private void saveToDb() {
Connection con = null;
PreparedStatement pstmt = null;
try {
con = DbConnectionManager.getConnection();
pstmt = con.prepareStatement(UPDATE_WARE);
System.out.println(UPDATE_WARE);
pstmt.setString(1, StringUtils.toChinese(this.Pname));
pstmt.setString(2, StringUtils.toChinese(this.Pmodel));
pstmt.setString(3, StringUtils.toChinese(this.Pcost));
pstmt.setString(4, StringUtils.toChinese(this.Pheft));
pstmt.setString(5, StringUtils.toChinese(this.Pfacturer));
pstmt.setString(6, StringUtils.toChinese(this.Pnote));
pstmt.setInt(7, this.Status);
pstmt.setInt(8, this.Id);
pstmt.executeUpdate();
} catch (SQLException sqle) {
System.err.println("错误位置: DbWare.java:saveToDb(): " + sqle);
sqle.printStackTrace();
} finally {
try {
pstmt.close();
} catch (Exception e) {
e.printStackTrace();
}
try {
con.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
public void save(Connection conn) throws SQLException {
boolean is_new = isNew();
String query =
(is_new
? ("insert into "
+ tableName()
+ " ("
+ recordIDColumnName()
+ ",mod_count,date_entered,date_modified,name,status,product) values (?,?,?,?,?,?,?)")
: ("update "
+ tableName()
+ " set mod_count = ?, date_entered = ?, "
+ "date_modified = ?, name = ?, status = ?, product = ? where "
+ recordIDColumnName()
+ " = ?"));
int idx = 1;
PreparedStatement ps = conn.prepareStatement(query);
if (is_new) {
ps.setInt(idx++, getId().intValue());
}
int new_mod_count = mod_count.intValue() + 1;
ps.setInt(idx++, new_mod_count);
ps.setTimestamp(idx++, date_entered);
ps.setTimestamp(idx++, date_modified); // ---TODO: set to current time
ps.setString(idx++, getName());
ps.setString(idx++, getStatus());
ps.setInt(idx++, getProduct().getId().intValue());
if (!is_new) {
ps.setInt(idx++, getId().intValue());
}
ps.executeUpdate();
ps.close();
// Only increment the mod_count if there was no exception during the save.
setModCount(new Integer(new_mod_count));
}
private void DELToDb() {
Connection con = null;
PreparedStatement pstmt = null;
try {
con = DbConnectionManager.getConnection();
pstmt = con.prepareStatement(Del_ware);
System.out.println(Del_ware);
pstmt.setInt(1, this.Status);
pstmt.setInt(2, this.Id);
pstmt.executeUpdate();
} catch (SQLException sqle) {
System.err.println("错误位置: DbShop.java:DELToDb(): " + sqle);
sqle.printStackTrace();
} finally {
try {
pstmt.close();
} catch (Exception e) {
e.printStackTrace();
}
try {
con.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
private void insertIntoDb() {
Connection con = null;
PreparedStatement pstmt = null;
try {
con = DbConnectionManager.getConnection();
pstmt = con.prepareStatement(INSERT_WARE);
pstmt.setInt(1, this.Id);
pstmt.setString(2, StringUtils.toChinese(this.Pname));
pstmt.setString(3, StringUtils.toChinese(this.Pmodel));
pstmt.setString(4, StringUtils.toChinese(this.Pcost));
pstmt.setString(5, StringUtils.toChinese(this.Pheft));
pstmt.setString(6, StringUtils.toChinese(this.Pfacturer));
pstmt.setString(7, StringUtils.toChinese(this.Pnote));
pstmt.setString(8, StringUtils.toChinese(this.Createdate));
pstmt.setInt(9, this.Status);
pstmt.executeUpdate();
} catch (SQLException sqle) {
System.err.println("错误位置: Dbware:insertIntoDb()-" + sqle);
sqle.printStackTrace();
} finally {
try {
pstmt.close();
} catch (Exception e) {
e.printStackTrace();
}
try {
con.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
private void insertLog(HttpServletRequest req, Connection connection) throws SQLException {
try (PreparedStatement stmt =
connection.prepareStatement("INSERT INTO LOGGING (date,ip,url) VALUES (?,?,?)")) {
stmt.setTimestamp(1, new Timestamp((new java.util.Date()).getTime()));
stmt.setString(2, req.getRemoteAddr());
stmt.setString(3, req.getRequestURI());
stmt.executeUpdate();
}
}
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
System.out.println("Clearing changes");
Connection c = null;
try {
DriverManager.registerDriver(new AppEngineDriver());
c = DriverManager.getConnection("jdbc:google:rdbms://trmrphdn:veebirakendused/andmebaas");
String statement = "delete from kandidaat where nimi = 'Tandi Kaat'";
PreparedStatement stmt = c.prepareStatement(statement);
stmt.executeUpdate();
} catch (SQLException e) {
e.printStackTrace();
}
}
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
try {
