/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
String username = request.getParameter("username");
String password = request.getParameter("password");
Statement stmt;
ResultSet rs;
Connection con = null;
try {
Class.forName("com.mysql.jdbc.Driver");
String connectionUrl = "jdbc:mysql://localhost/myflickr?" + "user=root&password=123456";
con = DriverManager.getConnection(connectionUrl);
if (con != null) {
System.out.println("connected to mysql");
}
} catch (SQLException e) {
System.out.println("SQL Exception: " + e.toString());
} catch (ClassNotFoundException cE) {
System.out.println("Class Not Found Exception: " + cE.toString());
}
try {
stmt = con.createStatement();
System.out.println("SELECT * FROM flickrusers WHERE name='" + username + "'");
rs = stmt.executeQuery("SELECT * FROM flickrusers WHERE name='" + username + "'");
while (rs.next()) {
if (rs.getObject(1).toString().equals(username)) {
out.println("<h1>To username pou epileksate uparxei hdh</h1>");
out.println("<a href=\"project3.html\">parakalw dokimaste kapoio allo.</a>");
stmt.close();
rs.close();
return;
}
}
stmt.close();
rs.close();
stmt = con.createStatement();
if (!stmt.execute("INSERT INTO flickrusers VALUES('" + username + "', '" + password + "')")) {
out.println("<h1>Your registration is completed " + username + "</h1>");
out.println("<a href=\"index.jsp\">go to the login menu</a>");
registerListener.Register(username);
} else {
out.println("<h1>To username pou epileksate uparxei hdh</h1>");
out.println("<a href=\"project3.html\">Register</a>");
}
} catch (SQLException e) {
throw new ServletException("Servlet Could not display records.", e);
}
}
/**
* Determine whether or a not a User with the supplied researcherID exists
*
* @param username The researcherID to test
* @return true if the user exists, false if not
* @throws SQLException if a database error was encountered
*/
public static boolean userExists(int researcherID) throws SQLException {
boolean returnVal = false;
// Get our connection to the database.
Connection conn = DBConnectionManager.getConnection("yrc");
PreparedStatement stmt = null;
ResultSet rs = null;
try {
stmt = conn.prepareStatement("SELECT researcherID FROM tblUsers WHERE researcherID = ?");
stmt.setInt(1, researcherID);
rs = stmt.executeQuery();
// No rows returned.
if (!rs.next()) {
returnVal = false;
} else {
returnVal = true;
}
rs.close();
rs = null;
stmt.close();
stmt = null;
conn.close();
conn = null;
} finally {
// Always make sure result sets and statements are closed,
// and the connection is returned to the pool
if (rs != null) {
try {
rs.close();
} catch (SQLException e) {;
}
rs = null;
}
if (stmt != null) {
try {
stmt.close();
} catch (SQLException e) {;
}
stmt = null;
}
if (conn != null) {
try {
conn.close();
} catch (SQLException e) {;
}
conn = null;
}
}
return returnVal;
}
public String checkValidLogin(String myUserName, String myPW) {
try {
Class.forName(javaSQLDriverPath);
Connection conn =
(Connection) DriverManager.getConnection(ConnectionPath, ConnectionUser, ConnectionPW);
Statement st = conn.createStatement();
String query = "Select * from User";
ResultSet rs = st.executeQuery(query);
while (rs.next()) {
// return rs.getString("Username");
if (myUserName.equals(rs.getString("Username"))) {
if (myPW.equals(rs.getString("Password"))) {
setUserVariables(myUserName);
return "success";
} else {
return "wrongPassword";
}
}
}
rs.close();
st.close();
conn.close();
return "userNotFound";
} catch (Exception e) {
return e.getMessage();
}
}
/* goodB2G1() - use badsource and goodsink by changing second IO.staticTrue to IO.staticFalse */
private void goodB2G1() throws Throwable {
String data;
if (IO.staticTrue) {
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = System.getenv("ADD");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticFalse) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
ResultSet resultSet = null;
try {
/* FIX: Use prepared statement and executeQuery (properly) */
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
sqlStatement.setString(1, data);
resultSet = sqlStatement.executeQuery();
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodG2B() - use goodsource and badsink */
private void goodG2B() throws Throwable {
String data_copy;
{
String data;
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
data_copy = data;
}
{
String data = data_copy;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
