예제 #1
0
 public void service(HttpServletRequest request, HttpServletResponse response)
     throws ServletException {
   try {
     ConnectionPool conPool = getConnectionPool();
     if (!realAuthentication(request, conPool)) {
       String queryString = request.getQueryString();
       if (request.getQueryString() == null) {
         queryString = "";
       }
       // if user is not authenticated send to signin
       response.sendRedirect(
           response.encodeRedirectURL(URLAUTHSIGNIN + "?" + URLBUY + "?" + queryString));
     } else {
       response.setHeader("Cache-Control", "no-cache");
       response.setHeader("Expires", "0");
       response.setHeader("Pragma", "no-cache");
       response.setContentType("text/html");
       String errorMessage = processRequest(request, response, conPool);
       if (errorMessage != null) {
         request.setAttribute(StringInterface.ERRORPAGEATTR, errorMessage);
         RequestDispatcher rd = getServletContext().getRequestDispatcher(PATHUSERERROR);
         rd.include(request, response);
       }
     }
   } catch (Exception e) {
     throw new ServletException(e);
   }
 }
  /* goodB2G2() - use badsource and goodsink by reversing statements in second if  */
  private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;
    if (privateFive == 5) {
      data = ""; /* initialize data in case id is not in query string */
      /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */
      {
        StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&");
        while (tokenizer.hasMoreTokens()) {
          String token = tokenizer.nextToken(); /* a token will be like "id=foo" */
          if (token.startsWith("id=")) /* check if we have the "id" parameter" */ {
            data = token.substring(3); /* set data to "foo" */
            break; /* exit while loop */
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
       * but ensure data is inititialized before the Sink to avoid compiler errors */
      data = null;
    }

    if (privateFive == 5) {
      Connection dbConnection = null;
      PreparedStatement sqlStatement = null;
      try {
        /* FIX: Use prepared statement and execute (properly) */
        dbConnection = IO.getDBConnection();
        sqlStatement =
            dbConnection.prepareStatement(
                "insert into users (status) values ('updated') where name=?");
        sqlStatement.setString(1, data);
        Boolean result = sqlStatement.execute();
        if (result) {
          IO.writeLine("Name, " + data + ", updated successfully");
        } else {
          IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
      } finally {
        try {
          if (sqlStatement != null) {
            sqlStatement.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
        }

        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }
    }
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    Logger log_bad = Logger.getLogger("local-logger");
    data = "";

    /* parse the query string for value of 'id' */
    String id_str = null;
    StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
    while (st.hasMoreTokens()) {
      String token = st.nextToken();
      int i = token.indexOf("=");
      if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
        id_str = token.substring(i + 1);
        break;
      }
    }

    if (id_str != null) {
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      try {
        int id = Integer.parseInt(id_str);
        conn = IO.getDBConnection();
        statement = conn.prepareStatement("select * from pages where id=?");
        /* FLAW: no check to see whether the user has privileges to view the data */
        statement.setInt(1, id);
        rs = statement.executeQuery();
        data = rs.toString();
      } catch (SQLException se) {
        log_bad.warning("Error");
      } finally {
        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    }

    (new CWE89_SQL_Injection__getQueryStringServlet_executeUpdate_53b())
        .bad_sink(data, request, response);
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    Logger log_bad = Logger.getLogger("local-logger");
    data = "";

    /* parse the query string for value of 'id' */
    String id_str = null;
    StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
    while (st.hasMoreTokens()) {
      String token = st.nextToken();
      int i = token.indexOf("=");
      if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
        id_str = token.substring(i + 1);
        break;
      }
    }

    if (id_str != null) {
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      try {
        int id = Integer.parseInt(id_str);
        conn = IO.getDBConnection();
        statement = conn.prepareStatement("select * from pages where id=?");
        /* FLAW: no check to see whether the user has privileges to view the data */
        statement.setInt(1, id);
        rs = statement.executeQuery();
        data = rs.toString();
      } catch (SQLException se) {
        log_bad.warning("Error");
      } finally {
        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    }

    {
      try {
        int iConversion = Integer.valueOf(data);
      } catch (Exception e) {
        e.printStackTrace(); /* POTENTIAL FLAW: Print stack trace on error */
      }
    }

    if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True.
		  We need the "if(true)" because the Java Language Spec requires that
		  unreachable code generate a compiler error */