Class.forName("com.mysql.jdbc.Driver").newInstance();
Connection con =
DriverManager.getConnection(Utility.connection, Utility.username, Utility.password);
int user_id = Integer.parseInt(request.getParameter("user_id"));
int question_id = Integer.parseInt(request.getParameter("question_id"));
int option = Integer.parseInt(request.getParameter("option"));
System.out.println("uid: " + user_id + "\nquestion: " + question_id + "\noption: " + option);
String str1 = "INSERT INTO VOTES(USER_ID, QUESTION_ID,OPTION_VOTED) VALUES (?,?,?)";
PreparedStatement prep1 = con.prepareStatement(str1);
prep1.setInt(1, user_id);
prep1.setInt(3, option);
prep1.setInt(2, question_id);
prep1.execute();
String str2 = "SELECT OPTION_" + option + " FROM ARCHIVE_VOTES WHERE QUESTION_ID=?";
PreparedStatement prep2 = con.prepareStatement(str2);
prep2.setInt(1, question_id);
int count = 0;
ResultSet rs2 = prep2.executeQuery();
if (rs2.next()) {
count = rs2.getInt("OPTION_" + option);
}
count++;
String str3 = "UPDATE ARCHIVE_VOTES SET OPTION_" + option + "=? WHERE QUESTION_ID=?";
PreparedStatement prep3 = con.prepareStatement(str3);
prep3.setInt(1, count);
prep3.setInt(2, question_id);
prep3.executeUpdate();
out.print("You Vote has been recorded! Thank you!");
System.out.println(
"Voted for question " + question_id + ", by user " + user_id + ", for option " + option);
} catch (Exception e) {
e.printStackTrace();
} finally {
out.close();
}
}
public void service(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
try {
String username = request.getParameter("t1");
String password = request.getParameter("t2");
String email = request.getParameter("t4");
String college = request.getParameter("t5");
String phone = request.getParameter("t6");
String country = request.getParameter("t7");
String languages = request.getParameter("t8");
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection con =
DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe", "system", "tiger");
PreparedStatement pst = con.prepareStatement("insert into stu_tab values(?,?,?,?,?,?,?)");
pst.setString(1, username);
pst.setString(2, password);
pst.setString(3, email);
pst.setString(4, college);
pst.setString(5, phone);
pst.setString(6, country);
pst.setString(7, languages);
int i = pst.executeUpdate();
if (i != 0) {
out.println("<html><body align=center bgcolor=#C0C0C0 text=black>");
out.println("<h3>!.. Registration Successful !..</h3>");
out.println(
"<a href=Slogin1.html style=text-decoration:none>click here</a> to go back to login page");
out.println("</body></html>");
} else {
out.println("<html><body align=center bgcolor=#C0C0C0 text=black>");
out.println("<h3>!.. Registration Failed !..</h3>");
out.println(
"<a href=Slogin1.html style=text-decoration:none>click here</a> to go back to login page");
out.println("</body></html>");
}
} catch (Exception e) {
out.println(e);
}
}
/* goodB2G() - use badsource and goodsink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data =
(new CWE89_SQL_Injection__getQueryString_Servlet_executeUpdate_61b())
.goodB2GSource(request, response);
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and executeUpdate (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlStatement.setString(1, data);
int rowCount = sqlStatement.executeUpdate();
IO.writeLine("Updated " + rowCount + " rows successfully.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
public void doGet(HttpServletRequest request, HttpServletResponse response) {
try {
String comment = request.getParameter("comment");
int answerId = Integer.parseInt(request.getParameter("answer_id"));
Connection connection = GlobalResources.getConnection();
Statement s;
s = connection.createStatement();
PreparedStatement preparedStatement;
PreparedStatement preparedStatement1;
preparedStatement =
connection.prepareStatement("insert into comment(comment,answer_id) values(?,?)");
preparedStatement.setString(1, comment);
preparedStatement.setInt(2, answerId);
preparedStatement.executeUpdate();
preparedStatement.close();
connection.close();
RequestDispatcher requestDispatcher;
requestDispatcher = request.getRequestDispatcher("/studenthome.jsp");
requestDispatcher.forward(request, response);
} catch (Exception e) {
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// I use "session" in order to throws the object named user bean.