ResultSet sqlrs = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
/* POTENTIAL FLAW: take user input and place into dynamic sql query */
sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");
IO.writeString(sqlrs.toString());
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlrs != null) {
sqlrs.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlrs");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
}
/* goodG2B() - use goodsource and badsink */
private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String dataCopy;
{
String data;
/* FIX: Use a hardcoded string */
data = "foo";
dataCopy = data;
}
{
String data = dataCopy;
Connection dbConnection = null;
Statement sqlStatement = null;
ResultSet resultSet = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
public ActionForward execute(
ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res)
throws Exception {
ServiceDataForm obj = (ServiceDataForm) form;
String serviceId = obj.getServiceId();
CalculateService obj2 = new CalculateService();
obj2.calculate(serviceId);
Connection con = null;
Class.forName(ConnectionStats.DRIVER);
String url = ConnectionStats.DB_URL;
String usr = ConnectionStats.DB_USER;
String pwd = ConnectionStats.DB_PASSWORD;
con = DriverManager.getConnection(url, usr, pwd);
Statement stmt = con.createStatement();
ResultSet rs = null;
rs = stmt.executeQuery("select * from " + serviceId + "_main");
ResultSetMetaData rsmd = rs.getMetaData();
int col = rsmd.getColumnCount();
String[] mainHeader = new String[col];
for (int i = 0; i < col; i++) {
mainHeader[i] = rsmd.getColumnLabel(i + 1);
}
ArrayList<String[]> serviceDataMain = new ArrayList<String[]>();
while (rs.next()) {
String[] str = new String[col];
for (int i = 0; i < col; i++) {
str[i] = rs.getString(i + 1);
}
serviceDataMain.add(str);
}
req.setAttribute("mainHeader", mainHeader);
req.setAttribute("serviceDataMain", serviceDataMain);
rs = stmt.executeQuery("select * from " + serviceId + "_tbl");
rsmd = rs.getMetaData();
col = rsmd.getColumnCount();
String[] tblHeader = new String[col];
for (int i = 0; i < col; i++) {
tblHeader[i] = rsmd.getColumnLabel(i + 1);
}
ArrayList<String[]> serviceDatatbl = new ArrayList<String[]>();
while (rs.next()) {
String[] str = new String[col];
for (int i = 0; i < col; i++) {
str[i] = rs.getString(i + 1);
}
serviceDatatbl.add(str);
}
req.setAttribute("tblHeader", tblHeader);
req.setAttribute("serviceDatatbl", serviceDatatbl);
rs.close();
con.close();
return mapping.findForward("success");
}
/* goodG2B1() - use goodsource and badsink by changing first IO.STATIC_FINAL_FIVE==5 to IO.STATIC_FINAL_FIVE!=5 */
private void goodG2B1() throws Throwable {
String data;
if (IO.STATIC_FINAL_FIVE != 5) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
} else {
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.STATIC_FINAL_FIVE == 5) {
Connection dbConnection = null;
Statement sqlStatement = null;
ResultSet resultSet = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
public void bad() throws Throwable {
String data;
if (IO.staticTrue) {
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = System.getenv("ADD");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticTrue) {
Connection dbConnection = null;
Statement sqlStatement = null;
ResultSet resultSet = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */
public void goodB2G1Sink(String data) throws Throwable {
if (CWE89_SQL_Injection__connect_tcp_executeQuery_22a.goodB2G1PublicStatic) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
ResultSet resultSet = null;
try {
/* FIX: Use prepared statement and executeQuery (properly) */
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
sqlStatement.setString(1, data);
resultSet = sqlStatement.executeQuery();
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
private void goodB2G1Sink(String data) throws Throwable {
if (goodB2G1Private) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
ResultSet resultSet = null;
try {
/* FIX: Use prepared statement and executeQuery (properly) */
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
sqlStatement.setString(1, data);
resultSet = sqlStatement.executeQuery();
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// get a connection
ConnectionPool pool = ConnectionPool.getInstance();
Connection connection = pool.getConnection();
String sqlStatement = request.getParameter("sqlStatement");