    /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
    {
      try {
        int iConversion = Integer.valueOf(data);
      } catch (Exception e) {
        IO.writeLine("There was an error parsing the string"); /* FIX: print a generic message */
      }
    }
  }
예제 #5
0
 public void doGet(HttpServletRequest request, HttpServletResponse response) {
   response.setContentType("text/html");
   PrintWriter webPageOutput = null;
   try {
     webPageOutput = response.getWriter();
   } catch (IOException error) {
     Routines.writeToLog(servletName, "getWriter error : " + error, false, context);
   }
   HttpSession session = request.getSession();
   session.setAttribute("redirect", request.getRequestURL() + "?" + request.getQueryString());
   Connection database = null;
   try {
     database = pool.getConnection(servletName);
   } catch (SQLException error) {
     Routines.writeToLog(servletName, "Unable to connect to database : " + error, false, context);
   }
   if (Routines.loginCheck(true, request, response, database, context)) {
     return;
   }
   String server = context.getInitParameter("server");
   boolean liveSever = false;
   if (server == null) {
     server = "";
   }
   if (server.equals("live")) {
     response.setHeader("Refresh", "60");
   }
   Routines.WriteHTMLHead(
       "View System Log", // title
       false, // showMenu
       13, // menuHighLight
       false, // seasonsMenu
       false, // weeksMenu
       false, // scores
       false, // standings
       false, // gameCenter
       false, // schedules
       false, // previews
       false, // teamCenter
       false, // draft
       database, // database
       request, // request
       response, // response
       webPageOutput, // webPageOutput
       context); // context
   webPageOutput.println("<CENTER>");
   webPageOutput.println(
       "<IMG SRC=\"../Images/Admin.gif\"" + " WIDTH='125' HEIGHT='115' ALT='Admin'>");
   webPageOutput.println("</CENTER>");
   pool.returnConnection(database);
   webPageOutput.println(Routines.spaceLines(1));
   Routines.tableStart(false, webPageOutput);
   Routines.tableHeader("System Log", 0, webPageOutput);
   Routines.tableDataStart(true, false, false, true, true, 0, 0, "scoresrow", webPageOutput);
   boolean firstLine = true;
   int numOfLines = 0;
   try {
     String file = context.getRealPath("/");
     FileReader logFile = new FileReader(file + "/Data/log.txt");
     BufferedReader logFileBuffer = new BufferedReader(logFile);
     boolean endOfFile = false;
     while (!endOfFile) {
       String logFileText = logFileBuffer.readLine();
       if (logFileText == null) {
         endOfFile = true;
       } else {
         if (firstLine) {
           firstLine = false;
         } else {
           webPageOutput.println(Routines.spaceLines(1));
         }
         numOfLines++;
         webPageOutput.println(logFileText);
       }
     }
     logFileBuffer.close();
   } catch (IOException error) {
     Routines.writeToLog(servletName, "Problem with log file : " + error, false, context);
   }
   Routines.tableDataEnd(false, true, true, webPageOutput);
   Routines.tableEnd(webPageOutput);
   if (numOfLines < 20) {
     webPageOutput.println(Routines.spaceLines(20 - numOfLines));
   }
   Routines.WriteHTMLTail(request, response, webPageOutput);
 }
  /* goodB2G() - use badsource and goodsink */
  private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    Logger log_bad = Logger.getLogger("local-logger");
    data = "";

    /* parse the query string for value of 'id' */
    String id_str = null;
    StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
    while (st.hasMoreTokens()) {
      String token = st.nextToken();
      int i = token.indexOf("=");
      if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
        id_str = token.substring(i + 1);
        break;
      }
    }

    if (id_str != null) {
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      try {
        int id = Integer.parseInt(id_str);
        conn = IO.getDBConnection();
        statement = conn.prepareStatement("select * from pages where id=?");
        /* FLAW: no check to see whether the user has privileges to view the data */
        statement.setInt(1, id);
        rs = statement.executeQuery();
        data = rs.toString();
      } catch (SQLException se) {
        log_bad.warning("Error");
      } finally {
        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    }

    if (!data.equals("Testing.test")
        && /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
      return;
    }

    Class<?> c = Class.forName(data);
    Object instance = c.newInstance();