HttpSession session = request.getSession(true);
response.setContentType("text/html");
request.setCharacterEncoding("UTF-8");
UserBean ub = (UserBean) session.getAttribute("user");
if (ub == null) {
String haveLogin = "******";
session.setAttribute("haveLogin", haveLogin);
response.sendRedirect("cart");
} else {
String mID = ub.getmID();
String iID = (String) request.getParameter("iID");
// String idx = (String)request.getParameter("idx");
Connection conn = null;
try {
// Getting the connection from database.
Class.forName("com.mysql.jdbc.Driver");
/*conn = DriverManager
.getConnection("jdbc:mysql://localhost/se?"
+ "user=root");*/
conn =
DriverManager.getConnection(
"jdbc:mysql://localhost/user_register?"
+ "user=sqluser&password=sqluserpw&useUnicode=true&characterEncoding=UTF-8");
String sql = "delete from cart_item_mapping where mID=? and iID = ?";
PreparedStatement pst = conn.prepareStatement(sql);
// Using preparedstatement by set the parameter related to "?" symbol.
pst.setString(1, mID);
pst.setString(2, iID);
pst.executeUpdate();
pst.close();
response.sendRedirect("ShowCartController");
} catch (Exception e) {
e.printStackTrace();
}
}
}
/* goodB2G() - use badsource and goodsink */
public void goodB2G_sink(Object data_obj) throws Throwable {
String data = (String) data_obj;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
PreparedStatement sqlstatement = null;
try {
/* FIX: use prepared sqlstatement */
conn_tmp2 = IO.getDBConnection();
sqlstatement =
conn_tmp2.prepareStatement("insert into users (status) values ('updated') where name=?");
sqlstatement.setString(1, data);
int iResult = sqlstatement.executeUpdate();
IO.writeString("Updated " + iResult + " rows successfully.");
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
protected static void clear() {
Connection con = null;
PreparedStatement pstmt = null;
try {
con = DbConnectionManager.getConnection();
pstmt = con.prepareStatement(CLEAR_WARE);
pstmt.executeUpdate();
} catch (SQLException sqle) {
System.err.println("SQLException in DbTChatRooms.java:clearTChatRooms(): " + sqle);
sqle.printStackTrace();
} finally {
try {
pstmt.close();
} catch (Exception e) {
e.printStackTrace();
}
try {
con.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
/* goodB2G() - use badsource and goodsink */
public void goodB2GSink() throws Throwable {
String data = CWE89_SQL_Injection__Environment_executeUpdate_68a.data;
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and executeUpdate (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlStatement.setString(1, data);
int rowCount = sqlStatement.executeUpdate();
IO.writeLine("Updated " + rowCount + " rows successfully.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
public void _jspService(HttpServletRequest request, HttpServletResponse response)
throws java.io.IOException, ServletException {
PageContext pageContext = null;
HttpSession session = null;
ServletContext application = null;
ServletConfig config = null;
JspWriter out = null;
Object page = this;
JspWriter _jspx_out = null;
PageContext _jspx_page_context = null;
try {
response.setContentType("text/html");
pageContext = _jspxFactory.getPageContext(this, request, response, null, true, 8192, true);
_jspx_page_context = pageContext;
application = pageContext.getServletContext();