String sqlResult = "";
try {
// create a statement
Statement statement = connection.createStatement();
// parse the SQL string
sqlStatement = sqlStatement.trim();
if (sqlStatement.length() >= 6) {
String sqlType = sqlStatement.substring(0, 6);
if (sqlType.equalsIgnoreCase("select")) {
// create the HTML for the result set
ResultSet resultSet = statement.executeQuery(sqlStatement);
sqlResult = SQLUtil.getHtmlTable(resultSet);
resultSet.close();
} else {
int i = statement.executeUpdate(sqlStatement);
if (i == 0) {
sqlResult = "<p>The statement executed successfully.</p>";
} else { // an INSERT, UPDATE, or DELETE statement
sqlResult = "<p>The statement executed successfully.<br>" + i + " row(s) affected.</p>";
}
}
}
statement.close();
connection.close();
} catch (SQLException e) {
sqlResult = "<p>Error executing the SQL statement: <br>" + e.getMessage() + "</p>";
} finally {
pool.freeConnection(connection);
}
HttpSession session = request.getSession();
session.setAttribute("sqlResult", sqlResult);
session.setAttribute("sqlStatement", sqlStatement);
String url = "/index.jsp";
getServletContext().getRequestDispatcher(url).forward(request, response);
}
/* goodB2G() - use badsource and goodsink */
public void goodB2G_sink(String data, HttpServletRequest request, HttpServletResponse response)
throws Throwable {
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
PreparedStatement sqlstatement = null;
ResultSet sqlrs = null;
try {
/* FIX: use prepared sqlstatement */
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.prepareStatement("select * from users where name=?");
sqlstatement.setString(1, data);
sqlrs = sqlstatement.executeQuery();
IO.writeString(sqlrs.toString());
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlrs != null) {
sqlrs.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlrs");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(String data, HttpServletRequest request, HttpServletResponse response)
throws Throwable {
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
ResultSet sqlrs = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
/* POTENTIAL FLAW: take user input and place into dynamic sql query */
sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");
IO.writeString(sqlrs.toString());
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlrs != null) {
sqlrs.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlrs");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
/* goodB2G() - use BadSource and GoodSink */
public void goodB2GSink(HashMap<Integer, String> dataHashMap) throws Throwable {
String data = dataHashMap.get(2);
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
ResultSet resultSet = null;
try {
/* FIX: Use prepared statement and executeQuery (properly) */
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
sqlStatement.setString(1, data);
resultSet = sqlStatement.executeQuery();
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B() - use GoodSource and BadSink */
public void goodG2BSink(HashMap<Integer, String> dataHashMap) throws Throwable {
String data = dataHashMap.get(2);
Connection dbConnection = null;
Statement sqlStatement = null;
ResultSet resultSet = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
Statement question;
String query;
ResultSet answer;
connect();
try {
query = "SELECT * FROM PILOT WHERE Address ='" + request.getParameter("city") + "'";
question = link.createStatement();
answer = question.executeQuery(query);
PrintWriter pen;
response.setContentType("text/html");
pen = response.getWriter();
pen.println("<HTML>");
pen.println("<HEAD> <TITLE> Answer </TITLE> </HEAD>");
pen.println("<BODY>");
while (answer.next()) {
String pN = answer.getString("PilotNumber");
String lN = answer.getString("LastName");
String fN = answer.getString("FirstName");
String ad = answer.getString("Address");
float sa = answer.getFloat("Salary");
float pr = answer.getFloat("Premium");
Date hD = answer.getDate("HiringDate");
if (answer.wasNull() == false) {
pen.println("<P><B> Pilot : </B>" + lN + " " + fN);
pen.println("<P><B> ---Reference : </B>" + pN);
pen.println("<P><B> ---Address : </B>" + ad);
pen.println("<P><B> ---Salary : </B>" + sa);
pen.println("<P><B> ---since : </B>" + hD);
if (pr > 0) pen.println("<P><B> ---Premium : </B>" + pr);
else pen.println("<P><B> ---No premium </B>");
}
}
pen.println("</BODY>");
pen.println("</HTML>");