    IO.writeLine(instance.toString());
  }
  /* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch  */
  private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    int data;
    switch (6) {
      case 6:
        {
          Logger log_bad = Logger.getLogger("local-logger");
          /* init Data$ */
          data = -1;
          /* parse the query string for value of 'id' */
          String id_str = null;
          StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
          while (st.hasMoreTokens()) {
            String token = st.nextToken();
            int i = token.indexOf("=");
            if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
              id_str = token.substring(i + 1);
              break;
            }
          }
          if (id_str != null) {
            Connection conn = null;
            PreparedStatement statement = null;
            ResultSet rs = null;
            try {
              int id = Integer.parseInt(id_str);
              conn = IO.getDBConnection();
              statement = conn.prepareStatement("select * from pages where id=?");
              /* FLAW: no check to see whether the user has privileges to view the data */
              statement.setInt(1, id);
              rs = statement.executeQuery();
              String s_data = rs.toString();
              data = Integer.parseInt(s_data.trim());
            } catch (SQLException se) {
              log_bad.warning("Error");
            } finally {
              /* clean up database objects */
              try {
                if (rs != null) {
                  rs.close();
                }
              } catch (SQLException se) {
                log_bad.warning("Error closing rs");
              } finally {
                try {
                  if (statement != null) {
                    statement.close();
                  }
                } catch (SQLException se) {
                  log_bad.warning("Error closing statement");
                } finally {
                  try {
                    if (conn != null) {
                      conn.close();
                    }
                  } catch (SQLException se) {
                    log_bad.warning("Error closing conn");
                  }
                }
              }
            }
          }
        }
        break;
      default:
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        {
          java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
          /* FIX: Use a hardcoded number that won't cause underflow, overflow,
          divide by zero, or loss-of-precision issues */
          data = 2;
        }
        break;
    }

    switch (7) {
      case 7:
        {
          /* FIX: test for a zero modulus */
          if (data != 0) {
            IO.writeLine("100%" + String.valueOf(data) + " = " + (100 % data) + "\n");
          } else {
            IO.writeLine("This would result in a modulo by zero");
          }
        }
        break;
      default:
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        {
          /* POTENTIAL FLAW: Zero modulus will cause an issue.  An integer division will
          result in an exception.  */
          IO.writeLine("100%" + String.valueOf(data) + " = " + (100 % data) + "\n");
        }
        break;
    }
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;
    if (IO.static_returns_t_or_f()) {
      Logger log_bad = Logger.getLogger("local-logger");
      data = "";
      /* parse the query string for value of 'id' */
      String id_str = null;
      StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
      while (st.hasMoreTokens()) {
        String token = st.nextToken();
        int i = token.indexOf("=");
        if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
          id_str = token.substring(i + 1);
          break;
        }
      }
      if (id_str != null) {
        Connection conn = null;
        PreparedStatement statement = null;
        ResultSet rs = null;
        try {
          int id = Integer.parseInt(id_str);
          conn = IO.getDBConnection();
          statement = conn.prepareStatement("select * from pages where id=?");
          /* FLAW: no check to see whether the user has privileges to view the data */
          statement.setInt(1, id);
          rs = statement.executeQuery();
          data = rs.toString();
        } catch (SQLException se) {
          log_bad.warning("Error");
        } finally {
          /* clean up database objects */
          try {
            if (rs != null) {
              rs.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing rs");
          } finally {
            try {
              if (statement != null) {
                statement.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing statement");
            } finally {
              try {
                if (conn != null) {
                  conn.close();
                }
              } catch (SQLException se) {
                log_bad.warning("Error closing conn");
              }
            }
          }
        }
      }
    } else {

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded string */
      data = "foo";
    }
    if (IO.static_returns_t_or_f()) {
      String names[] = data.split("-");
      int iSuccess = 0;
      Logger log2 = Logger.getLogger("local-logger");
      Connection conn_tmp2 = null;
      Statement sqlstatement = null;
      try {
        conn_tmp2 = IO.getDBConnection();
        sqlstatement = conn_tmp2.createStatement();
        for (int i = 0; i < names.length; ++i) {
          /* POTENTIAL FLAW: take user input and place into dynamic sql query */
          sqlstatement.addBatch(
              "update users set hitcount=hitcount+1 where name='" + names[i] + "'");
        }
        int dbResults[] = sqlstatement.executeBatch();
        for (int i = 0; i < names.length; ++i) {
          if (dbResults[i] > 0) {
            iSuccess++;
          }
        }
        IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
      } catch (SQLException se) {
        log2.warning("Error getting database connection");
      } finally {
        try {
          if (sqlstatement != null) {
            sqlstatement.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlstatement");
        } finally {
          try {
            if (conn_tmp2 != null) {
              conn_tmp2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn_tmp2");
          }
        }
      }
    } else {

      String names[] = data.split("-");
      int iSuccess = 0;

      Logger log2 = Logger.getLogger("local-logger");

