So synchronize on the Connection's mutex (because
        // even queries going through there synchronize
        // on the connection

        if (Sql.toUpperCase().indexOf("LIMIT") != -1) {
          _Results = _Conn.execSQL(Sql, _max_rows);
        } else {
          if (_max_rows <= 0) {
            _Conn.execSQL("SET OPTION SQL_SELECT_LIMIT=" + MysqlDefs.MAX_ROWS, -1);
          } else {
            _Conn.execSQL("SET OPTION SQL_SELECT_LIMIT=" + _max_rows, -1);
          }

          _Results = _Conn.execSQL(Sql, -1);

          if (OldCatalog != null) {
            _Conn.setCatalog(OldCatalog);
          }
        }
      } else {
        _Results = _Conn.execSQL(Sql, -1);
      }

      if (OldCatalog != null) {
        _Conn.setCatalog(OldCatalog);
      }
    }

    _last_insert_id = _Results.getUpdateID();
    _NextResults = _Results;
    _Results.setConnection(_Conn);
    return _Results;
  }
コード例 #12
0
ファイル: Statement.java プロジェクト: TaylorFarrar/NAPROC-13
  /**
   * Execute a SQL statement that may return multiple results. We don't have to worry about this
   * since we do not support multiple ResultSets. You can use getResultSet or getUpdateCount to
   * retrieve the result.
   *
   * @param sql any SQL statement
   * @return true if the next result is a ResulSet, false if it is an update count or there are no
   *     more results
   * @exception java.sql.SQLException if a database access error occurs
   */
  public boolean execute(String Sql) throws java.sql.SQLException {
    if (Driver.trace) {
      Object[] Args = {Sql};
      Debug.methodCall(this, "execute", Args);
    }

    if (_escapeProcessing) {
      Sql = _Escaper.escapeSQL(Sql);
    }

    if (Sql.indexOf("||") != -1) {
      Sql = _Escaper.doConcat(Sql);
    }

    if (_Results != null) {
      _Results.close();
    }

    ResultSet RS = null;

    // If there isn't a limit clause in the SQL
    // then limit the number of rows to return in
    // an efficient manner. Only do this if
    // setMaxRows() hasn't been used on any Statements
    // generated from the current Connection (saves
    // a query, and network traffic).

    synchronized (_Conn.getMutex()) {
      String OldCatalog = null;

      if (!_Conn.getCatalog().equals(_Catalog)) {
        OldCatalog = _Conn.getCatalog();
        _Conn.setCatalog(_Catalog);
      }

      if (_Conn.useMaxRows()) {
        if (Sql.toUpperCase().indexOf("LIMIT") != -1) {
          RS = _Conn.execSQL(Sql, _max_rows);
        } else {
          if (_max_rows <= 0) {
            _Conn.execSQL("SET OPTION SQL_SELECT_LIMIT=" + MysqlDefs.MAX_ROWS, -1);
          } else {
            _Conn.execSQL("SET OPTION SQL_SELECT_LIMIT=" + _max_rows, -1);
          }
          RS = _Conn.execSQL(Sql, -1);
        }
      } else {
        RS = _Conn.execSQL(Sql, -1);
      }

      if (OldCatalog != null) {
        _Conn.setCatalog(OldCatalog);
      }
    }

    _last_insert_id = RS.getUpdateID();

    if (RS != null) {
      _Results = RS;
    }

    RS.setConnection(_Conn);

    return (RS != null && RS.reallyResult());
  }
  /* uses badsource and badsink */
  public void bad() throws Throwable {
    String data;
    if (PRIVATE_STATIC_FINAL_FIVE == 5) {
      data = ""; /* Initialize data */
      {
        File file = new File("C:\\data.txt");
        FileInputStream streamFileInput = null;
        InputStreamReader readerInputStream = null;
        BufferedReader readerBuffered = null;
        try {
          /* read string from file into data */
          streamFileInput = new FileInputStream(file);
          readerInputStream = new InputStreamReader(streamFileInput, "UTF-8");
          readerBuffered = new BufferedReader(readerInputStream);
          /* POTENTIAL FLAW: Read data from a file */
          /* This will be reading the first "line" of the file, which
           * could be very long if there are little or no newlines in the file */
          data = readerBuffered.readLine();
        } catch (IOException exceptIO) {
          IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
        } finally {
          /* Close stream reading objects */
          try {
            if (readerBuffered != null) {
              readerBuffered.close();
            }
          } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
          }

          try {
            if (readerInputStream != null) {
              readerInputStream.close();
            }
          } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
          }

          try {
            if (streamFileInput != null) {
              streamFileInput.close();
            }
          } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
       * but ensure data is inititialized before the Sink to avoid compiler errors */
      data = null;
    }

    Connection dbConnection = null;

    try {
      dbConnection = IO.getDBConnection();

      /* POTENTIAL FLAW: Set the catalog name with the value of data
       * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
      dbConnection.setCatalog(data);
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
コード例 #14
0
 public void setCatalog(String catalog) throws SQLException {
   con.setCatalog(catalog);
 }
コード例 #15
0
ファイル: PSqlConnection.java プロジェクト: lzpfmh/jphp
 @Setter
 public void setCatalog(String value) throws SQLException {
   connection.setCatalog(value);
 }
コード例 #16
0
ファイル: DBManager.java プロジェクト: nh13/IGV
 public void setCatalog(String s) throws SQLException {
   conn.setCatalog(s);
 }