answer.close();
question.close();
link.close();
} catch (SQLException e) {
System.out.println("Connection error: " + e.getMessage());
}
}
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String dbUser = "******"; // enter your username here
String dbPassword = "******"; // enter your password here
try {
OracleDataSource ods = new oracle.jdbc.pool.OracleDataSource();
ods.setURL("jdbc:oracle:thin:@//w4111b.cs.columbia.edu:1521/ADB");
ods.setUser(dbUser);
ods.setPassword(dbPassword);
Connection conn = ods.getConnection();
String query = new String();
Statement s = conn.createStatement();
query = "select * from events";
ResultSet r = s.executeQuery(query);
while (r.next()) {
out.println("Today's Date: " + r.getString(1) + " ");
}
r.close();
s.close();
conn.close();
} catch (Exception e) {
out.println("The database could not be accessed.<br>");
out.println("More information is available as follows:<br>");
e.printStackTrace(out);
}
} // end doGet method
/* goodB2G() - use badsource and goodsink */
private void goodB2G() throws Throwable {
String data_copy;
{
String data;
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
/* read user input from console with readLine*/
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
instrread = new InputStreamReader(System.in);
buffread = new BufferedReader(instrread);
data = buffread.readLine();
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
}
data_copy = data;
}
{
String data = data_copy;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
PreparedStatement sqlstatement = null;
ResultSet sqlrs = null;
try {
/* FIX: use prepared sqlstatement */
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.prepareStatement("select * from users where name=?");
sqlstatement.setString(1, data);
sqlrs = sqlstatement.executeQuery();
IO.writeString(sqlrs.toString());
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlrs != null) {
sqlrs.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlrs");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
data = "";
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
data = rs.toString();
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
(new CWE89_SQL_Injection__getQueryStringServlet_executeUpdate_53b())
.bad_sink(data, request, response);
}
/* uses badsource and badsink */
public void bad() throws Throwable {
String data;
switch (6) {
case 6:
{
data = "pass";
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
java.util.logging.Logger log_good_source =
java.util.logging.Logger.getLogger("local-logger");
BufferedReader bufread2 = null;
InputStreamReader inread2 = null;
Properties prop = new Properties();
IO.writeLine("Enter the password: "******"";
try {
inread2 = new InputStreamReader(System.in);
bufread2 = new BufferedReader(inread2);
/* FIX: password is read from stdin */
data = bufread2.readLine();
} catch (Exception e) {
log_good_source.warning("Exception in try");
} finally {
try {
if (bufread2 != null) {
bufread2.close();
}
} catch (IOException e) {
log_good_source.warning("Error closing bufread2");
} finally {
try {
if (inread2 != null) {
inread2.close();
}
} catch (IOException e) {
log_good_source.warning("Error closing inread2");
}
}
}
}
break;
}
java.util.logging.Logger log2 = java.util.logging.Logger.getLogger("local-logger");
Connection conn2 = null;
PreparedStatement st = null;
ResultSet rs2 = null;
String pw = data;
try {
/* POTENTIAL FLAW: use of hard-coded password */
conn2 = DriverManager.getConnection("data-url", "root", pw);
st = conn2.prepareStatement("select * from test_table");
rs2 = st.executeQuery();
} catch (SQLException e) {
log2.warning("Error with database connection");
} finally {
try {
if (rs2 != null) {
rs2.close();
}
} catch (SQLException e) {
log2.warning("Error closing rs2");
} finally {
try {
if (st != null) {
st.close();
}
} catch (SQLException e) {
log2.warning("Error closing st");
} finally {
try {
if (conn2 != null) {
conn2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn2");
}
}
}
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
data = "";
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
data = rs.toString();
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
{
try {
int iConversion = Integer.valueOf(data);
} catch (Exception e) {
e.printStackTrace(); /* POTENTIAL FLAW: Print stack trace on error */
}
}
if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True.
