Пример #1
0
  /**
   * Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
   *
   * @param request servlet request
   * @param response servlet response
   * @throws ServletException if a servlet-specific error occurs
   * @throws IOException if an I/O error occurs
   */
  protected void processRequest(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    Statement stmt;
    ResultSet rs;
    Connection con = null;

    try {
      Class.forName("com.mysql.jdbc.Driver");
      String connectionUrl = "jdbc:mysql://localhost/myflickr?" + "user=root&password=123456";
      con = DriverManager.getConnection(connectionUrl);

      if (con != null) {
        System.out.println("connected to mysql");
      }
    } catch (SQLException e) {
      System.out.println("SQL Exception: " + e.toString());
    } catch (ClassNotFoundException cE) {
      System.out.println("Class Not Found Exception: " + cE.toString());
    }

    try {
      stmt = con.createStatement();

      System.out.println("SELECT * FROM flickrusers WHERE name='" + username + "'");
      rs = stmt.executeQuery("SELECT * FROM flickrusers WHERE name='" + username + "'");

      while (rs.next()) {

        if (rs.getObject(1).toString().equals(username)) {

          out.println("<h1>To username pou epileksate uparxei hdh</h1>");
          out.println("<a href=\"project3.html\">parakalw dokimaste kapoio allo.</a>");

          stmt.close();
          rs.close();
          return;
        }
      }
      stmt.close();
      rs.close();

      stmt = con.createStatement();

      if (!stmt.execute("INSERT INTO flickrusers VALUES('" + username + "', '" + password + "')")) {
        out.println("<h1>Your registration is completed  " + username + "</h1>");
        out.println("<a href=\"index.jsp\">go to the login menu</a>");
        registerListener.Register(username);
      } else {
        out.println("<h1>To username pou epileksate uparxei hdh</h1>");
        out.println("<a href=\"project3.html\">Register</a>");
      }
    } catch (SQLException e) {
      throw new ServletException("Servlet Could not display records.", e);
    }
  }
Пример #2
0
  /**
   * Determine whether or a not a User with the supplied researcherID exists
   *
   * @param username The researcherID to test
   * @return true if the user exists, false if not
   * @throws SQLException if a database error was encountered
   */
  public static boolean userExists(int researcherID) throws SQLException {
    boolean returnVal = false;

    // Get our connection to the database.
    Connection conn = DBConnectionManager.getConnection("yrc");
    PreparedStatement stmt = null;
    ResultSet rs = null;

    try {
      stmt = conn.prepareStatement("SELECT researcherID FROM tblUsers WHERE researcherID = ?");
      stmt.setInt(1, researcherID);

      rs = stmt.executeQuery();

      // No rows returned.
      if (!rs.next()) {
        returnVal = false;
      } else {
        returnVal = true;
      }

      rs.close();
      rs = null;

      stmt.close();
      stmt = null;

      conn.close();
      conn = null;
    } finally {

      // Always make sure result sets and statements are closed,
      // and the connection is returned to the pool
      if (rs != null) {
        try {
          rs.close();
        } catch (SQLException e) {;
        }
        rs = null;
      }
      if (stmt != null) {
        try {
          stmt.close();
        } catch (SQLException e) {;
        }
        stmt = null;
      }
      if (conn != null) {
        try {
          conn.close();
        } catch (SQLException e) {;
        }
        conn = null;
      }
    }

    return returnVal;
  }
Пример #3
0
  public String checkValidLogin(String myUserName, String myPW) {

    try {
      Class.forName(javaSQLDriverPath);
      Connection conn =
          (Connection) DriverManager.getConnection(ConnectionPath, ConnectionUser, ConnectionPW);
      Statement st = conn.createStatement();
      String query = "Select * from User";

      ResultSet rs = st.executeQuery(query);
      while (rs.next()) {
        // return rs.getString("Username");
        if (myUserName.equals(rs.getString("Username"))) {
          if (myPW.equals(rs.getString("Password"))) {
            setUserVariables(myUserName);
            return "success";
          } else {
            return "wrongPassword";
          }
        }
      }

      rs.close();
      st.close();
      conn.close();

      return "userNotFound";
    } catch (Exception e) {

      return e.getMessage();
    }
  }
  /* goodB2G1() - use badsource and goodsink by changing second IO.staticTrue to IO.staticFalse */
  private void goodB2G1() throws Throwable {
    String data;
    if (IO.staticTrue) {
      /* get environment variable ADD */
      /* POTENTIAL FLAW: Read data from an environment variable */
      data = System.getenv("ADD");
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
       * but ensure data is inititialized before the Sink to avoid compiler errors */
      data = null;
    }

    if (IO.staticFalse) {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
      IO.writeLine("Benign, fixed string");
    } else {

      Connection dbConnection = null;
      PreparedStatement sqlStatement = null;
      ResultSet resultSet = null;

      try {
        /* FIX: Use prepared statement and executeQuery (properly) */
        dbConnection = IO.getDBConnection();
        sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
        sqlStatement.setString(1, data);

        resultSet = sqlStatement.executeQuery();

        IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
      } finally {
        try {
          if (resultSet != null) {
            resultSet.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
        }

        try {
          if (sqlStatement != null) {
            sqlStatement.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
        }

        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }
    }
  }
  /* goodG2B() - use goodsource and badsink */
  private void goodG2B() throws Throwable {
    String data_copy;
    {
      String data;

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded string */
      data = "foo";

      data_copy = data;
    }
    {
      String data = data_copy;

      Logger log2 = Logger.getLogger("local-logger");

      Connection conn_tmp2 = null;
      Statement sqlstatement = null;
      ResultSet sqlrs = null;

      try {
        conn_tmp2 = IO.getDBConnection();
        sqlstatement = conn_tmp2.createStatement();

        /* POTENTIAL FLAW: take user input and place into dynamic sql query */
        sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");

        IO.writeString(sqlrs.toString());
      } catch (SQLException se) {
        log2.warning("Error getting database connection");
      } finally {
        try {
          if (sqlrs != null) {
            sqlrs.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlrs");
        } finally {
          try {
            if (sqlstatement != null) {
              sqlstatement.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing sqlstatement");
          } finally {
            try {
              if (conn_tmp2 != null) {
                conn_tmp2.close();
              }
            } catch (SQLException e) {
              log2.warning("Error closing conn_tmp2");
            }
          }
        }
      }
    }
  }
  /* goodG2B() - use goodsource and badsink */
  private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String dataCopy;
    {
      String data;

