public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* We need to have one source outside of a for loop in order to prevent the Java compiler from generating an error because data is uninitialized */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* parse the query string for value of 'id' */ String id_str = null; StringTokenizer st = new StringTokenizer(request.getQueryString(), "&"); while (st.hasMoreTokens()) { String token = st.nextToken(); int i = token.indexOf("="); if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) { id_str = token.substring(i + 1); break; } } if (id_str != null) { Connection conn = null; PreparedStatement statement = null; ResultSet rs = null; try { int id = Integer.parseInt(id_str); conn = IO.getDBConnection(); statement = conn.prepareStatement("select * from pages where id=?"); /* FLAW: no check to see whether the user has privileges to view the data */ statement.setInt(1, id); rs = statement.executeQuery(); data = rs.toString(); } catch (SQLException se) { log_bad.warning("Error"); } finally { /* clean up database objects */ try { if (rs != null) { rs.close(); } } catch (SQLException se) { log_bad.warning("Error closing rs"); } finally { try { if (statement != null) { statement.close(); } } catch (SQLException se) { log_bad.warning("Error closing statement"); } finally { try { if (conn != null) { conn.close(); } } catch (SQLException se) { log_bad.warning("Error closing conn"); } } } } } for (int for_index_i = 0; for_index_i < 0; for_index_i++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } for (int for_index_j = 0; for_index_j < 1; for_index_j++) { /* POTENTIAL FLAW: Input from file not verified */ response.addHeader("Location", "/author.jsp?lang=" + data); } for (int for_index_k = 0; for_index_k < 0; for_index_k++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ data = URLEncoder.encode(data, "UTF-16"); response.addHeader("Location", "/author.jsp?lang=" + data); } }