      Connection conn_tmp2 = null;
      PreparedStatement sqlstatement = null;

      try {
        /* FIX: use prepared sqlstatement */
        conn_tmp2 = IO.getDBConnection();
        sqlstatement =
            conn_tmp2.prepareStatement("update users set hitcount=hitcount+1 where name=?");

        for (int i = 0; i < names.length; ++i) {
          sqlstatement.setString(1, names[i]);
          sqlstatement.addBatch();
        }

        int dbResults[] = sqlstatement.executeBatch();

        for (int i = 0; i < names.length; ++i) {
          if (dbResults[i] > 0) {
            iSuccess++;
          }
        }

        IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
      } catch (SQLException se) {
        log2.warning("Error getting database connection");
      } finally {
        try {
          if (sqlstatement != null) {
            sqlstatement.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlstatement");
        } finally {
          try {
            if (conn_tmp2 != null) {
              conn_tmp2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn_tmp2");
          }
        }
      }
    }
  }
  /* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch  */
  private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    int data;
    switch (6) {
      case 6:
        {
          Logger log_bad = Logger.getLogger("local-logger");
          /* init Data$ */
          data = -1;
          /* parse the query string for value of 'id' */
          String id_str = null;
          StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
          while (st.hasMoreTokens()) {
            String token = st.nextToken();
            int i = token.indexOf("=");
            if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
              id_str = token.substring(i + 1);
              break;
            }
          }
          if (id_str != null) {
            Connection conn = null;
            PreparedStatement statement = null;
            ResultSet rs = null;
            try {
              int id = Integer.parseInt(id_str);
              conn = IO.getDBConnection();
              statement = conn.prepareStatement("select * from pages where id=?");
              /* FLAW: no check to see whether the user has privileges to view the data */
              statement.setInt(1, id);
              rs = statement.executeQuery();
              String s_data = rs.toString();
              data = Integer.parseInt(s_data.trim());
            } catch (SQLException se) {
              log_bad.warning("Error");
            } finally {
              /* clean up database objects */
              try {
                if (rs != null) {
                  rs.close();
                }
              } catch (SQLException se) {
                log_bad.warning("Error closing rs");
              } finally {
                try {
                  if (statement != null) {
                    statement.close();
                  }
                } catch (SQLException se) {
                  log_bad.warning("Error closing statement");
                } finally {
                  try {
                    if (conn != null) {
                      conn.close();
                    }
                  } catch (SQLException se) {
                    log_bad.warning("Error closing conn");
                  }
                }
              }
            }
          }
        }
        break;
      default:
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        {
          java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
          /* FIX: Use a hardcoded number that won't cause underflow, overflow,
          divide by zero, or loss-of-precision issues */
          data = 2;
        }
        break;
    }

    switch (7) {
      case 7:
        {
          int result = 0;
          int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */
          /* FIX: Add a check to prevent an overflow from occurring */
          if (data <= (Integer.MAX_VALUE - valueToAdd)) {
            result = (data + valueToAdd);
            IO.writeLine("result: " + result);
          } else {
            IO.writeLine("Input value is too large to perform addition.");
          }
        }
        break;
      default:
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        {
          int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */
          /* POTENTIAL FLAW: if (data+valueToAdd) > MAX_VALUE, this will overflow */
          int result = (data + valueToAdd);
          IO.writeLine("result: " + result);
        }
        break;
    }
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    /* We need to have one source outside of a for loop in order
    to prevent the Java compiler from generating an error because
    data is uninitialized */

    Logger log_bad = Logger.getLogger("local-logger");
    data = "";

    /* parse the query string for value of 'id' */
    String id_str = null;
    StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
    while (st.hasMoreTokens()) {
      String token = st.nextToken();
      int i = token.indexOf("=");
      if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
        id_str = token.substring(i + 1);
        break;
      }
    }

    if (id_str != null) {
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      try {
        int id = Integer.parseInt(id_str);
        conn = IO.getDBConnection();
        statement = conn.prepareStatement("select * from pages where id=?");
        /* FLAW: no check to see whether the user has privileges to view the data */
        statement.setInt(1, id);
        rs = statement.executeQuery();
        data = rs.toString();
      } catch (SQLException se) {
        log_bad.warning("Error");
      } finally {
        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    }

    for (int for_index_i = 0; for_index_i < 0; for_index_i++) {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
      /* FIX: Use a hardcoded string */
      data = "foo";
    }

    for (int for_index_j = 0; for_index_j < 1; for_index_j++) {
      /* POTENTIAL FLAW: Input from file not verified */
      response.addHeader("Location", "/author.jsp?lang=" + data);
    }