      /* FIX: Use a hardcoded string */
      data = "foo";

      dataCopy = data;
    }
    {
      String data = dataCopy;

      Connection dbConnection = null;
      Statement sqlStatement = null;
      ResultSet resultSet = null;

      try {
        dbConnection = IO.getDBConnection();
        sqlStatement = dbConnection.createStatement();

        /* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
        resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");

        IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
      } finally {
        try {
          if (resultSet != null) {
            resultSet.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
        }

        try {
          if (sqlStatement != null) {
            sqlStatement.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
        }

        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }
    }
  }
 public ActionForward execute(
     ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res)
     throws Exception {
   ServiceDataForm obj = (ServiceDataForm) form;
   String serviceId = obj.getServiceId();
   CalculateService obj2 = new CalculateService();
   obj2.calculate(serviceId);
   Connection con = null;
   Class.forName(ConnectionStats.DRIVER);
   String url = ConnectionStats.DB_URL;
   String usr = ConnectionStats.DB_USER;
   String pwd = ConnectionStats.DB_PASSWORD;
   con = DriverManager.getConnection(url, usr, pwd);
   Statement stmt = con.createStatement();
   ResultSet rs = null;
   rs = stmt.executeQuery("select * from " + serviceId + "_main");
   ResultSetMetaData rsmd = rs.getMetaData();
   int col = rsmd.getColumnCount();
   String[] mainHeader = new String[col];
   for (int i = 0; i < col; i++) {
     mainHeader[i] = rsmd.getColumnLabel(i + 1);
   }
   ArrayList<String[]> serviceDataMain = new ArrayList<String[]>();
   while (rs.next()) {
     String[] str = new String[col];
     for (int i = 0; i < col; i++) {
       str[i] = rs.getString(i + 1);
     }
     serviceDataMain.add(str);
   }
   req.setAttribute("mainHeader", mainHeader);
   req.setAttribute("serviceDataMain", serviceDataMain);
   rs = stmt.executeQuery("select * from " + serviceId + "_tbl");
   rsmd = rs.getMetaData();
   col = rsmd.getColumnCount();
   String[] tblHeader = new String[col];
   for (int i = 0; i < col; i++) {
     tblHeader[i] = rsmd.getColumnLabel(i + 1);
   }
   ArrayList<String[]> serviceDatatbl = new ArrayList<String[]>();
   while (rs.next()) {
     String[] str = new String[col];
     for (int i = 0; i < col; i++) {
       str[i] = rs.getString(i + 1);
     }
     serviceDatatbl.add(str);
   }
   req.setAttribute("tblHeader", tblHeader);
   req.setAttribute("serviceDatatbl", serviceDatatbl);
   rs.close();
   con.close();
   return mapping.findForward("success");
 }
  /* goodG2B1() - use goodsource and badsink by changing first IO.STATIC_FINAL_FIVE==5 to IO.STATIC_FINAL_FIVE!=5 */
  private void goodG2B1() throws Throwable {
    String data;
    if (IO.STATIC_FINAL_FIVE != 5) {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
       * but ensure data is inititialized before the Sink to avoid compiler errors */
      data = null;
    } else {

      /* FIX: Use a hardcoded string */
      data = "foo";
    }

    if (IO.STATIC_FINAL_FIVE == 5) {
      Connection dbConnection = null;
      Statement sqlStatement = null;
      ResultSet resultSet = null;
      try {
        dbConnection = IO.getDBConnection();
        sqlStatement = dbConnection.createStatement();
        /* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
        resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
        IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
      } finally {
        try {
          if (resultSet != null) {
            resultSet.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
        }

        try {
          if (sqlStatement != null) {
            sqlStatement.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
        }

        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }
    }
  }
  public void bad() throws Throwable {
    String data;
    if (IO.staticTrue) {
      /* get environment variable ADD */
      /* POTENTIAL FLAW: Read data from an environment variable */
      data = System.getenv("ADD");
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
       * but ensure data is inititialized before the Sink to avoid compiler errors */
      data = null;
    }

    if (IO.staticTrue) {
      Connection dbConnection = null;
      Statement sqlStatement = null;
      ResultSet resultSet = null;
      try {
        dbConnection = IO.getDBConnection();
        sqlStatement = dbConnection.createStatement();
        /* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
        resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
        IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
      } finally {
        try {
          if (resultSet != null) {
            resultSet.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
        }

        try {
          if (sqlStatement != null) {
            sqlStatement.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
        }

        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }
    }
  }
  /* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */
  public void goodB2G1Sink(String data) throws Throwable {
    if (CWE89_SQL_Injection__connect_tcp_executeQuery_22a.goodB2G1PublicStatic) {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
       * but ensure data is inititialized before the Sink to avoid compiler errors */
      data = null;
    } else {

      Connection dbConnection = null;
      PreparedStatement sqlStatement = null;
      ResultSet resultSet = null;

      try {
        /* FIX: Use prepared statement and executeQuery (properly) */
        dbConnection = IO.getDBConnection();
        sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
        sqlStatement.setString(1, data);

        resultSet = sqlStatement.executeQuery();

        IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
      } finally {
        try {
          if (resultSet != null) {
            resultSet.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
        }

        try {
          if (sqlStatement != null) {
            sqlStatement.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
        }

        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }
    }
  }
  private void goodB2G1Sink(String data) throws Throwable {
    if (goodB2G1Private) {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
      IO.writeLine("Benign, fixed string");
    } else {

      Connection dbConnection = null;
      PreparedStatement sqlStatement = null;
      ResultSet resultSet = null;

      try {
        /* FIX: Use prepared statement and executeQuery (properly) */
        dbConnection = IO.getDBConnection();
        sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
        sqlStatement.setString(1, data);

        resultSet = sqlStatement.executeQuery();

        IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
      } finally {
        try {
          if (resultSet != null) {
            resultSet.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
        }

        try {
          if (sqlStatement != null) {
            sqlStatement.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
        }

        try {
          if (dbConnection != null) {
            dbConnection.close();
          }
        } catch (SQLException exceptSql) {
          IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
        }
      }
    }
  }
Пример #12
0
  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    // get a connection
    ConnectionPool pool = ConnectionPool.getInstance();
    Connection connection = pool.getConnection();