config = pageContext.getServletConfig();
session = pageContext.getSession();
out = pageContext.getOut();
_jspx_out = out;
out.write("\n");
out.write("\n");
out.write("\n");
out.write("\n");
out.write("\n");
out.write("<!--%@ page errorPage=\"/error.jsp\" %-->\n");
response.setHeader("Pragma", "no-cache"); // HTTP 1.0
response.setDateHeader("Expires", 0);
response.setHeader("Cache-Control", "no-cache"); // HTTP 1.1
String _adminid = "";
String _adminname = "";
String _admintype = "";
String _admingroup = "";
String _approval = "";
String _adminclass = "";
String _adminmail = "";
try {
_adminid = (String) session.getAttribute("adminid");
if (_adminid == null || _adminid.length() == 0 || _adminid.equals("null")) {
response.sendRedirect("/admin/login_first.html");
return;
}
_adminname = (String) session.getAttribute("adminname");
_admintype = (String) session.getAttribute("admintype");
_admingroup = (String) session.getAttribute("admingroup");
_approval = (String) session.getAttribute("approval");
_adminclass = (String) session.getAttribute("adminclass");
_adminmail = (String) session.getAttribute("admin_email");
// session.setMaxInactiveInterval(60*60);
} catch (Exception e) {
response.sendRedirect("/admin/login_first.html");
return;
}
out.write('\n');
out.write('\n');
out.write('\n');
String password = request.getParameter("password");
String fromURL = request.getParameter("fromURL");
String oldPassword = "";
String sql = "";
int iCnt = 0;
boolean isSucceeded = false;
String strMsg = "";
Connection conn = null;
MatrixDataSet matrix = null;
DataProcess dataProcess = null;
PreparedStatement pstmt = null;
String targetUrl = "";
try {
if (password.equals("1111")) {
throw new UserDefinedException(
"The new password is not acceptable. Change your password.");
}
Context ic = new InitialContext();
DataSource ds = (DataSource) ic.lookup("java:comp/env/jdbc/scm");
conn = ds.getConnection();
matrix = new dbconn.MatrixDataSet();
dataProcess = new DataProcess();
sql =
" select password " + " from admin_01t " + " where adminid = '" + _adminid + "' ";
iCnt = dataProcess.RetrieveData(sql, matrix, conn);
if (iCnt > 0) {
oldPassword = matrix.getRowData(0).getData(0);
} else {
throw new UserDefinedException("Can't find User Information.");
}
if (password.equals(oldPassword)) {
throw new UserDefinedException(
"The new password is not acceptable. Change your password.");
}
// update ó¸®...
int idx = 0;
conn.setAutoCommit(false);
sql =
" update admin_01t "
+ " set password = ?, pw_date = sysdate() "
+ " where adminid = ? ";
pstmt = conn.prepareStatement(sql);
pstmt.setString(++idx, password);
pstmt.setString(++idx, _adminid);
iCnt = pstmt.executeUpdate();
if (iCnt != 1) {
throw new UserDefinedException("Password update failed.");
}
conn.commit();
isSucceeded = true;
} catch (UserDefinedException ue) {
try {
conn.rollback();
} catch (Exception ex) {
}
strMsg = ue.getMessage();
} catch (Exception e) {
try {
conn.rollback();
} catch (Exception ex) {
}
System.out.println("Exception /admin/resetAdminPasswd : " + e.getMessage());
throw e;
} finally {
if (pstmt != null) {
try {
pstmt.close();
} catch (Exception e) {
}
}
if (conn != null) {
try {
conn.setAutoCommit(true);
} catch (Exception e) {
}
conn.close();
}
}
// °á°ú ¸Þ½ÃÁö ó¸®
if (isSucceeded) {
// where to go?