    for (int for_index_k = 0; for_index_k < 0; for_index_k++) {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
      /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
      data = URLEncoder.encode(data, "UTF-16");
      response.addHeader("Location", "/author.jsp?lang=" + data);
    }
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    /* We need to have one source outside of a for loop in order
     * to prevent the Java compiler from generating an error because
     * data is uninitialized
     */

    data = ""; /* initialize data in case id is not in query string */

    /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */
    {
      StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&");
      while (tokenizer.hasMoreTokens()) {
        String token = tokenizer.nextToken(); /* a token will be like "id=foo" */
        if (token.startsWith("id=")) /* check if we have the "id" parameter" */ {
          data = token.substring(3); /* set data to "foo" */
          break; /* exit while loop */
        }
      }
    }

    for (int j = 0; j < 1; j++) {
      if (data != null) {
        String names[] = data.split("-");
        int successCount = 0;
        Connection dbConnection = null;
        Statement sqlStatement = null;
        try {
          dbConnection = IO.getDBConnection();
          sqlStatement = dbConnection.createStatement();
          for (int i = 0; i < names.length; i++) {
            /* POTENTIAL FLAW: data concatenated into SQL statement used in executeBatch(), which could result in SQL Injection */
            sqlStatement.addBatch(
                "update users set hitcount=hitcount+1 where name='" + names[i] + "'");
          }
          int resultsArray[] = sqlStatement.executeBatch();
          for (int i = 0; i < names.length; i++) {
            if (resultsArray[i] > 0) {
              successCount++;
            }
          }
          IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries.");
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
        } finally {
          try {
            if (sqlStatement != null) {
              sqlStatement.close();
            }
          } catch (SQLException exceptSql) {
            IO.logger.log(Level.WARNING, "Error closing Statament", exceptSql);
          }

          try {
            if (dbConnection != null) {
              dbConnection.close();
            }
          } catch (SQLException exceptSql) {
            IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
          }
        }
      }
    }
  }
  /* goodB2G() - use badsource and goodsink*/
  private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    data = ""; /* initialize data in case id is not in query string */

    /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */
    {
      StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&");
      while (tokenizer.hasMoreTokens()) {
        String token = tokenizer.nextToken(); /* a token will be like "id=foo" */
        if (token.startsWith("id=")) /* check if we have the "id" parameter" */ {
          data = token.substring(3); /* set data to "foo" */
          break; /* exit while loop */
        }
      }
    }

    for (int k = 0; k < 1; k++) {
      if (data != null) {
        String names[] = data.split("-");
        int successCount = 0;
        Connection dbConnection = null;
        PreparedStatement sqlStatement = null;
        try {
          /* FIX: Use prepared statement and executeBatch (properly) */
          dbConnection = IO.getDBConnection();
          sqlStatement =
              dbConnection.prepareStatement("update users set hitcount=hitcount+1 where name=?");
          for (int i = 0; i < names.length; i++) {
            sqlStatement.setString(1, names[i]);
            sqlStatement.addBatch();
          }
          int resultsArray[] = sqlStatement.executeBatch();
          for (int i = 0; i < names.length; i++) {
            if (resultsArray[i] > 0) {
              successCount++;
            }
          }
          IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries.");
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
        } finally {
          try {
            if (sqlStatement != null) {
              sqlStatement.close();
            }
          } catch (SQLException exceptSql) {
            IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
          }

          try {
            if (dbConnection != null) {
              dbConnection.close();
            }
          } catch (SQLException exceptSql) {
            IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
          }
        }
      }
    }
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String dataCopy;
    {
      String data;

      data = ""; /* initialize data in case id is not in query string */

      /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */
      {
        StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&");
        while (tokenizer.hasMoreTokens()) {
          String token = tokenizer.nextToken(); /* a token will be like "id=foo" */
          if (token.startsWith("id=")) /* check if we have the "id" parameter" */ {
            data = token.substring(3); /* set data to "foo" */
            break; /* exit while loop */
          }
        }
      }

      dataCopy = data;
    }
    {
      String data = dataCopy;

      Connection dbConnection = null;
      Statement sqlStatement = null;
      ResultSet resultSet = null;

      try {
        dbConnection = IO.getDBConnection();
        sqlStatement = dbConnection.createStatement();

        /* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
        resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");

        IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
      } finally {
        try {
          if (resultSet != null) {
            resultSet.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
        }

        try {
          if (sqlStatement != null) {
            sqlStatement.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
        }

        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }
    }
  }