    String sqlStatement = request.getParameter("sqlStatement");
    String sqlResult = "";
    try {
      // create a statement
      Statement statement = connection.createStatement();

      // parse the SQL string
      sqlStatement = sqlStatement.trim();
      if (sqlStatement.length() >= 6) {
        String sqlType = sqlStatement.substring(0, 6);
        if (sqlType.equalsIgnoreCase("select")) {
          // create the HTML for the result set
          ResultSet resultSet = statement.executeQuery(sqlStatement);
          sqlResult = SQLUtil.getHtmlTable(resultSet);
          resultSet.close();
        } else {
          int i = statement.executeUpdate(sqlStatement);
          if (i == 0) {
            sqlResult = "<p>The statement executed successfully.</p>";
          } else { // an INSERT, UPDATE, or DELETE statement
            sqlResult = "<p>The statement executed successfully.<br>" + i + " row(s) affected.</p>";
          }
        }
      }
      statement.close();
      connection.close();
    } catch (SQLException e) {
      sqlResult = "<p>Error executing the SQL statement: <br>" + e.getMessage() + "</p>";
    } finally {
      pool.freeConnection(connection);
    }

    HttpSession session = request.getSession();
    session.setAttribute("sqlResult", sqlResult);
    session.setAttribute("sqlStatement", sqlStatement);

    String url = "/index.jsp";
    getServletContext().getRequestDispatcher(url).forward(request, response);
  }
  /* goodB2G() - use badsource and goodsink */
  public void goodB2G_sink(String data, HttpServletRequest request, HttpServletResponse response)
      throws Throwable {

    Logger log2 = Logger.getLogger("local-logger");

    Connection conn_tmp2 = null;
    PreparedStatement sqlstatement = null;
    ResultSet sqlrs = null;

    try {
      /* FIX: use prepared sqlstatement */
      conn_tmp2 = IO.getDBConnection();
      sqlstatement = conn_tmp2.prepareStatement("select * from users where name=?");
      sqlstatement.setString(1, data);

      sqlrs = sqlstatement.executeQuery();

      IO.writeString(sqlrs.toString());
    } catch (SQLException se) {
      log2.warning("Error getting database connection");
    } finally {
      try {
        if (sqlrs != null) {
          sqlrs.close();
        }
      } catch (SQLException e) {
        log2.warning("Error closing sqlrs");
      } finally {
        try {
          if (sqlstatement != null) {
            sqlstatement.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlstatement");
        } finally {
          try {
            if (conn_tmp2 != null) {
              conn_tmp2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn_tmp2");
          }
        }
      }
    }
  }
  /* goodG2B() - use goodsource and badsink */
  public void goodG2B_sink(String data, HttpServletRequest request, HttpServletResponse response)
      throws Throwable {

    Logger log2 = Logger.getLogger("local-logger");

    Connection conn_tmp2 = null;
    Statement sqlstatement = null;
    ResultSet sqlrs = null;

    try {
      conn_tmp2 = IO.getDBConnection();
      sqlstatement = conn_tmp2.createStatement();

      /* POTENTIAL FLAW: take user input and place into dynamic sql query */
      sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");

      IO.writeString(sqlrs.toString());
    } catch (SQLException se) {
      log2.warning("Error getting database connection");
    } finally {
      try {
        if (sqlrs != null) {
          sqlrs.close();
        }
      } catch (SQLException e) {
        log2.warning("Error closing sqlrs");
      } finally {
        try {
          if (sqlstatement != null) {
            sqlstatement.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlstatement");
        } finally {
          try {
            if (conn_tmp2 != null) {
              conn_tmp2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn_tmp2");
          }
        }
      }
    }
  }
  /* goodB2G() - use BadSource and GoodSink */
  public void goodB2GSink(HashMap<Integer, String> dataHashMap) throws Throwable {
    String data = dataHashMap.get(2);

    Connection dbConnection = null;
    PreparedStatement sqlStatement = null;
    ResultSet resultSet = null;

    try {
      /* FIX: Use prepared statement and executeQuery (properly) */
      dbConnection = IO.getDBConnection();
      sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
      sqlStatement.setString(1, data);

      resultSet = sqlStatement.executeQuery();

      IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (resultSet != null) {
          resultSet.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
      }

      try {
        if (sqlStatement != null) {
          sqlStatement.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
      }

      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
  /* goodG2B() - use GoodSource and BadSink */
  public void goodG2BSink(HashMap<Integer, String> dataHashMap) throws Throwable {
    String data = dataHashMap.get(2);

    Connection dbConnection = null;
    Statement sqlStatement = null;
    ResultSet resultSet = null;

    try {
      dbConnection = IO.getDBConnection();
      sqlStatement = dbConnection.createStatement();

      /* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
      resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");

      IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
    } catch (SQLException exceptSql) {
      IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
    } finally {
      try {
        if (resultSet != null) {
          resultSet.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
      }

      try {
        if (sqlStatement != null) {
          sqlStatement.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
      }

      try {
        if (dbConnection != null) {
          dbConnection.close();
        }
      } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
      }
    }
  }
Пример #17
0
 public void doPost(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
   Statement question;
   String query;
   ResultSet answer;
   connect();
   try {
     query = "SELECT * FROM PILOT WHERE Address ='" + request.getParameter("city") + "'";
     question = link.createStatement();
     answer = question.executeQuery(query);
     PrintWriter pen;
     response.setContentType("text/html");
     pen = response.getWriter();
     pen.println("<HTML>");
     pen.println("<HEAD> <TITLE> Answer </TITLE> </HEAD>");
     pen.println("<BODY>");
     while (answer.next()) {
       String pN = answer.getString("PilotNumber");
       String lN = answer.getString("LastName");
       String fN = answer.getString("FirstName");
       String ad = answer.getString("Address");
       float sa = answer.getFloat("Salary");
       float pr = answer.getFloat("Premium");
       Date hD = answer.getDate("HiringDate");
       if (answer.wasNull() == false) {
         pen.println("<P><B> Pilot : </B>" + lN + " " + fN);
         pen.println("<P><B> ---Reference : </B>" + pN);
         pen.println("<P><B> ---Address : </B>" + ad);
         pen.println("<P><B> ---Salary : </B>" + sa);
         pen.println("<P><B> ---since : </B>" + hD);
         if (pr > 0) pen.println("<P><B> ---Premium : </B>" + pr);
         else pen.println("<P><B> ---No premium </B>");
       }
     }
     pen.println("</BODY>");
     pen.println("</HTML>");
     answer.close();
     question.close();
     link.close();
   } catch (SQLException e) {
     System.out.println("Connection error: " + e.getMessage());
   }
 }
Пример #18
0
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    response.setContentType("text/html");
    PrintWriter out = response.getWriter();