if (fromURL.equals("menu")) {
targetUrl = "";
} else {
targetUrl = "/admin/index2.jsp";
}
strMsg = "The data are successfully processed.";
} else {
strMsg = "The operation failed.\\n" + strMsg;
targetUrl = "/admin/resetAdminPasswdForm.jsp";
}
out.write("\n");
out.write("<html>\n");
out.write("<head>\n");
out.write("<title></title>\n");
out.write("<link href=\"/common/css/style.css\" rel=\"stylesheet\" type=\"text/css\">\n");
out.write("</head>\n");
out.write("<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0'>\n");
out.write("<form name=\"form1\" method=\"post\" action=\"");
out.print(targetUrl);
out.write("\">\n");
out.write("<input type='hidden' name='fromURL' value='");
out.print(fromURL);
out.write("'>\n");
out.write("</form>\n");
out.write("<script language=\"javascript\">\n");
if (targetUrl.length() > 0) {
out.write("\n");
out.write(" alert('");
out.print(strMsg);
out.write("');\n");
out.write(" document.form1.submit();\n");
}
out.write("\n");
out.write("</script>\n");
out.write("<table width='840' border='0' cellspacing='0' cellpadding='0'><tr><td>\n");
out.write("\n");
out.write("<table width='99%' border='0' cellspacing='0' cellpadding='0'>\n");
out.write("<tr>\n");
out.write(" <td height='15' colspan='2'></td>\n");
out.write("</tr>\n");
out.write("<tr>\n");
out.write(" <td width='3%'><img src='/img/title_icon.gif'></td>\n");
out.write(" <td width='*' class='left_title'>Password Change</td>\n");
out.write("</tr>\n");
out.write("<tr>\n");
out.write(" <td width='100%' height='2' colspan='2'><hr width='100%'></td>\n");
out.write("</tr>\n");
out.write("<tr>\n");
out.write(" <td height='10' colspan='2'></td>\n");
out.write("</tr>\n");
out.write("</table>\n");
out.write("\n");
out.write("<table width='90%' border='0' cellspacing='0' cellpadding='0' align='center'>\n");
out.write("<tr>\n");
out.write(" <td width='100%' align='center'><img border=\"0\" src=\"/img/pass.jpg\">\n");
out.write(" <br><br>\n");
out.write(" <b>The Password has been changed successfully.</b></td>\n");
out.write("</tr>\n");
out.write("</table>\n");
out.println(CopyRightLogo());
out.write("\n");
out.write("</tr></td></table>\n");
out.write("</body>\n");
out.write("</html>");
} catch (Throwable t) {
if (!(t instanceof SkipPageException)) {
out = _jspx_out;
if (out != null && out.getBufferSize() != 0)
try {
out.clearBuffer();
} catch (java.io.IOException e) {
}
if (_jspx_page_context != null) _jspx_page_context.handlePageException(t);
}
} finally {
_jspxFactory.releasePageContext(_jspx_page_context);
}
}
public void _jspService(HttpServletRequest request, HttpServletResponse response)
throws java.io.IOException, ServletException {
PageContext pageContext = null;
HttpSession session = null;
ServletContext application = null;
ServletConfig config = null;
JspWriter out = null;
Object page = this;
JspWriter _jspx_out = null;
PageContext _jspx_page_context = null;
try {
response.setContentType("text/html;charset=UTF-8");
pageContext = _jspxFactory.getPageContext(this, request, response, null, true, 8192, true);
_jspx_page_context = pageContext;
application = pageContext.getServletContext();
config = pageContext.getServletConfig();
session = pageContext.getSession();
out = pageContext.getOut();
_jspx_out = out;
_jspx_resourceInjector =
(org.glassfish.jsp.api.ResourceInjector)
application.getAttribute("com.sun.appserv.jsp.resource.injector");
out.write("\n");
out.write("\n");
out.write("\n");
out.write("\n");
out.write("\n");
out.write("\n");
out.write("\n");
out.write("\n");
out.write("<!DOCTYPE html>\n");
out.write("<html>\n");
out.write(" <head>\n");
out.write(
" <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\n");
out.write(" <title>Fine</title>\n");
out.write(" <link rel=\"stylesheet\" type=\"text/css\" href=\"style.css\"> \n");