We need the "if(true)" because the Java Language Spec requires that
unreachable code generate a compiler error */
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
try {
int iConversion = Integer.valueOf(data);
} catch (Exception e) {
IO.writeLine("There was an error parsing the string"); /* FIX: print a generic message */
}
}
}
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException {
// create the workbook, its worksheet, and its title row
Workbook workbook = new HSSFWorkbook();
Sheet sheet = workbook.createSheet("User table");
Row row = sheet.createRow(0);
row.createCell(0).setCellValue("The User table");
// create the header row
row = sheet.createRow(2);
row.createCell(0).setCellValue("UserID");
row.createCell(1).setCellValue("LastName");
row.createCell(2).setCellValue("FirstName");
row.createCell(3).setCellValue("Email");
try {
// read database rows
ConnectionPool pool = ConnectionPool.getInstance();
Connection connection = pool.getConnection();
Statement statement = connection.createStatement();
String query = "SELECT * FROM User ORDER BY UserID";
ResultSet results = statement.executeQuery(query);
// create spreadsheet rows
int i = 3;
while (results.next()) {
row = sheet.createRow(i);
row.createCell(0).setCellValue(results.getInt("UserID"));
row.createCell(1).setCellValue(results.getString("LastName"));
row.createCell(2).setCellValue(results.getString("FirstName"));
row.createCell(3).setCellValue(results.getString("Email"));
i++;
}
results.close();
statement.close();
connection.close();
} catch (SQLException e) {
this.log(e.toString());
}
// set response object headers
response.setHeader("content-disposition", "attachment; filename=users.xls");
response.setHeader("cache-control", "no-cache");
// get the output stream
String encodingString = request.getHeader("accept-encoding");
OutputStream out;
if (encodingString != null && encodingString.contains("gzip")) {
out = new GZIPOutputStream(response.getOutputStream());
response.setHeader("content-encoding", "gzip");
// System.out.println("User table encoded with gzip");
} else {
out = response.getOutputStream();
// System.out.println("User table not encoded with gzip");
}
// send the workbook to the browser
workbook.write(out);
out.close();
}
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
String username = request.getParameter("username");
String password = request.getParameter("password");
Statement stmt;
ResultSet rs;
if (username == null || password == null) {
out.println("<h1>Invalid Register Request</h1>");
out.println("<a href=\"register.html\">Register</a>");
return;
}
Connection con = null;
try {
Class.forName("com.mysql.jdbc.Driver");
String connectionUrl = "jdbc:mysql://localhost/project3?" + "user=root&password=marouli";
con = DriverManager.getConnection(connectionUrl);
if (con != null) {
System.out.println("Ola ok me mysql");
}
} catch (SQLException e) {
System.out.println("SQL Exception: " + e.toString());
} catch (ClassNotFoundException cE) {
System.out.println("Class Not Found Exception: " + cE.toString());
}
try {
stmt = con.createStatement();
rs = stmt.executeQuery("SELECT * FROM users WHERE username='******'");
if (rs.next()) {
out.println("<h1>Username exists</h1>");
out.println("<a href=\"register.html\">Register</a>");
stmt.close();
rs.close();
con.close();
return;
}
stmt.close();
rs.close();
stmt = con.createStatement();
if (!stmt.execute("INSERT INTO users VALUES('" + username + "', '" + password + "')")) {
out.println("<h1>You are now registered " + username + "</h1>");
out.println("<a href=\"index.jsp\">Login</a>");
int i;
for (i = 0; i < listeners.size(); i++) listeners.get(i).UserRegistered(username);
} else {
out.println("<h1>Could not add your username to the db</h1>");
out.println("<a href=\"register.html\">Register</a>");
}
stmt.close();
con.close();
} catch (SQLException e) {
throw new ServletException("Servlet Could not display records.", e);
}
}
public void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
resp.setContentType("text/html");
PrintWriter out = resp.getWriter();
PreparedStatement pstmt = null;
Statement stmt = null;
ResultSet rs = null;
HttpSession session = SystemUtils.verifyMem(req, out); // check for intruder
if (session == null) return;
Connection con = Connect.getCon(req); // get DB connection
if (con == null) {
resp.setContentType("text/html");
out.println(SystemUtils.HeadTitle("DB Connection Error"));
out.println("<BODY><CENTER><BR>");
out.println("<BR><BR><H3>Database Connection Error</H3>");