    String dbUser = "******"; // enter your username here
    String dbPassword = "******"; // enter your password here

    try {
      OracleDataSource ods = new oracle.jdbc.pool.OracleDataSource();
      ods.setURL("jdbc:oracle:thin:@//w4111b.cs.columbia.edu:1521/ADB");
      ods.setUser(dbUser);
      ods.setPassword(dbPassword);

      Connection conn = ods.getConnection();

      String query = new String();
      Statement s = conn.createStatement();

      query = "select * from events";

      ResultSet r = s.executeQuery(query);
      while (r.next()) {
        out.println("Today's Date: " + r.getString(1) + " ");
      }
      r.close();
      s.close();

      conn.close();

    } catch (Exception e) {
      out.println("The database could not be accessed.<br>");
      out.println("More information is available as follows:<br>");
      e.printStackTrace(out);
    }
  } // end doGet method
  /* goodB2G() - use badsource and goodsink */
  private void goodB2G() throws Throwable {
    String data_copy;
    {
      String data;

      Logger log_bad = Logger.getLogger("local-logger");

      data = ""; /* init data */

      /* read user input from console with readLine*/
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        instrread = new InputStreamReader(System.in);
        buffread = new BufferedReader(instrread);
        data = buffread.readLine();
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }
      }

      data_copy = data;
    }
    {
      String data = data_copy;

      Logger log2 = Logger.getLogger("local-logger");

      Connection conn_tmp2 = null;
      PreparedStatement sqlstatement = null;
      ResultSet sqlrs = null;

      try {
        /* FIX: use prepared sqlstatement */
        conn_tmp2 = IO.getDBConnection();
        sqlstatement = conn_tmp2.prepareStatement("select * from users where name=?");
        sqlstatement.setString(1, data);

        sqlrs = sqlstatement.executeQuery();

        IO.writeString(sqlrs.toString());
      } catch (SQLException se) {
        log2.warning("Error getting database connection");
      } finally {
        try {
          if (sqlrs != null) {
            sqlrs.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlrs");
        } finally {
          try {
            if (sqlstatement != null) {
              sqlstatement.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing sqlstatement");
          } finally {
            try {
              if (conn_tmp2 != null) {
                conn_tmp2.close();
              }
            } catch (SQLException e) {
              log2.warning("Error closing conn_tmp2");
            }
          }
        }
      }
    }
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    Logger log_bad = Logger.getLogger("local-logger");
    data = "";

    /* parse the query string for value of 'id' */
    String id_str = null;
    StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
    while (st.hasMoreTokens()) {
      String token = st.nextToken();
      int i = token.indexOf("=");
      if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
        id_str = token.substring(i + 1);
        break;
      }
    }

    if (id_str != null) {
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      try {
        int id = Integer.parseInt(id_str);
        conn = IO.getDBConnection();
        statement = conn.prepareStatement("select * from pages where id=?");
        /* FLAW: no check to see whether the user has privileges to view the data */
        statement.setInt(1, id);
        rs = statement.executeQuery();
        data = rs.toString();
      } catch (SQLException se) {
        log_bad.warning("Error");
      } finally {
        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    }

    (new CWE89_SQL_Injection__getQueryStringServlet_executeUpdate_53b())
        .bad_sink(data, request, response);
  }
  /* uses badsource and badsink */
  public void bad() throws Throwable {
    String data;
    switch (6) {
      case 6:
        {
          data = "pass";
        }
        break;
      default:
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        {
          java.util.logging.Logger log_good_source =
              java.util.logging.Logger.getLogger("local-logger");
          BufferedReader bufread2 = null;
          InputStreamReader inread2 = null;
          Properties prop = new Properties();
          IO.writeLine("Enter the password: "******"";
          try {
            inread2 = new InputStreamReader(System.in);
            bufread2 = new BufferedReader(inread2);
            /* FIX: password is read from stdin */
            data = bufread2.readLine();
          } catch (Exception e) {
            log_good_source.warning("Exception in try");
          } finally {
            try {
              if (bufread2 != null) {
                bufread2.close();
              }
            } catch (IOException e) {
              log_good_source.warning("Error closing bufread2");
            } finally {
              try {
                if (inread2 != null) {
                  inread2.close();
                }
              } catch (IOException e) {
                log_good_source.warning("Error closing inread2");
              }
            }
          }
        }
        break;
    }

    java.util.logging.Logger log2 = java.util.logging.Logger.getLogger("local-logger");

    Connection conn2 = null;
    PreparedStatement st = null;
    ResultSet rs2 = null;
    String pw = data;
    try {
      /* POTENTIAL FLAW: use of hard-coded password */
      conn2 = DriverManager.getConnection("data-url", "root", pw);
      st = conn2.prepareStatement("select * from test_table");
      rs2 = st.executeQuery();
    } catch (SQLException e) {
      log2.warning("Error with database connection");
    } finally {
      try {
        if (rs2 != null) {
          rs2.close();
        }
      } catch (SQLException e) {
        log2.warning("Error closing rs2");
      } finally {
        try {
          if (st != null) {
            st.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing st");
        } finally {
          try {
            if (conn2 != null) {
              conn2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn2");
          }
        }
      }
    }
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;

    Logger log_bad = Logger.getLogger("local-logger");
    data = "";

    /* parse the query string for value of 'id' */
    String id_str = null;
    StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
    while (st.hasMoreTokens()) {
      String token = st.nextToken();
      int i = token.indexOf("=");
      if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
        id_str = token.substring(i + 1);
        break;
      }
    }

    if (id_str != null) {
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      try {
        int id = Integer.parseInt(id_str);
        conn = IO.getDBConnection();
        statement = conn.prepareStatement("select * from pages where id=?");
        /* FLAW: no check to see whether the user has privileges to view the data */
        statement.setInt(1, id);
        rs = statement.executeQuery();
        data = rs.toString();
      } catch (SQLException se) {
        log_bad.warning("Error");
      } finally {
        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    }