out.write("\n");
out.write(" </head>\n");
out.write(" <body style = \"background-image: url(lib2.jpg)\"> \n");
out.write(" <center>\n");
out.write(" <h1>Update Fines information</h1>\n");
out.write(" <form name=\"Update\" action=\"Fines_upd.jsp\">\n");
out.write(" <table border=\"0\" width=\"3\" cellspacing=\"2\">\n");
out.write(" <thead>\n");
out.write(" <tr>\n");
out.write(" <th>Update Fines</th>\n");
out.write(" <th></th>\n");
out.write(" </tr>\n");
out.write(" </thead>\n");
out.write(" <tbody>\n");
out.write(" <tr>\n");
out.write(" <td>Update Fine table with todays Data</td>\n");
out.write(
" <td><input type=\"submit\" value=\"Update / View Fines\" name=\"SUBMIT\"/></td>\n");
out.write(" </tr>\n");
out.write(" </tbody>\n");
out.write(" </table> \n");
out.write(" </form>\n");
out.write(" <h1>Check your Fines Here</h1>\n");
out.write(" <form name=\"Fines\" action=\"Fines.jsp\">\n");
out.write(" <table border=\"0\" width=\"3\" cellspacing=\"2\">\n");
out.write(" <thead>\n");
out.write(" <tr>\n");
out.write(" <th>Get Fine Details</th>\n");
out.write(" <th></th>\n");
out.write(" </tr>\n");
out.write(" </thead>\n");
out.write(" <tbody>\n");
out.write(" <tr>\n");
out.write(" <td>Card No</td>\n");
out.write(
" <td><input type=\"text\" name=\"Card_no\" value=\"\"/></td>\n");
out.write(" </tr>\n");
out.write(" <tr>\n");
out.write(" <td></td>\n");
out.write(
" <td><input type=\"submit\" value=\"Get Fines\" name=\"SUBMIT\" /></td>\n");
out.write(" </tr>\n");
out.write(" </tbody>\n");
out.write(" </table> \n");
out.write(" ");
Connection con = null;
String[] selected_Checkboxes = request.getParameterValues("chk");
PreparedStatement pst = null;
ResultSet result = null;
ResultSet resUpd = null;
con =
DriverManager.getConnection(
"jdbc:mysql://localhost:3306/lbms_db?zeroDateTimeBehavior=convertToNull",
"root",
"admin12");
String Card_no = request.getParameter("Card_no");
String button = null;
Date dt = new Date();
SimpleDateFormat sdf = new SimpleDateFormat("yyyy/MM/dd");
String current_date = sdf.format(dt);
if (Card_no != null && selected_Checkboxes == null) {
String selSql =
"SELECT l.card_no, SUM(f.fine_amt) AS total_fine, f.paid "
+ "FROM book_loans l, fines f "
+ "WHERE l.loan_id = f.loan_id AND "
+ "l.card_no = "
+ Card_no
+ " "
+ "GROUP BY l.card_no";
pst = con.prepareStatement(selSql);
result = pst.executeQuery();
String box = null;
String paid;
String pay;
Boolean chk = false;
out.println("<table>");
pay = "<form action='Fines.jsp'>";
out.println(pay);
out.println("<tr>");
out.println("<th>Card No</th>");
out.println("<th>Fine_Amt</th>");
out.println("<th>Paid OR Not</th>");
out.println("</tr>");
while (result.next()) {
chk = true;
paid = "No";
if (result.getBoolean("f.paid")) {
paid = "Yes";
}
out.println("<tr>");
out.println(
"<td>"
+ result.getInt("l.card_no")
+ "</td><td>"
+ result.getString("total_fine")
+ "</td><td>"
+ paid
+ "</td>");
out.print("<td>");
box = "<input name='chk' value=" + result.getInt("l.card_no") + " type='checkbox'>";
out.print(box);
out.print("</td>");
out.print("</tr>");
}
if (chk == true) {
out.println("<tr>");
out.print("<td>");
button = "<input type='submit' value='Pay Fine' name='Pay'>";
out.print(button);
out.print("</td>");
out.println("</tr>");
} else {
out.write(
"<dialog open> <font color = 'green'>No Fine information. You owe nothing! Thank You</font> </dialog>");
}
out.println("</form>");
out.println("</table>");
} else if (selected_Checkboxes != null) {
String sqlLoan = null;
ResultSet resultLoan = null;
String sqlUpdFine = null;
PreparedStatement pstUpd = null;
String sqlBook = null;
ResultSet rsltBook = null;
char chkouts = 'N';
int length_chk = selected_Checkboxes.length;
for (int i = 0; i < length_chk; i++) {
// Check whether the Book is returned before paying the fine.