out.println("<BR><BR>Unable to connect to the Database.");
out.println("<BR>Please try again later.");
out.println("<BR><BR>If problem persists, contact customer support.");
out.println("<BR><BR>");
out.println("<a href=\"javascript:history.back(1)\">Return</a>");
out.println("</CENTER></BODY></HTML>");
out.close();
return;
}
//
// Get needed vars out of session obj
//
String club = (String) session.getAttribute("club");
String user = (String) session.getAttribute("user");
String caller = (String) session.getAttribute("caller");
int activity_id = (Integer) session.getAttribute("activity_id");
int foretees_mode = 0;
String stype_id = req.getParameter("type_id");
int type_id = 0;
String sgroup_id = req.getParameter("group_id");
int group_id = 0;
String sitem_id = req.getParameter("item_id");
int item_id = 0;
try {
type_id = Integer.parseInt(stype_id);
} catch (NumberFormatException ignore) {
}
try {
group_id = Integer.parseInt(sgroup_id);
} catch (NumberFormatException ignore) {
}
try {
item_id = Integer.parseInt(sitem_id);
} catch (NumberFormatException ignore) {
}
out.println(
"<!-- type_id=" + type_id + ", group_id=" + group_id + ", item_id=" + item_id + " -->");
//
// START PAGE OUTPUT
//
out.println(SystemUtils.HeadTitle("Member Acivities"));
out.println("<style>");
out.println(".actLink { color: black }");
out.println(".actLink:hover { color: #336633 }");
// out.println(".playerTD {width:125px}");
out.println("</style>");
out.println(
"<body bgcolor=\"#CCCCAA\" text=\"#000000\" link=\"#336633\" vlink=\"#8B8970\" alink=\"#8B8970\">");
SystemUtils.getMemberSubMenu(req, out, caller); // required to allow submenus on this page
//
// DISPLAY A LIST OF AVAILABLE ACTIVITIES
//
out.println(
"<p align=center><b><font size=5 color=#336633><BR><BR>Available Activities</font></b></p>");
out.println(
"<p align=center><b><font size=3 color=#000000>Select your desired activity from the list below.<br>NOTE: You can set your default activity under <a href=\"Member_services\" class=actLink>Settings</a>.</font></b></p>");
out.println("<table align=center>");
try {
stmt = con.createStatement();
rs = stmt.executeQuery("SELECT foretees_mode FROM club5 WHERE clubName <> '';");
if (rs.next()) {
foretees_mode = rs.getInt(1);
}
// if they have foretees then give a link in to the golf system
if (foretees_mode != 0) {
out.println(
"<tr><td align=center><b><a href=\"Member_jump?switch&activity_id=0\" class=linkA style=\"color:#336633\" target=_top>Golf</a></b></td></tr>"); // ForeTees
}
// build a link to any activities they have access to
rs =
stmt.executeQuery(
"SELECT * FROM activities " + "WHERE parent_id = 0 " + "ORDER BY activity_name");
while (rs.next()) {
out.println(
"<tr><td align=center><b><a href=\"Member_jump?switch&activity_id="
+ rs.getInt("activity_id")
+ "\" class=linkA style=\"color:#336633\" target=_top>"
+ rs.getString("activity_name")
+ "</a></b></td></tr>");
}
stmt.close();
} catch (Exception exc) {
out.println("<p>ERROR:" + exc.toString() + "</p>");
} finally {
try {
rs.close();
} catch (Exception ignore) {
}
try {
stmt.close();
} catch (Exception ignore) {
}
}
out.println("</table>");
out.println("</body></html>");
/*
out.println("<script>");
out.println("function load_types() {");
out.println(" try {document.forms['frmSelect'].item_id.selectedIndex = -1; } catch (err) {}");
out.println(" document.forms['frmSelect'].group_id.selectedIndex = -1;");
out.println(" document.forms['frmSelect'].submit();");
out.println("}");
out.println("function load_groups() {");
out.println(" document.forms['frmSelect'].submit();");
out.println("}");
out.println("function load_times(id) {");
out.println(" top.bot.location.href='Member_gensheets?id=' + id;");
out.println("}");
out.println("</script>");
out.println("<form name=frmSelect>");
// LOAD ACTIVITY TYPES
out.println("<select name=type_id onchange=\"load_types()\">");
if (type_id == 0) {
out.println("<option>CHOOSE TYPE</option>");
}
try {
stmt = con.createStatement();
rs = stmt.executeQuery("SELECT * FROM activities WHERE parent_id = 0");
while (rs.next()) {
Common_Config.buildOption(rs.getInt("activity_id"), rs.getString("activity_name"), type_id, out);
}
stmt.close();
} catch (Exception exc) {
out.println("<p>ERROR:" + exc.toString() + "</p>");
}
out.println("");
out.println("</select>");
// LOAD ACTIVITIES BY GROUP TYPE
out.println("<select name=group_id onchange=\"load_groups()\">");
if (type_id == 0) {
out.println("<option>CHOOSE TYPE</option>");
} else {
try {
stmt = con.createStatement();