    {
      try {
        int iConversion = Integer.valueOf(data);
      } catch (Exception e) {
        e.printStackTrace(); /* POTENTIAL FLAW: Print stack trace on error */
      }
    }

    if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True.
		  We need the "if(true)" because the Java Language Spec requires that
		  unreachable code generate a compiler error */

    /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
    {
      try {
        int iConversion = Integer.valueOf(data);
      } catch (Exception e) {
        IO.writeLine("There was an error parsing the string"); /* FIX: print a generic message */
      }
    }
  }
Пример #23
0
  @Override
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {

    // create the workbook, its worksheet, and its title row
    Workbook workbook = new HSSFWorkbook();
    Sheet sheet = workbook.createSheet("User table");
    Row row = sheet.createRow(0);
    row.createCell(0).setCellValue("The User table");

    // create the header row
    row = sheet.createRow(2);
    row.createCell(0).setCellValue("UserID");
    row.createCell(1).setCellValue("LastName");
    row.createCell(2).setCellValue("FirstName");
    row.createCell(3).setCellValue("Email");

    try {
      // read database rows
      ConnectionPool pool = ConnectionPool.getInstance();
      Connection connection = pool.getConnection();
      Statement statement = connection.createStatement();
      String query = "SELECT * FROM User ORDER BY UserID";
      ResultSet results = statement.executeQuery(query);

      // create spreadsheet rows
      int i = 3;
      while (results.next()) {
        row = sheet.createRow(i);
        row.createCell(0).setCellValue(results.getInt("UserID"));
        row.createCell(1).setCellValue(results.getString("LastName"));
        row.createCell(2).setCellValue(results.getString("FirstName"));
        row.createCell(3).setCellValue(results.getString("Email"));
        i++;
      }
      results.close();
      statement.close();
      connection.close();
    } catch (SQLException e) {
      this.log(e.toString());
    }

    // set response object headers
    response.setHeader("content-disposition", "attachment; filename=users.xls");
    response.setHeader("cache-control", "no-cache");

    // get the output stream
    String encodingString = request.getHeader("accept-encoding");
    OutputStream out;
    if (encodingString != null && encodingString.contains("gzip")) {
      out = new GZIPOutputStream(response.getOutputStream());
      response.setHeader("content-encoding", "gzip");
      // System.out.println("User table encoded with gzip");
    } else {
      out = response.getOutputStream();
      // System.out.println("User table not encoded with gzip");
    }

    // send the workbook to the browser
    workbook.write(out);
    out.close();
  }
Пример #24
0
  /**
   * Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
   *
   * @param request servlet request
   * @param response servlet response
   * @throws ServletException if a servlet-specific error occurs
   * @throws IOException if an I/O error occurs
   */
  protected void processRequest(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    Statement stmt;
    ResultSet rs;

    if (username == null || password == null) {
      out.println("<h1>Invalid Register Request</h1>");
      out.println("<a href=\"register.html\">Register</a>");

      return;
    }
    Connection con = null;

    try {
      Class.forName("com.mysql.jdbc.Driver");
      String connectionUrl = "jdbc:mysql://localhost/project3?" + "user=root&password=marouli";
      con = DriverManager.getConnection(connectionUrl);

      if (con != null) {
        System.out.println("Ola ok me mysql");
      }
    } catch (SQLException e) {
      System.out.println("SQL Exception: " + e.toString());
    } catch (ClassNotFoundException cE) {
      System.out.println("Class Not Found Exception: " + cE.toString());
    }

    try {
      stmt = con.createStatement();

      rs = stmt.executeQuery("SELECT * FROM users WHERE username='******'");
      if (rs.next()) {
        out.println("<h1>Username exists</h1>");
        out.println("<a href=\"register.html\">Register</a>");

        stmt.close();
        rs.close();
        con.close();
        return;
      }
      stmt.close();
      rs.close();

      stmt = con.createStatement();

      if (!stmt.execute("INSERT INTO users VALUES('" + username + "', '" + password + "')")) {
        out.println("<h1>You are now registered " + username + "</h1>");
        out.println("<a href=\"index.jsp\">Login</a>");

        int i;
        for (i = 0; i < listeners.size(); i++) listeners.get(i).UserRegistered(username);
      } else {
        out.println("<h1>Could not add your username to the db</h1>");
        out.println("<a href=\"register.html\">Register</a>");
      }

      stmt.close();
      con.close();
    } catch (SQLException e) {
      throw new ServletException("Servlet Could not display records.", e);
    }
  }
Пример #25
0
  public void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {

    resp.setContentType("text/html");
    PrintWriter out = resp.getWriter();

    PreparedStatement pstmt = null;
    Statement stmt = null;
    ResultSet rs = null;

    HttpSession session = SystemUtils.verifyMem(req, out); // check for intruder

    if (session == null) return;

    Connection con = Connect.getCon(req); // get DB connection

    if (con == null) {

      resp.setContentType("text/html");

      out.println(SystemUtils.HeadTitle("DB Connection Error"));
      out.println("<BODY><CENTER><BR>");
      out.println("<BR><BR><H3>Database Connection Error</H3>");
      out.println("<BR><BR>Unable to connect to the Database.");
      out.println("<BR>Please try again later.");
      out.println("<BR><BR>If problem persists, contact customer support.");
      out.println("<BR><BR>");
      out.println("<a href=\"javascript:history.back(1)\">Return</a>");
      out.println("</CENTER></BODY></HTML>");
      out.close();
      return;
    }

    //
    // Get needed vars out of session obj
    //
    String club = (String) session.getAttribute("club");
    String user = (String) session.getAttribute("user");
    String caller = (String) session.getAttribute("caller");

    int activity_id = (Integer) session.getAttribute("activity_id");

    int foretees_mode = 0;

    String stype_id = req.getParameter("type_id");
    int type_id = 0;

    String sgroup_id = req.getParameter("group_id");
    int group_id = 0;

    String sitem_id = req.getParameter("item_id");
    int item_id = 0;

    try {
      type_id = Integer.parseInt(stype_id);
    } catch (NumberFormatException ignore) {
    }

    try {
      group_id = Integer.parseInt(sgroup_id);
    } catch (NumberFormatException ignore) {
    }

    try {
      item_id = Integer.parseInt(sitem_id);
    } catch (NumberFormatException ignore) {
    }

    out.println(
        "<!-- type_id=" + type_id + ", group_id=" + group_id + ", item_id=" + item_id + " -->");