sqlBook =
"SELECT COUNT(loan_id) AS no_chkouts FROM book_loans WHERE card_no = "
+ selected_Checkboxes[i]
+ " AND date_in = '0000-00-00' AND due_date < "
+ current_date
+ "";
pst = con.prepareStatement(sqlBook);
rsltBook = pst.executeQuery();
while (rsltBook.next()) {
if (rsltBook.getInt("no_chkouts") > 0) {
chkouts = 'Y';
}
}
if (chkouts == 'Y') {
out.write(
"<dialog open> <font color = 'red'>You have outstanding due checkouts!. Please return the books and then Pay the fine</font> </dialog>");
}
// Get the corresponding loan_Ids for each customer from Fines table
sqlLoan =
"SELECT loan_id FROM book_loans WHERE card_no = "
+ selected_Checkboxes[i]
+ " AND date_in IS NOT NULL AND due_date < date_in";
pst = con.prepareStatement(sqlLoan);
resultLoan = pst.executeQuery();
while (resultLoan.next()) {
sqlUpdFine =
"UPDATE fines SET paid = true WHERE loan_id = " + resultLoan.getInt("loan_id") + "";
pstUpd = con.prepareStatement(sqlUpdFine);
pstUpd.executeUpdate();
out.println("Payment Updated Successfully");
}
}
}
out.write("\n");
out.write(" </form> \n");
out.write(" </center>\n");
out.write("</body>\n");
out.write("</html>\n");
} catch (Throwable t) {
if (!(t instanceof SkipPageException)) {
out = _jspx_out;
if (out != null && out.getBufferSize() != 0) out.clearBuffer();
if (_jspx_page_context != null) _jspx_page_context.handlePageException(t);
else throw new ServletException(t);
}
} finally {
_jspxFactory.releasePageContext(_jspx_page_context);
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
String data;
if (5 == 5) {
data = ""; /* Initialize data */
{
File file = new File("C:\\data.txt");
FileInputStream streamFileInput = null;
InputStreamReader readerInputStream = null;
BufferedReader readerBuffered = null;
try {
/* read string from file into data */
streamFileInput = new FileInputStream(file);
readerInputStream = new InputStreamReader(streamFileInput, "UTF-8");
readerBuffered = new BufferedReader(readerInputStream);
/* POTENTIAL FLAW: Read data from a file */
/* This will be reading the first "line" of the file, which
* could be very long if there are little or no newlines in the file */
data = readerBuffered.readLine();
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* Close stream reading objects */
try {
if (readerBuffered != null) {
readerBuffered.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStream != null) {
readerInputStream.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
try {
if (streamFileInput != null) {
streamFileInput.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (5 == 5) {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and executeUpdate (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlStatement.setString(1, data);
int rowCount = sqlStatement.executeUpdate();
IO.writeLine("Updated " + rowCount + " rows successfully.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}