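/**
 * Writes the current field values of this record back to the database with the
 * {@code UPDATE_WARE} statement. Parameters are bound positionally: name, model,
 * cost, heft, manufacturer, note, status, id — all text fields pass through
 * {@code StringUtils.toChinese} first (its exact conversion is not visible here).
 *
 * <p>All values are bound as parameters, so field contents cannot alter the
 * statement. Failures are reported to stderr and not propagated, as before, so a
 * caller cannot tell whether the row was actually updated.
 *
 * <p>Changes: the stray debug print of the SQL template to stdout is gone, and the
 * closes in {@code finally} are null-guarded so a failed {@code getConnection()}
 * no longer produces a second (NullPointerException) stack trace.
 */
private void saveToDb() {
    Connection con = null;
    PreparedStatement pstmt = null;
    try {
        con = DbConnectionManager.getConnection();
        pstmt = con.prepareStatement(UPDATE_WARE);
        pstmt.setString(1, StringUtils.toChinese(this.Pname));
        pstmt.setString(2, StringUtils.toChinese(this.Pmodel));
        pstmt.setString(3, StringUtils.toChinese(this.Pcost));
        pstmt.setString(4, StringUtils.toChinese(this.Pheft));
        pstmt.setString(5, StringUtils.toChinese(this.Pfacturer));
        pstmt.setString(6, StringUtils.toChinese(this.Pnote));
        pstmt.setInt(7, this.Status);
        pstmt.setInt(8, this.Id);
        pstmt.executeUpdate();
    } catch (SQLException sqle) {
        System.err.println("错误位置: DbWare.java:saveToDb(): " + sqle);
        sqle.printStackTrace();
    } finally {
        // Close in reverse order of acquisition; each close is independent so a
        // failure on the statement does not leak the connection.
        if (pstmt != null) {
            try {
                pstmt.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        if (con != null) {
            try {
                con.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}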
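/**
 * Persists this record: INSERT when {@link #isNew()} reports a new object,
 * otherwise UPDATE of the row whose id column equals {@code getId()}.
 *
 * <p>Table and id-column names come from {@code tableName()} /
 * {@code recordIDColumnName()} (class-provided, not request data); every value is
 * bound as a parameter. {@code mod_count} is incremented in the database and, only
 * if the statement succeeds, mirrored into this object via {@code setModCount}.
 *
 * <p>Change: the statement is now closed in a {@code finally} block, so it no
 * longer leaks when {@code executeUpdate} (or a setter) throws.
 *
 * <p>NOTE(review): {@code mod_count} is dereferenced unconditionally; a null
 * field would NPE before anything is executed — confirm it is always initialised.
 *
 * @param conn open connection to use; not closed here
 * @throws SQLException from the driver; the in-memory mod_count is left unchanged
 */
public void save(Connection conn) throws SQLException {
    boolean isNewRecord = isNew();
    String query;
    if (isNewRecord) {
        query = "insert into " + tableName() + " (" + recordIDColumnName()
                + ",mod_count,date_entered,date_modified,name,status,product) values (?,?,?,?,?,?,?)";
    } else {
        query = "update " + tableName() + " set mod_count = ?, date_entered = ?, "
                + "date_modified = ?, name = ?, status = ?, product = ? where "
                + recordIDColumnName() + " = ?";
    }
    int newModCount = mod_count.intValue() + 1;
    PreparedStatement ps = conn.prepareStatement(query);
    try {
        int idx = 1;
        if (isNewRecord) {
            ps.setInt(idx++, getId().intValue());
        }
        ps.setInt(idx++, newModCount);
        ps.setTimestamp(idx++, date_entered);
        ps.setTimestamp(idx++, date_modified); // TODO: set to current time (carried over from original)
        ps.setString(idx++, getName());
        ps.setString(idx++, getStatus());
        ps.setInt(idx++, getProduct().getId().intValue());
        if (!isNewRecord) {
            ps.setInt(idx++, getId().intValue());
        }
        ps.executeUpdate();
    } finally {
        ps.close();
    }
    // Only reached when no exception occurred, so the cached count matches the row.
    setModCount(Integer.valueOf(newModCount));
}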
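/**
 * Executes the {@code Del_ware} statement for this record, binding status and id
 * positionally (the statement text itself is a class constant, so whether it is a
 * real DELETE or a status-flag update is not visible here).
 *
 * <p>Errors are printed to stderr and swallowed, matching the existing contract.
 * Changes: the debug print of the SQL template is removed and the resource closes
 * are null-guarded so a failed {@code getConnection()} does not produce a
 * secondary NullPointerException trace.
 */
private void DELToDb() {
    Connection con = null;
    PreparedStatement pstmt = null;
    try {
        con = DbConnectionManager.getConnection();
        pstmt = con.prepareStatement(Del_ware);
        pstmt.setInt(1, this.Status);
        pstmt.setInt(2, this.Id);
        pstmt.executeUpdate();
    } catch (SQLException sqle) {
        System.err.println("错误位置: DbShop.java:DELToDb(): " + sqle);
        sqle.printStackTrace();
    } finally {
        if (pstmt != null) {
            try {
                pstmt.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        if (con != null) {
            try {
                con.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}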
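/**
 * Inserts this record with the {@code INSERT_WARE} statement. Bound positionally:
 * id, name, model, cost, heft, manufacturer, note, create date, status; text
 * fields are passed through {@code StringUtils.toChinese}.
 *
 * <p>All values are bound as parameters. Errors are printed to stderr and not
 * propagated, so callers cannot detect a failed insert (unchanged contract).
 * Change: closes in {@code finally} are null-guarded to avoid a second stack
 * trace when the connection could not be obtained.
 */
private void insertIntoDb() {
    Connection con = null;
    PreparedStatement pstmt = null;
    try {
        con = DbConnectionManager.getConnection();
        pstmt = con.prepareStatement(INSERT_WARE);
        pstmt.setInt(1, this.Id);
        pstmt.setString(2, StringUtils.toChinese(this.Pname));
        pstmt.setString(3, StringUtils.toChinese(this.Pmodel));
        pstmt.setString(4, StringUtils.toChinese(this.Pcost));
        pstmt.setString(5, StringUtils.toChinese(this.Pheft));
        pstmt.setString(6, StringUtils.toChinese(this.Pfacturer));
        pstmt.setString(7, StringUtils.toChinese(this.Pnote));
        pstmt.setString(8, StringUtils.toChinese(this.Createdate));
        pstmt.setInt(9, this.Status);
        pstmt.executeUpdate();
    } catch (SQLException sqle) {
        System.err.println("错误位置: Dbware:insertIntoDb()-" + sqle);
        sqle.printStackTrace();
    } finally {
        if (pstmt != null) {
            try {
                pstmt.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        if (con != null) {
            try {
                con.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}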
/**
 * Appends one access-log row (timestamp, peer address, request URI) to the
 * {@code LOGGING} table, with every value bound as a parameter.
 *
 * <p>NOTE(review): {@code getRemoteAddr()} is the TCP peer; behind a reverse
 * proxy that is the proxy's address, not the client's — confirm the deployment.
 * The URI is stored exactly as received (no normalisation); any page that
 * renders this table must escape it.
 *
 * @param req        the request being logged
 * @param connection open connection; the statement is closed here, the
 *                   connection is not
 * @throws SQLException if the insert fails
 */
private void insertLog(HttpServletRequest req, Connection connection) throws SQLException {
    final String sql = "INSERT INTO LOGGING (date,ip,url) VALUES (?,?,?)";
    try (PreparedStatement insert = connection.prepareStatement(sql)) {
        Timestamp now = new Timestamp(System.currentTimeMillis());
        insert.setTimestamp(1, now);
        insert.setString(2, req.getRemoteAddr());
        insert.setString(3, req.getRequestURI());
        insert.executeUpdate();
    }
}
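/**
 * Deletes the fixed test row {@code nimi = 'Tandi Kaat'} from {@code kandidaat}.
 * The statement is a constant with no request data in it, so there is no
 * injection surface; the response body is left empty.
 *
 * <p>Changes: the statement and connection are now closed in {@code finally}
 * (previously the connection leaked on every call). The driver is still
 * re-registered per request, as before.
 *
 * <p>NOTE(review): no authentication or CSRF check is visible in this handler,
 * and the JDBC URL is hard-coded — confirm an upstream filter restricts who can
 * POST here, and consider moving the URL to configuration.
 *
 * @param req  incoming request (unused)
 * @param resp response (nothing is written)
 * @throws IOException declared for servlet compatibility; not thrown here
 */
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    System.out.println("Clearing changes");
    Connection c = null;
    PreparedStatement stmt = null;
    try {
        DriverManager.registerDriver(new AppEngineDriver());
        c = DriverManager.getConnection("jdbc:google:rdbms://trmrphdn:veebirakendused/andmebaas");
        stmt = c.prepareStatement("delete from kandidaat where nimi = 'Tandi Kaat'");
        stmt.executeUpdate();
    } catch (SQLException e) {
        e.printStackTrace();
    } finally {
        if (stmt != null) {
            try {
                stmt.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
        if (c != null) {
            try {
                c.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
    }
}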
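/**
 * Records one vote and bumps the archived tally for the chosen option.
 *
 * <p>Reads {@code user_id}, {@code question_id} and {@code option} from the
 * request; all three are parsed as integers before any database work. The vote
 * row is inserted with bound parameters. The tally column {@code OPTION_<n>} is
 * built from the parsed int, so it cannot carry SQL text, but a value that does
 * not correspond to an existing column still fails at the database; negative
 * values are rejected up front because they can never form a valid identifier.
 *
 * <p>Change: the tally was read, incremented in Java and written back, which
 * loses votes when two requests interleave; it is now a single
 * {@code SET col = COALESCE(col,0)+1}, which keeps the old treatment of a NULL
 * tally as zero. Statements and the connection are closed in {@code finally}.
 * On any failure the exception is logged and the client gets an empty 200, as
 * before.
 *
 * <p>NOTE(review): nothing here verifies that the caller is {@code user_id} or
 * that the user has not already voted; the insert and the tally update are also
 * not in one transaction — confirm these are handled upstream or accept them.
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    Connection con = null;
    PreparedStatement insertVote = null;
    PreparedStatement bumpTally = null;
    try {
        int userId = Integer.parseInt(request.getParameter("user_id"));
        int questionId = Integer.parseInt(request.getParameter("question_id"));
        int option = Integer.parseInt(request.getParameter("option"));
        if (option < 0) {
            throw new IllegalArgumentException("option must be non-negative: " + option);
        }
        System.out.println("uid: " + userId + "\nquestion: " + questionId + "\noption: " + option);

        Class.forName("com.mysql.jdbc.Driver").newInstance();
        con = DriverManager.getConnection(Utility.connection, Utility.username, Utility.password);

        insertVote = con.prepareStatement(
                "INSERT INTO VOTES(USER_ID, QUESTION_ID,OPTION_VOTED) VALUES (?,?,?)");
        insertVote.setInt(1, userId);
        insertVote.setInt(2, questionId);
        insertVote.setInt(3, option);
        insertVote.execute();

        // Column name is derived from a validated int only; the question id is bound.
        String tallyColumn = "OPTION_" + option;
        bumpTally = con.prepareStatement(
                "UPDATE ARCHIVE_VOTES SET " + tallyColumn + "=COALESCE(" + tallyColumn + ",0)+1"
                        + " WHERE QUESTION_ID=?");
        bumpTally.setInt(1, questionId);
        bumpTally.executeUpdate();

        out.print("You Vote has been recorded! Thank you!");
        System.out.println(
                "Voted for question " + questionId + ", by user " + userId + ", for option " + option);
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        if (insertVote != null) {
            try {
                insertVote.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
        if (bumpTally != null) {
            try {
                bumpTally.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
        if (con != null) {
            try {
                con.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
        out.close();
    }
}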
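/**
 * Registers a student: inserts the seven form fields ({@code t1}..{@code t8},
 * {@code t3} is not read) into {@code stu_tab} and reports success or failure
 * as a small HTML page.
 *
 * <p>All values are bound as parameters, so the fields cannot alter the SQL.
 * Changes: the statement and connection are closed in {@code finally} (both
 * leaked before), and an exception is no longer echoed to the browser — it
 * exposed driver/SQL details — but logged server-side while the user sees the
 * generic failure page.
 *
 * <p>FIXME(security), not changed here because the login code is not visible:
 * the password is stored as received; it should be hashed (bcrypt/scrypt/
 * argon2) here and verified the same way at login. The connection uses the
 * hard-coded DBA account {@code system}; move to a container DataSource with a
 * least-privilege user. The INSERT relies on column order ({@code values(...)}
 * without a column list), which silently breaks on schema changes.
 */
public void service(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    Connection con = null;
    PreparedStatement pst = null;
    try {
        String username = request.getParameter("t1");
        String password = request.getParameter("t2");
        String email = request.getParameter("t4");
        String college = request.getParameter("t5");
        String phone = request.getParameter("t6");
        String country = request.getParameter("t7");
        String languages = request.getParameter("t8");

        Class.forName("oracle.jdbc.driver.OracleDriver");
        con = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe", "system", "tiger");
        pst = con.prepareStatement("insert into stu_tab values(?,?,?,?,?,?,?)");
        pst.setString(1, username);
        pst.setString(2, password);
        pst.setString(3, email);
        pst.setString(4, college);
        pst.setString(5, phone);
        pst.setString(6, country);
        pst.setString(7, languages);
        int rows = pst.executeUpdate();

        String heading = rows != 0
                ? "<h3>!.. Registration Successful !..</h3>"
                : "<h3>!.. Registration Failed !..</h3>";
        out.println("<html><body align=center bgcolor=#C0C0C0 text=black>");
        out.println(heading);
        out.println("<a href=Slogin1.html style=text-decoration:none>click here</a> to go back to login page");
        out.println("</body></html>");
    } catch (Exception e) {
        // Do not leak exception text to the client; log it instead.
        e.printStackTrace();
        out.println("<html><body align=center bgcolor=#C0C0C0 text=black>");
        out.println("<h3>!.. Registration Failed !..</h3>");
        out.println("<a href=Slogin1.html style=text-decoration:none>click here</a> to go back to login page");
        out.println("</body></html>");
    } finally {
        if (pst != null) {
            try {
                pst.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
        if (con != null) {
            try {
                con.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
    }
}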
/* goodB2G() - use badsource and goodsink */
/*
 * Juliet test pairing: the data comes from the tainted ("bad") source in the
 * companion 61b class and reaches the safe sink below, where it is bound as a
 * statement parameter rather than concatenated into SQL text.
 */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data = new CWE89_SQL_Injection__getQueryString_Servlet_executeUpdate_61b()
            .goodB2GSource(request, response);
    Connection conn = null;
    PreparedStatement stmt = null;
    try {
        /* FIX: Use prepared statement and executeUpdate (properly) */
        conn = IO.getDBConnection();
        stmt = conn.prepareStatement("insert into users (status) values ('updated') where name=?");
        stmt.setString(1, data);
        int updated = stmt.executeUpdate();
        IO.writeLine("Updated " + updated + " rows successfully.");
    } catch (SQLException e) {
        IO.logger.log(Level.WARNING, "Error getting database connection", e);
    } finally {
        /* Statement first, then connection; each close failure is logged separately. */
        if (stmt != null) {
            try {
                stmt.close();
            } catch (SQLException e) {
                IO.logger.log(Level.WARNING, "Error closing PreparedStatement", e);
            }
        }
        if (conn != null) {
            try {
                conn.close();
            } catch (SQLException e) {
                IO.logger.log(Level.WARNING, "Error closing Connection", e);
            }
        }
    }
}
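/**
 * Stores a comment ({@code comment} parameter) against an answer
 * ({@code answer_id}, parsed as int) and forwards to {@code /studenthome.jsp}.
 *
 * <p>The insert uses bound parameters. Changes: an unused {@code Statement} that
 * was created and never closed is removed; the prepared statement and the
 * connection are closed in {@code finally} (previously they leaked whenever
 * anything threw); exceptions are logged instead of silently discarded. As
 * before, nothing is written to the response on failure.
 *
 * <p>NOTE(review): no authentication/authorisation is visible here, and the
 * comment is stored verbatim — the page that renders comments must HTML-escape
 * them. A state-changing action on GET is also CSRF-prone; consider POST.
 */
public void doGet(HttpServletRequest request, HttpServletResponse response) {
    Connection connection = null;
    PreparedStatement insert = null;
    try {
        String comment = request.getParameter("comment");
        int answerId = Integer.parseInt(request.getParameter("answer_id"));
        connection = GlobalResources.getConnection();
        insert = connection.prepareStatement("insert into comment(comment,answer_id) values(?,?)");
        insert.setString(1, comment);
        insert.setInt(2, answerId);
        insert.executeUpdate();
    } catch (Exception e) {
        e.printStackTrace();
        return;
    } finally {
        if (insert != null) {
            try {
                insert.close();
            } catch (Exception ignored) {
                // best-effort cleanup
            }
        }
        if (connection != null) {
            try {
                connection.close();
            } catch (Exception ignored) {
                // best-effort cleanup
            }
        }
    }
    // Resources are released before the forward, as in the original flow.
    try {
        request.getRequestDispatcher("/studenthome.jsp").forward(request, response);
    } catch (Exception e) {
        e.printStackTrace();
    }
}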
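/**
 * Removes one item from the logged-in member's cart.
 *
 * <p>If no {@code user} bean is in the session, a {@code haveLogin} marker is
 * set and the client is redirected to {@code cart}. Otherwise the row in
 * {@code cart_item_mapping} matching the session's member id and the
 * {@code iID} parameter is deleted and the client is redirected to
 * {@code ShowCartController}. The member id comes from the session, not the
 * request, so a caller can only delete rows of their own cart; both values are
 * bound as parameters.
 *
 * <p>Change: the connection (and, on failure, the statement) is now closed in
 * {@code finally}; before, the connection leaked on every request.
 *
 * <p>FIXME(security): database credentials are embedded in the JDBC URL; move
 * them to a container DataSource or configuration.
 */
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // The session carries the user bean that identifies the member.
    HttpSession session = request.getSession(true);
    response.setContentType("text/html");
    request.setCharacterEncoding("UTF-8");
    UserBean ub = (UserBean) session.getAttribute("user");
    if (ub == null) {
        session.setAttribute("haveLogin", "******");
        response.sendRedirect("cart");
        return;
    }
    String mID = ub.getmID();
    String iID = request.getParameter("iID");
    Connection conn = null;
    PreparedStatement pst = null;
    try {
        Class.forName("com.mysql.jdbc.Driver");
        conn = DriverManager.getConnection(
                "jdbc:mysql://localhost/user_register?"
                        + "user=sqluser&password=sqluserpw&useUnicode=true&characterEncoding=UTF-8");
        pst = conn.prepareStatement("delete from cart_item_mapping where mID=? and iID = ?");
        pst.setString(1, mID);
        pst.setString(2, iID);
        pst.executeUpdate();
        response.sendRedirect("ShowCartController");
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        if (pst != null) {
            try {
                pst.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
        if (conn != null) {
            try {
                conn.close();
            } catch (SQLException ignored) {
                // best-effort cleanup
            }
        }
    }
}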
/* goodB2G() - use badsource and goodsink */
/*
 * Juliet safe sink: the (tainted) value arrives as an Object, is cast to String
 * and bound as a statement parameter, never spliced into the SQL text.
 * Close failures are reported through the "local-logger" logger.
 */
public void goodB2G_sink(Object data_obj) throws Throwable {
    String data = (String) data_obj;
    Logger log = Logger.getLogger("local-logger");
    Connection conn = null;
    PreparedStatement stmt = null;
    try {
        /* FIX: use prepared sqlstatement */
        conn = IO.getDBConnection();
        stmt = conn.prepareStatement("insert into users (status) values ('updated') where name=?");
        stmt.setString(1, data);
        int updated = stmt.executeUpdate();
        IO.writeString("Updated " + updated + " rows successfully.");
    } catch (SQLException se) {
        log.warning("Error getting database connection");
    } finally {
        try {
            if (stmt != null) {
                stmt.close();
            }
        } catch (SQLException e) {
            log.warning("Error closing sqlstatement");
        } finally {
            try {
                if (conn != null) {
                    conn.close();
                }
            } catch (SQLException e) {
                log.warning("Error closing conn_tmp2");
            }
        }
    }
}
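/**
 * Executes the constant {@code CLEAR_WARE} statement (no parameters, no request
 * data). Errors are printed to stderr and swallowed, as before.
 *
 * <p>Changes: the error message named a different file and method
 * ({@code DbTChatRooms.java:clearTChatRooms()}), a copy-paste leftover that
 * would misdirect whoever reads the log; it now names this method. The closes
 * in {@code finally} are null-guarded so a failed {@code getConnection()} does
 * not emit a second NullPointerException trace.
 */
protected static void clear() {
    Connection con = null;
    PreparedStatement pstmt = null;
    try {
        con = DbConnectionManager.getConnection();
        pstmt = con.prepareStatement(CLEAR_WARE);
        pstmt.executeUpdate();
    } catch (SQLException sqle) {
        System.err.println("SQLException in clear() [CLEAR_WARE]: " + sqle);
        sqle.printStackTrace();
    } finally {
        if (pstmt != null) {
            try {
                pstmt.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        if (con != null) {
            try {
                con.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}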
/* goodB2G() - use badsource and goodsink */
/*
 * Juliet safe sink for the 68 variant: the tainted value is read from the
 * static field of the 68a class and bound as a statement parameter.
 */
public void goodB2GSink() throws Throwable {
    String data = CWE89_SQL_Injection__Environment_executeUpdate_68a.data;
    Connection conn = null;
    PreparedStatement stmt = null;
    try {
        /* FIX: Use prepared statement and executeUpdate (properly) */
        conn = IO.getDBConnection();
        stmt = conn.prepareStatement("insert into users (status) values ('updated') where name=?");
        stmt.setString(1, data);
        int updated = stmt.executeUpdate();
        IO.writeLine("Updated " + updated + " rows successfully.");
    } catch (SQLException e) {
        IO.logger.log(Level.WARNING, "Error getting database connection", e);
    } finally {
        /* Statement first, then connection; each close failure is logged separately. */
        if (stmt != null) {
            try {
                stmt.close();
            } catch (SQLException e) {
                IO.logger.log(Level.WARNING, "Error closing PreparedStatement", e);
            }
        }
        if (conn != null) {
            try {
                conn.close();
            } catch (SQLException e) {
                IO.logger.log(Level.WARNING, "Error closing Connection", e);
            }
        }
    }
}
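/**
 * JSP service method for /admin/resetAdminPasswd: changes the password of the
 * admin identified by the session attribute {@code adminid}.
 *
 * <p>Flow: require a logged-in admin (else redirect to login_first.html), read
 * the new {@code password} and {@code fromURL} parameters, reject "1111" and a
 * password equal to the stored one, update {@code admin_01t} in a transaction,
 * then emit a page that either auto-submits to the next URL or shows the
 * confirmation (when {@code fromURL} is "menu").
 *
 * <p>Changes versus the previous version:
 * <ul>
 *   <li>The lookup of the current password concatenated {@code _adminid} into
 *       the SQL text; it is now a bound parameter. {@code _adminid} comes from
 *       the session, which is presumably populated from login input.</li>
 *   <li>{@code fromURL} is request-controlled and was echoed raw into an HTML
 *       attribute; it is now attribute-escaped, and a missing value no longer
 *       NPEs on the "menu" comparison.</li>
 *   <li>A null or empty new password is rejected like "1111" instead of
 *       throwing NullPointerException.</li>
 *   <li>The SELECT's statement and result set are closed; rollback is
 *       null-guarded.</li>
 * </ul>
 *
 * <p>NOTE(review): the schema stores and compares the password in clear text
 * ({@code password = ?}, {@code password.equals(oldPassword)}). Hashing is not
 * done here because the login page that verifies it is not visible; change
 * both together. The "1111" check is the only strength rule. {@code strMsg} is
 * written into a JS string literal unescaped; it is built only from the fixed
 * messages below and must stay that way.
 */
public void _jspService(HttpServletRequest request, HttpServletResponse response)
        throws java.io.IOException, ServletException {
    PageContext pageContext = null;
    HttpSession session = null;
    ServletContext application = null;
    ServletConfig config = null;
    JspWriter out = null;
    Object page = this;
    JspWriter _jspx_out = null;
    PageContext _jspx_page_context = null;
    try {
        response.setContentType("text/html");
        pageContext = _jspxFactory.getPageContext(this, request, response, null, true, 8192, true);
        _jspx_page_context = pageContext;
        application = pageContext.getServletContext();
        config = pageContext.getServletConfig();
        session = pageContext.getSession();
        out = pageContext.getOut();
        _jspx_out = out;
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("<!--%@ page errorPage=\"/error.jsp\" %-->\n");
        // Never let the browser or an intermediary cache this page.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0
        response.setDateHeader("Expires", 0);
        response.setHeader("Cache-Control", "no-cache"); // HTTP 1.1

        String _adminid = "";
        String _adminname = "";
        String _admintype = "";
        String _admingroup = "";
        String _approval = "";
        String _adminclass = "";
        String _adminmail = "";
        try {
            // Session-based admin check; anything odd (missing, empty, "null", cast failure) goes to login.
            _adminid = (String) session.getAttribute("adminid");
            if (_adminid == null || _adminid.length() == 0 || _adminid.equals("null")) {
                response.sendRedirect("/admin/login_first.html");
                return;
            }
            _adminname = (String) session.getAttribute("adminname");
            _admintype = (String) session.getAttribute("admintype");
            _admingroup = (String) session.getAttribute("admingroup");
            _approval = (String) session.getAttribute("approval");
            _adminclass = (String) session.getAttribute("adminclass");
            _adminmail = (String) session.getAttribute("admin_email");
        } catch (Exception e) {
            response.sendRedirect("/admin/login_first.html");
            return;
        }
        out.write('\n');
        out.write('\n');
        out.write('\n');

        String password = request.getParameter("password");
        String fromURL = request.getParameter("fromURL");
        String oldPassword = "";
        int iCnt = 0;
        boolean isSucceeded = false;
        String strMsg = "";
        Connection conn = null;
        PreparedStatement pstmt = null;
        String targetUrl = "";
        try {
            if (password == null || password.length() == 0 || password.equals("1111")) {
                throw new UserDefinedException(
                        "The new password is not acceptable. Change your password.");
            }
            Context ic = new InitialContext();
            DataSource ds = (DataSource) ic.lookup("java:comp/env/jdbc/scm");
            conn = ds.getConnection();

            // Current password for this admin, looked up with a bound parameter.
            PreparedStatement select =
                    conn.prepareStatement("select password from admin_01t where adminid = ?");
            try {
                select.setString(1, _adminid);
                java.sql.ResultSet rs = select.executeQuery();
                try {
                    if (rs.next()) {
                        oldPassword = rs.getString(1);
                    } else {
                        throw new UserDefinedException("Can't find User Information.");
                    }
                } finally {
                    rs.close();
                }
            } finally {
                select.close();
            }
            if (password.equals(oldPassword)) {
                throw new UserDefinedException(
                        "The new password is not acceptable. Change your password.");
            }

            conn.setAutoCommit(false);
            pstmt = conn.prepareStatement(
                    "update admin_01t set password = ?, pw_date = sysdate() where adminid = ?");
            pstmt.setString(1, password);
            pstmt.setString(2, _adminid);
            iCnt = pstmt.executeUpdate();
            if (iCnt != 1) {
                throw new UserDefinedException("Password update failed.");
            }
            conn.commit();
            isSucceeded = true;
        } catch (UserDefinedException ue) {
            try {
                if (conn != null) {
                    conn.rollback();
                }
            } catch (Exception ex) {
                // best-effort rollback
            }
            strMsg = ue.getMessage();
        } catch (Exception e) {
            try {
                if (conn != null) {
                    conn.rollback();
                }
            } catch (Exception ex) {
                // best-effort rollback
            }
            System.out.println("Exception /admin/resetAdminPasswd : " + e.getMessage());
            throw e;
        } finally {
            if (pstmt != null) {
                try {
                    pstmt.close();
                } catch (Exception e) {
                    // best-effort cleanup
                }
            }
            if (conn != null) {
                try {
                    conn.setAutoCommit(true);
                } catch (Exception e) {
                    // best-effort cleanup
                }
                conn.close();
            }
        }

        // Result message and where to send the browser next.
        if (isSucceeded) {
            if ("menu".equals(fromURL)) {
                targetUrl = "";
            } else {
                targetUrl = "/admin/index2.jsp";
            }
            strMsg = "The data are successfully processed.";
        } else {
            strMsg = "The operation failed.\\n" + strMsg;
            targetUrl = "/admin/resetAdminPasswdForm.jsp";
        }
        // fromURL is attacker-controlled; escape it for the single-quoted attribute below.
        String safeFromURL = fromURL == null
                ? ""
                : fromURL.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                        .replace("\"", "&quot;").replace("'", "&#39;");

        out.write("\n");
        out.write("<html>\n");
        out.write("<head>\n");
        out.write("<title></title>\n");
        out.write("<link href=\"/common/css/style.css\" rel=\"stylesheet\" type=\"text/css\">\n");
        out.write("</head>\n");
        out.write("<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0'>\n");
        out.write("<form name=\"form1\" method=\"post\" action=\"");
        out.print(targetUrl);
        out.write("\">\n");
        out.write("<input type='hidden' name='fromURL' value='");
        out.print(safeFromURL);
        out.write("'>\n");
        out.write("</form>\n");
        out.write("<script language=\"javascript\">\n");
        if (targetUrl.length() > 0) {
            out.write("\n");
            out.write(" alert('");
            out.print(strMsg);
            out.write("');\n");
            out.write(" document.form1.submit();\n");
        }
        out.write("\n");
        out.write("</script>\n");
        out.write("<table width='840' border='0' cellspacing='0' cellpadding='0'><tr><td>\n");
        out.write("\n");
        out.write("<table width='99%' border='0' cellspacing='0' cellpadding='0'>\n");
        out.write("<tr>\n");
        out.write(" <td height='15' colspan='2'></td>\n");
        out.write("</tr>\n");
        out.write("<tr>\n");
        out.write(" <td width='3%'><img src='/img/title_icon.gif'></td>\n");
        out.write(" <td width='*' class='left_title'>Password Change</td>\n");
        out.write("</tr>\n");
        out.write("<tr>\n");
        out.write(" <td width='100%' height='2' colspan='2'><hr width='100%'></td>\n");
        out.write("</tr>\n");
        out.write("<tr>\n");
        out.write(" <td height='10' colspan='2'></td>\n");
        out.write("</tr>\n");
        out.write("</table>\n");
        out.write("\n");
        out.write("<table width='90%' border='0' cellspacing='0' cellpadding='0' align='center'>\n");
        out.write("<tr>\n");
        out.write(" <td width='100%' align='center'><img border=\"0\" src=\"/img/pass.jpg\">\n");
        out.write(" <br><br>\n");
        out.write(" <b>The Password has been changed successfully.</b></td>\n");
        out.write("</tr>\n");
        out.write("</table>\n");
        out.println(CopyRightLogo());
        out.write("\n");
        out.write("</tr></td></table>\n");
        out.write("</body>\n");
        out.write("</html>");
    } catch (Throwable t) {
        if (!(t instanceof SkipPageException)) {
            out = _jspx_out;
            if (out != null && out.getBufferSize() != 0) {
                try {
                    out.clearBuffer();
                } catch (java.io.IOException e) {
                    // nothing more to do
                }
            }
            if (_jspx_page_context != null) {
                _jspx_page_context.handlePageException(t);
            }
        }
    } finally {
        _jspxFactory.releasePageContext(_jspx_page_context);
    }
}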
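/**
 * JSP service method for Fines.jsp: renders the two fines forms and then,
 * depending on the request, either lists the fines of one card
 * ({@code Card_no} given, no {@code chk}) or marks the fines of the selected
 * cards ({@code chk} values) as paid.
 *
 * <p>Changes versus the previous version:
 * <ul>
 *   <li>{@code Card_no} and every {@code chk} value were concatenated into SQL
 *       text — a direct SQL injection from request parameters. All queries now
 *       bind them as parameters. The data rendered back is numeric or fixed
 *       text, so no extra output escaping was needed.</li>
 *   <li>The overdue check compared {@code due_date} with an unquoted
 *       {@code yyyy/MM/dd} literal, which the database evaluates as integer
 *       division, not a date; today's date is now bound as a
 *       {@code java.sql.Date}.</li>
 *   <li>Statements, result sets and the connection are closed; previously the
 *       connection leaked on every request.</li>
 * </ul>
 *
 * <p>NOTE(review): the connection uses hard-coded root credentials — replace
 * with a container DataSource and a least-privilege user. No login or
 * card-ownership check is visible here, so any caller can list or pay any
 * card's fines; confirm an upstream filter enforces that. The "outstanding
 * checkouts" warning is printed but payment still proceeds, and the flag is not
 * reset between cards; that reads like a bug but is left as is because the
 * intended rule is not stated.
 */
public void _jspService(HttpServletRequest request, HttpServletResponse response)
        throws java.io.IOException, ServletException {
    PageContext pageContext = null;
    HttpSession session = null;
    ServletContext application = null;
    ServletConfig config = null;
    JspWriter out = null;
    Object page = this;
    JspWriter _jspx_out = null;
    PageContext _jspx_page_context = null;
    try {
        response.setContentType("text/html;charset=UTF-8");
        pageContext = _jspxFactory.getPageContext(this, request, response, null, true, 8192, true);
        _jspx_page_context = pageContext;
        application = pageContext.getServletContext();
        config = pageContext.getServletConfig();
        session = pageContext.getSession();
        out = pageContext.getOut();
        _jspx_out = out;
        _jspx_resourceInjector = (org.glassfish.jsp.api.ResourceInjector)
                application.getAttribute("com.sun.appserv.jsp.resource.injector");
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("\n");
        out.write("<!DOCTYPE html>\n");
        out.write("<html>\n");
        out.write(" <head>\n");
        out.write(" <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\n");
        out.write(" <title>Fine</title>\n");
        out.write(" <link rel=\"stylesheet\" type=\"text/css\" href=\"style.css\"> \n");
        out.write("\n");
        out.write(" </head>\n");
        out.write(" <body style = \"background-image: url(lib2.jpg)\"> \n");
        out.write(" <center>\n");
        out.write(" <h1>Update Fines information</h1>\n");
        out.write(" <form name=\"Update\" action=\"Fines_upd.jsp\">\n");
        out.write(" <table border=\"0\" width=\"3\" cellspacing=\"2\">\n");
        out.write(" <thead>\n");
        out.write(" <tr>\n");
        out.write(" <th>Update Fines</th>\n");
        out.write(" <th></th>\n");
        out.write(" </tr>\n");
        out.write(" </thead>\n");
        out.write(" <tbody>\n");
        out.write(" <tr>\n");
        out.write(" <td>Update Fine table with todays Data</td>\n");
        out.write(" <td><input type=\"submit\" value=\"Update / View Fines\" name=\"SUBMIT\"/></td>\n");
        out.write(" </tr>\n");
        out.write(" </tbody>\n");
        out.write(" </table> \n");
        out.write(" </form>\n");
        out.write(" <h1>Check your Fines Here</h1>\n");
        out.write(" <form name=\"Fines\" action=\"Fines.jsp\">\n");
        out.write(" <table border=\"0\" width=\"3\" cellspacing=\"2\">\n");
        out.write(" <thead>\n");
        out.write(" <tr>\n");
        out.write(" <th>Get Fine Details</th>\n");
        out.write(" <th></th>\n");
        out.write(" </tr>\n");
        out.write(" </thead>\n");
        out.write(" <tbody>\n");
        out.write(" <tr>\n");
        out.write(" <td>Card No</td>\n");
        out.write(" <td><input type=\"text\" name=\"Card_no\" value=\"\"/></td>\n");
        out.write(" </tr>\n");
        out.write(" <tr>\n");
        out.write(" <td></td>\n");
        out.write(" <td><input type=\"submit\" value=\"Get Fines\" name=\"SUBMIT\" /></td>\n");
        out.write(" </tr>\n");
        out.write(" </tbody>\n");
        out.write(" </table> \n");
        out.write(" ");

        String[] selectedCards = request.getParameterValues("chk");
        String cardNoParam = request.getParameter("Card_no");
        Connection con = null;
        try {
            // FIXME(security): hard-coded root credentials; use a container DataSource.
            con = DriverManager.getConnection(
                    "jdbc:mysql://localhost:3306/lbms_db?zeroDateTimeBehavior=convertToNull",
                    "root", "admin12");
            java.sql.Date today = new java.sql.Date(new Date().getTime());

            if (cardNoParam != null && selectedCards == null) {
                // List the fines of one card.
                PreparedStatement pst = con.prepareStatement(
                        "SELECT l.card_no, SUM(f.fine_amt) AS total_fine, f.paid "
                                + "FROM book_loans l, fines f "
                                + "WHERE l.loan_id = f.loan_id AND l.card_no = ? "
                                + "GROUP BY l.card_no");
                try {
                    pst.setString(1, cardNoParam);
                    ResultSet result = pst.executeQuery();
                    try {
                        boolean anyRow = false;
                        out.println("<table>");
                        out.println("<form action='Fines.jsp'>");
                        out.println("<tr>");
                        out.println("<th>Card No</th>");
                        out.println("<th>Fine_Amt</th>");
                        out.println("<th>Paid OR Not</th>");
                        out.println("</tr>");
                        while (result.next()) {
                            anyRow = true;
                            String paid = result.getBoolean("f.paid") ? "Yes" : "No";
                            int cardNo = result.getInt("l.card_no");
                            out.println("<tr>");
                            out.println("<td>" + cardNo + "</td><td>" + result.getString("total_fine")
                                    + "</td><td>" + paid + "</td>");
                            out.print("<td>");
                            out.print("<input name='chk' value=" + cardNo + " type='checkbox'>");
                            out.print("</td>");
                            out.print("</tr>");
                        }
                        if (anyRow) {
                            out.println("<tr>");
                            out.print("<td>");
                            out.print("<input type='submit' value='Pay Fine' name='Pay'>");
                            out.print("</td>");
                            out.println("</tr>");
                        } else {
                            out.write("<dialog open> <font color = 'green'>No Fine information. You owe nothing! Thank You</font> </dialog>");
                        }
                        out.println("</form>");
                        out.println("</table>");
                    } finally {
                        result.close();
                    }
                } finally {
                    pst.close();
                }
            } else if (selectedCards != null) {
                // Mark the fines of every selected card as paid.
                char chkouts = 'N';
                for (int i = 0; i < selectedCards.length; i++) {
                    String cardNo = selectedCards[i];

                    // Warn if the card still has overdue, unreturned books.
                    PreparedStatement pstBook = con.prepareStatement(
                            "SELECT COUNT(loan_id) AS no_chkouts FROM book_loans "
                                    + "WHERE card_no = ? AND date_in = '0000-00-00' AND due_date < ?");
                    try {
                        pstBook.setString(1, cardNo);
                        pstBook.setDate(2, today);
                        ResultSet rsltBook = pstBook.executeQuery();
                        try {
                            while (rsltBook.next()) {
                                if (rsltBook.getInt("no_chkouts") > 0) {
                                    chkouts = 'Y';
                                }
                            }
                        } finally {
                            rsltBook.close();
                        }
                    } finally {
                        pstBook.close();
                    }
                    if (chkouts == 'Y') {
                        out.write("<dialog open> <font color = 'red'>You have outstanding due checkouts!. Please return the books and then Pay the fine</font> </dialog>");
                    }

                    // Loans returned late for this card; each one's fine is marked paid.
                    PreparedStatement pstLoan = con.prepareStatement(
                            "SELECT loan_id FROM book_loans "
                                    + "WHERE card_no = ? AND date_in IS NOT NULL AND due_date < date_in");
                    try {
                        pstLoan.setString(1, cardNo);
                        ResultSet resultLoan = pstLoan.executeQuery();
                        try {
                            while (resultLoan.next()) {
                                PreparedStatement pstUpd =
                                        con.prepareStatement("UPDATE fines SET paid = true WHERE loan_id = ?");
                                try {
                                    pstUpd.setInt(1, resultLoan.getInt("loan_id"));
                                    pstUpd.executeUpdate();
                                } finally {
                                    pstUpd.close();
                                }
                                out.println("Payment Updated Successfully");
                            }
                        } finally {
                            resultLoan.close();
                        }
                    } finally {
                        pstLoan.close();
                    }
                }
            }
        } finally {
            if (con != null) {
                try {
                    con.close();
                } catch (Exception ignored) {
                    // best-effort cleanup
                }
            }
        }

        out.write("\n");
        out.write(" </form> \n");
        out.write(" </center>\n");
        out.write("</body>\n");
        out.write("</html>\n");
    } catch (Throwable t) {
        if (!(t instanceof SkipPageException)) {
            out = _jspx_out;
            if (out != null && out.getBufferSize() != 0) {
                out.clearBuffer();
            }
            if (_jspx_page_context != null) {
                _jspx_page_context.handlePageException(t);
            } else {
                throw new ServletException(t);
            }
        }
    } finally {
        _jspxFactory.releasePageContext(_jspx_page_context);
    }
}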
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
/*
 * Juliet test pairing: the "bad" source reads one line from C:\data.txt; the
 * good sink binds that line as a statement parameter. The constant conditions
 * are part of the fixture (control-flow variant), not a bug to remove.
 */
private void goodB2G2() throws Throwable {
    String data;
    if (5 == 5) {
        data = ""; /* Initialize data */
        File source = new File("C:\\data.txt");
        FileInputStream rawIn = null;
        InputStreamReader charIn = null;
        BufferedReader lineIn = null;
        try {
            /* POTENTIAL FLAW: Read data from a file */
            /* Only the first "line" is read; with few or no newlines it can be very long. */
            rawIn = new FileInputStream(source);
            charIn = new InputStreamReader(rawIn, "UTF-8");
            lineIn = new BufferedReader(charIn);
            data = lineIn.readLine();
        } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
        } finally {
            /* Close stream reading objects, outermost first, each failure logged on its own. */
            if (lineIn != null) {
                try {
                    lineIn.close();
                } catch (IOException exceptIO) {
                    IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
                }
            }
            if (charIn != null) {
                try {
                    charIn.close();
                } catch (IOException exceptIO) {
                    IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
                }
            }
            if (rawIn != null) {
                try {
                    rawIn.close();
                } catch (IOException exceptIO) {
                    IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
                }
            }
        }
    } else {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
         * but ensure data is inititialized before the Sink to avoid compiler errors */
        data = null;
    }
    if (5 == 5) {
        Connection conn = null;
        PreparedStatement stmt = null;
        try {
            /* FIX: Use prepared statement and executeUpdate (properly) */
            conn = IO.getDBConnection();
            stmt = conn.prepareStatement("insert into users (status) values ('updated') where name=?");
            stmt.setString(1, data);
            int updated = stmt.executeUpdate();
            IO.writeLine("Updated " + updated + " rows successfully.");
        } catch (SQLException exceptSql) {
            IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
        } finally {
            if (stmt != null) {
                try {
                    stmt.close();
                } catch (SQLException exceptSql) {
                    IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
                }
            }
            if (conn != null) {
                try {
                    conn.close();
                } catch (SQLException exceptSql) {
                    IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
                }
            }
        }
    }
}