    //
    // START PAGE OUTPUT
    //
    out.println(SystemUtils.HeadTitle("Member Acivities"));
    out.println("<style>");
    out.println(".actLink { color: black }");
    out.println(".actLink:hover { color: #336633 }");
    // out.println(".playerTD {width:125px}");
    out.println("</style>");
    out.println(
        "<body bgcolor=\"#CCCCAA\" text=\"#000000\" link=\"#336633\" vlink=\"#8B8970\" alink=\"#8B8970\">");
    SystemUtils.getMemberSubMenu(req, out, caller); // required to allow submenus on this page

    //
    // DISPLAY A LIST OF AVAILABLE ACTIVITIES
    //
    out.println(
        "<p align=center><b><font size=5 color=#336633><BR><BR>Available Activities</font></b></p>");

    out.println(
        "<p align=center><b><font size=3 color=#000000>Select your desired activity from the list below.<br>NOTE: You can set your default activity under <a href=\"Member_services\" class=actLink>Settings</a>.</font></b></p>");

    out.println("<table align=center>");

    try {

      stmt = con.createStatement();

      rs = stmt.executeQuery("SELECT foretees_mode FROM club5 WHERE clubName <> '';");

      if (rs.next()) {
        foretees_mode = rs.getInt(1);
      }

      // if they have foretees then give a link in to the golf system
      if (foretees_mode != 0) {

        out.println(
            "<tr><td align=center><b><a href=\"Member_jump?switch&activity_id=0\" class=linkA style=\"color:#336633\" target=_top>Golf</a></b></td></tr>"); // ForeTees
      }

      // build a link to any activities they have access to
      rs =
          stmt.executeQuery(
              "SELECT * FROM activities " + "WHERE parent_id = 0 " + "ORDER BY activity_name");

      while (rs.next()) {

        out.println(
            "<tr><td align=center><b><a href=\"Member_jump?switch&activity_id="
                + rs.getInt("activity_id")
                + "\" class=linkA style=\"color:#336633\" target=_top>"
                + rs.getString("activity_name")
                + "</a></b></td></tr>");
      }

      stmt.close();

    } catch (Exception exc) {

      out.println("<p>ERROR:" + exc.toString() + "</p>");

    } finally {

      try {
        rs.close();
      } catch (Exception ignore) {
      }

      try {
        stmt.close();
      } catch (Exception ignore) {
      }
    }

    out.println("</table>");

    out.println("</body></html>");

    /*

        out.println("<script>");

        out.println("function load_types() {");
        out.println(" try {document.forms['frmSelect'].item_id.selectedIndex = -1; } catch (err) {}");
        out.println(" document.forms['frmSelect'].group_id.selectedIndex = -1;");
        out.println(" document.forms['frmSelect'].submit();");
        out.println("}");

        out.println("function load_groups() {");
        out.println(" document.forms['frmSelect'].submit();");
        out.println("}");

        out.println("function load_times(id) {");
        out.println(" top.bot.location.href='Member_gensheets?id=' + id;");
        out.println("}");

        out.println("</script>");

        out.println("<form name=frmSelect>");

        // LOAD ACTIVITY TYPES
        out.println("<select name=type_id onchange=\"load_types()\">");

        if (type_id == 0) {

            out.println("<option>CHOOSE TYPE</option>");

        }

        try {

            stmt = con.createStatement();

            rs = stmt.executeQuery("SELECT * FROM activities WHERE parent_id = 0");

            while (rs.next()) {

                Common_Config.buildOption(rs.getInt("activity_id"), rs.getString("activity_name"), type_id, out);

            }
            stmt.close();

        } catch (Exception exc) {

            out.println("<p>ERROR:" + exc.toString() + "</p>");

        }

        out.println("");
        out.println("</select>");


        // LOAD ACTIVITIES BY GROUP TYPE
        out.println("<select name=group_id onchange=\"load_groups()\">");

        if (type_id == 0) {

            out.println("<option>CHOOSE TYPE</option>");

        } else {

            try {

                stmt = con.createStatement();
                rs = stmt.executeQuery("SELECT activity_id, activity_name FROM activities WHERE parent_id = " + type_id);

                rs.last();
                if (rs.getRow() == 1) {
                    group_id = rs.getInt("activity_id");
                    out.println("<!-- ONLY FOUND 1 GROUP -->");
                } else {
                    out.println("<option value=\"0\">CHOOSE...</option>");
                }

                rs.beforeFirst();

                while (rs.next()) {

                    Common_Config.buildOption(rs.getInt("activity_id"), rs.getString("activity_name"), group_id, out);

                }
                stmt.close();

            } catch (Exception exc) {

                out.println("<p>ERROR:" + exc.toString() + "</p>");

            }

        }

        out.println("");
        out.println("</select>");

        boolean do_load = false;

        if (group_id > 0 ) { //|| sitem_id != null

            // LOAD ACTIVITIES BY ITEM TYPE

            try {

                stmt = con.createStatement();
                rs = stmt.executeQuery("SELECT activity_id, activity_name FROM activities WHERE parent_id = " + group_id);

                rs.last();
                if (rs.getRow() == 0) {

                    // no sub groups found
                    do_load = true;
                    item_id = group_id;

                } else if (rs.getRow() == 1) {

                    // single sub group found (pre select it)
                    item_id = rs.getInt("activity_id");
                    out.println("<!-- ONLY FOUND 1 ITEM -->");

                } else {

                    out.println("<select name=item_id onchange=\"load_times(this.options[this.selectedIndex].value)\">");
                    out.println("<option value=\"0\">CHOOSE...</option>");

                }

                if (!do_load) {

                    rs.beforeFirst();

                    while (rs.next()) {

                        Common_Config.buildOption(rs.getInt("activity_id"), rs.getString("activity_name"), item_id, out);

                    }

                }
                stmt.close();

                out.println("");
                out.println("</select>");

            } catch (Exception exc) {

                out.println("<p>ERROR:" + exc.toString() + "</p>");

            }


        }

        out.println("</form>");

        out.println("<p><a href=\"Member_genrez\">Reset</a></p>");

        try {
            con.close();
        } catch (Exception ignore) {}


        if (do_load) out.println("<script>load_times(" + item_id + ")</script>");


        //out.println("<iframe name=ifSheet src=\"\" style=\"width:640px height:480px\"></iframe>");
    */

    out.close();
  }
Пример #26
0
  /**
   * Determine whether or a not a Researcher with the supplied email exists
   *
   * @param email The email to test
   * @return The researcher ID of the researcher if it exists, -1 if it doesn't
   * @throws SQLException if a database error was encountered
   */
  public static int emailExists(String email) throws SQLException {
    int returnVal = -1;

    if (email == null || email.equals("")) {
      return -1;
    }

    // Get our connection to the database.
    Connection conn = DBConnectionManager.getConnection("yrc");
    PreparedStatement stmt = null;
    ResultSet rs = null;

    try {
      stmt =
          conn.prepareStatement(
              "SELECT researcherID FROM tblResearchers WHERE researcherEmail = ?");
      stmt.setString(1, email);

      rs = stmt.executeQuery();

      // No rows returned.
      if (!rs.next()) {
        returnVal = -1;
      } else {
        returnVal = rs.getInt("researcherID");
      }

      rs.close();
      rs = null;

      stmt.close();
      stmt = null;

      conn.close();
      conn = null;
    } finally {

      // Always make sure result sets and statements are closed,
      // and the connection is returned to the pool
      if (rs != null) {
        try {
          rs.close();
        } catch (SQLException e) {;
        }
        rs = null;
      }
      if (stmt != null) {
        try {
          stmt.close();
        } catch (SQLException e) {;
        }
        stmt = null;
      }
      if (conn != null) {
        try {
          conn.close();
        } catch (SQLException e) {;
        }
        conn = null;
      }
    }

    return returnVal;
  }
Пример #27
0
  /**
   * Get a populated User object corresponding to a username.
   *
   * @param username The username to test
   * @return The User object corresponding to that username.
   * @throws NoSuchUserException if that username does not exist.
   * @throws SQLException if a database error was encountered.
   */
  public static User getUser(String username) throws NoSuchUserException, SQLException {
    // The User to return
    User theUser;

    // Make sure the username isn't null
    if (username == null) {
      throw new NoSuchUserException("got null for username in UserUtils.getUser");
    }

    // Get our connection to the database.
    Connection conn = DBConnectionManager.getConnection("yrc");
    PreparedStatement stmt = null;
    ResultSet rs = null;

    try {
      stmt = conn.prepareStatement("SELECT researcherID FROM tblUsers WHERE username = ?");
      stmt.setString(1, username);

      rs = stmt.executeQuery();

      // No rows returned.
      if (!rs.next()) {
        throw new NoSuchUserException("Username not found.");
      }

      theUser = new User();

      try {
        theUser.load(rs.getInt("researcherID"));
      } catch (InvalidIDException e) {
        throw new NoSuchUserException(
            "Somehow, we got an invalid ID ("
                + rs.getInt("researcherID")
                + ") after we got the ID from the username...  This can't be good.");
      }

      rs.close();
      rs = null;

      stmt.close();
      stmt = null;

      conn.close();
      conn = null;
    } finally {

      // Always make sure result sets and statements are closed,
      // and the connection is returned to the pool
      if (rs != null) {
        try {
          rs.close();
        } catch (SQLException e) {;
        }
        rs = null;
      }
      if (stmt != null) {
        try {
          stmt.close();
        } catch (SQLException e) {;
        }
        stmt = null;
      }
      if (conn != null) {
        try {
          conn.close();
        } catch (SQLException e) {;
        }
        conn = null;
      }
    }

    return theUser;
  }
  /** Business logic to execute. */
  public final Response executeCommand(
      Object inputPar,
      UserSessionParameters userSessionPars,
      HttpServletRequest request,
      HttpServletResponse response,
      HttpSession userSession,
      ServletContext context) {
    String serverLanguageId = ((JAIOUserSessionParameters) userSessionPars).getServerLanguageId();
    Connection conn = null;
    Statement stmt = null;
    try {
      conn = ConnectionManager.getConnection(context);

      // fires the GenericEvent.CONNECTION_CREATED event...
      EventsManager.getInstance()
          .processEvent(
              new GenericEvent(
                  this,
                  getRequestName(),
                  GenericEvent.CONNECTION_CREATED,
                  (JAIOUserSessionParameters) userSessionPars,
                  request,
                  response,
                  userSession,
                  context,
                  conn,
                  inputPar,
                  null));
      java.util.List list = (ArrayList) inputPar;

      HierarItemDiscountVO vo = null;
      ResultSet rset = null;
      stmt = conn.createStatement();
      for (int i = 0; i < list.size(); i++) {
        vo = (HierarItemDiscountVO) list.get(i);
        vo.setDiscountTypeSAL03(ApplicationConsts.DISCOUNT_CUSTOMER);

        // retrieve COMPANY_CODE from progressiveHIE01...
        rset =
            stmt.executeQuery(
                "select COMPANY_CODE_SYS01 from ITM02_ITEM_TYPES where PROGRESSIVE_HIE02 in "
                    + "(select PROGRESSIVE_HIE02 from HIE01_LEVELS where PROGRESSIVE="
                    + vo.getProgressiveHie01SAL05()
                    + ")");
        if (rset.next()) vo.setCompanyCodeSys01SAL03(rset.getString(1));
        else {
          rset.close();
          conn.rollback();
          return new ErrorResponse("Item hierarchy not found.");
        }
        rset.close();

        DiscountBean.insertDiscount(conn, vo);

        stmt.execute(
            "insert into SAL05_ITEM_HIERAR_DISCOUNTS(COMPANY_CODE_SYS01,PROGRESSIVE_HIE01,DISCOUNT_CODE_SAL03) "
                + "values('"
                + vo.getCompanyCodeSys01SAL03()
                + "',"
                + vo.getProgressiveHie01SAL05()
                + ",'"
                + vo.getDiscountCodeSAL03()
                + "')");
      }

      Response answer = new VOListResponse(list, false, list.size());

      // fires the GenericEvent.BEFORE_COMMIT event...
      EventsManager.getInstance()
          .processEvent(
              new GenericEvent(
                  this,
                  getRequestName(),
                  GenericEvent.BEFORE_COMMIT,
                  (JAIOUserSessionParameters) userSessionPars,
                  request,
                  response,
                  userSession,
                  context,
                  conn,
                  inputPar,
                  answer));

      conn.commit();

      // fires the GenericEvent.AFTER_COMMIT event...
      EventsManager.getInstance()
          .processEvent(
              new GenericEvent(
                  this,
                  getRequestName(),
                  GenericEvent.AFTER_COMMIT,
                  (JAIOUserSessionParameters) userSessionPars,
                  request,
                  response,
                  userSession,
                  context,
                  conn,
                  inputPar,
                  answer));

      return answer;
    } catch (Throwable ex) {
      Logger.error(
          userSessionPars.getUsername(),
          this.getClass().getName(),
          "executeCommand",
          "Error while inserting hierarchy item discounts",
          ex);
      try {
        conn.rollback();
      } catch (Exception ex3) {
      }
      return new ErrorResponse(ex.getMessage());
    } finally {
      try {
        stmt.close();
      } catch (Exception ex2) {
      }
      try {
        ConnectionManager.releaseConnection(conn, context);
      } catch (Exception ex1) {
      }
    }
  }
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();

    HttpSession session = request.getSession(true);

    try {
      Object accountObject = session.getValue(ACCOUNT);

      // If no account object was put in the session, or
      // if one exists but it is not a hashtable, then
      // redirect the user to the original login page

      if (accountObject == null)
        throw new RuntimeException("You need to log in to use this service!");

      if (!(accountObject instanceof Hashtable))
        throw new RuntimeException("You need to log in to use this service!");

      Hashtable account = (Hashtable) accountObject;

      String userName = (String) account.get("name");

      //////////////////////////////////////////////
      // Display Messages for the user who logged in
      //////////////////////////////////////////////
      out.println("<HTML>");
      out.println("<HEAD>");
      out.println("<TITLE>Contacts for " + userName + "</TITLE>");
      out.println("</HEAD>");
      out.println("<BODY BGCOLOR='#EFEFEF'>");
      out.println("<H3>Welcome " + userName + "</H3>");

      out.println("<CENTER>");

      Connection con = null;
      Statement stmt = null;
      ResultSet rs = null;
      try {
        Class.forName("com.mysql.jdbc.Driver").newInstance();
        con =
            DriverManager.getConnection(
                "jdbc:mysql://localhost/contacts?user=kareena&password=kapoor");

        stmt = con.createStatement();
        rs =
            stmt.executeQuery(
                "SELECT * FROM contacts WHERE userName='******' ORDER BY contactID");

        out.println("<form name='deleteContactsForm' method='post' action='deleteContact'>");

        out.println("<TABLE BGCOLOR='#EFEFFF' CELLPADDING='2' CELLSPACING='4' BORDER='1'>");
        out.println("<TR BGCOLOR='#D6DFFF'>");
        out.println("<TD ALIGN='center'><B>Contact ID</B></TD>");
        out.println("<TD ALIGN='center'><B>Contact Name</B></TD>");
        out.println("<TD ALIGN='center'><B>Comment</B></TD>");
        out.println("<TD ALIGN='center'><B>Date</B></TD>");
        out.println("<TD ALIGN='center'><B>Delete Contacts</B></TD>");
        out.println("</TR>");

        int nRows = 0;
        while (rs.next()) {
          nRows++;
          String messageID = rs.getString("contactID");
          String fromUser = rs.getString("contactName");
          String message = rs.getString("comments");
          String messageDate = rs.getString("dateAdded");

          out.println("<TR>");
          out.println("<TD>" + messageID + "</TD>");
          out.println("<TD>" + fromUser + "</TD>");
          out.println("<TD>" + message + "</TD>");
          out.println("<TD>" + messageDate + "</TD>");
          out.println(
              "<TD><input type='checkbox' name='msgList' value='" + messageID + "'> Delete</TD>");
          out.println("</TR>");
        }

        out.println("<TR>");
        out.println(
            "<TD COLSPAN='6' ALIGN='center'><input type='submit' value='Delete Selected Contacts'></TD>");
        out.println("</TR>");

        out.println("</TABLE>");
        out.println("</FORM>");
      } catch (Exception e) {
        out.println("Could not connect to the users database.<P>");
        out.println("The error message was");
        out.println("<PRE>");
        out.println(e.getMessage());
        out.println("</PRE>");
      } finally {
        if (rs != null) {
          try {
            rs.close();
          } catch (SQLException ignore) {
          }
        }
        if (stmt != null) {
          try {
            stmt.close();
          } catch (SQLException ignore) {
          }
        }
        if (con != null) {
          try {
            con.close();
          } catch (SQLException ignore) {
          }
        }
      }

      out.println("</CENTER>");
      out.println("</BODY>");
      out.println("</HTML>");

    } catch (RuntimeException e) {
      out.println("<script language=\"javascript\">");
      out.println("alert(\"You need to log in to use this service!\");");
      out.println("</script>");

      out.println("<a href='index.html'>Click Here</a> to go to the main page.<br><br>");

      out.println(
          "Or Click on the button to exit<FORM><INPUT onClick=\"javascipt:window.close()\" TYPE=\"BUTTON\" VALUE=\"Close Browser\" TITLE=\"Click here to close window\" NAME=\"CloseWindow\" STYLE=\"font-family:Verdana, Arial, Helvetica; font-size:smaller; font-weight:bold\"></FORM>");

      log(e.getMessage());
      return;
    }
  }
  public void bad() throws Throwable {
    String data_copy;
    {
      String data;

      Logger log_bad = Logger.getLogger("local-logger");

      data = ""; /* init data */

      /* read user input from console with readLine*/
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        instrread = new InputStreamReader(System.in);
        buffread = new BufferedReader(instrread);
        data = buffread.readLine();
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }
      }

      data_copy = data;
    }
    {
      String data = data_copy;

      Logger log2 = Logger.getLogger("local-logger");

      Connection conn_tmp2 = null;
      Statement sqlstatement = null;
      ResultSet sqlrs = null;

      try {
        conn_tmp2 = IO.getDBConnection();
        sqlstatement = conn_tmp2.createStatement();

        /* POTENTIAL FLAW: take user input and place into dynamic sql query */
        sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");

        IO.writeString(sqlrs.toString());
      } catch (SQLException se) {
        log2.warning("Error getting database connection");
      } finally {
        try {
          if (sqlrs != null) {
            sqlrs.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlrs");
        } finally {
          try {
            if (sqlstatement != null) {
              sqlstatement.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing sqlstatement");
          } finally {
            try {
              if (conn_tmp2 != null) {
                conn_tmp2.close();
              }
            } catch (SQLException e) {
              log2.warning("Error closing conn_tmp2");
            }
          }
        }
      }
    }
  }