rs = stmt.executeQuery("SELECT activity_id, activity_name FROM activities WHERE parent_id = " + type_id);
rs.last();
if (rs.getRow() == 1) {
group_id = rs.getInt("activity_id");
out.println("<!-- ONLY FOUND 1 GROUP -->");
} else {
out.println("<option value=\"0\">CHOOSE...</option>");
}
rs.beforeFirst();
while (rs.next()) {
Common_Config.buildOption(rs.getInt("activity_id"), rs.getString("activity_name"), group_id, out);
}
stmt.close();
} catch (Exception exc) {
out.println("<p>ERROR:" + exc.toString() + "</p>");
}
}
out.println("");
out.println("</select>");
boolean do_load = false;
if (group_id > 0 ) { //|| sitem_id != null
// LOAD ACTIVITIES BY ITEM TYPE
try {
stmt = con.createStatement();
rs = stmt.executeQuery("SELECT activity_id, activity_name FROM activities WHERE parent_id = " + group_id);
rs.last();
if (rs.getRow() == 0) {
// no sub groups found
do_load = true;
item_id = group_id;
} else if (rs.getRow() == 1) {
// single sub group found (pre select it)
item_id = rs.getInt("activity_id");
out.println("<!-- ONLY FOUND 1 ITEM -->");
} else {
out.println("<select name=item_id onchange=\"load_times(this.options[this.selectedIndex].value)\">");
out.println("<option value=\"0\">CHOOSE...</option>");
}
if (!do_load) {
rs.beforeFirst();
while (rs.next()) {
Common_Config.buildOption(rs.getInt("activity_id"), rs.getString("activity_name"), item_id, out);
}
}
stmt.close();
out.println("");
out.println("</select>");
} catch (Exception exc) {
out.println("<p>ERROR:" + exc.toString() + "</p>");
}
}
out.println("</form>");
out.println("<p><a href=\"Member_genrez\">Reset</a></p>");
try {
con.close();
} catch (Exception ignore) {}
if (do_load) out.println("<script>load_times(" + item_id + ")</script>");
//out.println("<iframe name=ifSheet src=\"\" style=\"width:640px height:480px\"></iframe>");
*/
out.close();
}
/**
* Determine whether or a not a Researcher with the supplied email exists
*
* @param email The email to test
* @return The researcher ID of the researcher if it exists, -1 if it doesn't
* @throws SQLException if a database error was encountered
*/
public static int emailExists(String email) throws SQLException {
int returnVal = -1;
if (email == null || email.equals("")) {
return -1;
}
// Get our connection to the database.
Connection conn = DBConnectionManager.getConnection("yrc");
PreparedStatement stmt = null;
ResultSet rs = null;
try {
stmt =
conn.prepareStatement(
"SELECT researcherID FROM tblResearchers WHERE researcherEmail = ?");
stmt.setString(1, email);
rs = stmt.executeQuery();
// No rows returned.
if (!rs.next()) {
returnVal = -1;
} else {
returnVal = rs.getInt("researcherID");
}
rs.close();
rs = null;
stmt.close();
stmt = null;
conn.close();
conn = null;
} finally {
// Always make sure result sets and statements are closed,
// and the connection is returned to the pool
if (rs != null) {
try {
rs.close();
} catch (SQLException e) {;
}
rs = null;
}
if (stmt != null) {
try {
stmt.close();
} catch (SQLException e) {;
}
stmt = null;
}
if (conn != null) {
try {
conn.close();
} catch (SQLException e) {;
}
conn = null;
}
}
return returnVal;
}
/**
* Get a populated User object corresponding to a username.
*
* @param username The username to test
* @return The User object corresponding to that username.
* @throws NoSuchUserException if that username does not exist.
* @throws SQLException if a database error was encountered.
*/
public static User getUser(String username) throws NoSuchUserException, SQLException {
// The User to return
User theUser;
// Make sure the username isn't null
if (username == null) {
throw new NoSuchUserException("got null for username in UserUtils.getUser");
}
// Get our connection to the database.
Connection conn = DBConnectionManager.getConnection("yrc");
PreparedStatement stmt = null;
ResultSet rs = null;
try {
stmt = conn.prepareStatement("SELECT researcherID FROM tblUsers WHERE username = ?");
stmt.setString(1, username);
rs = stmt.executeQuery();
// No rows returned.
if (!rs.next()) {
throw new NoSuchUserException("Username not found.");
}
theUser = new User();
try {
theUser.load(rs.getInt("researcherID"));
} catch (InvalidIDException e) {
throw new NoSuchUserException(
"Somehow, we got an invalid ID ("
+ rs.getInt("researcherID")
+ ") after we got the ID from the username... This can't be good.");
}
rs.close();
rs = null;
stmt.close();
stmt = null;
conn.close();
conn = null;
} finally {
// Always make sure result sets and statements are closed,
// and the connection is returned to the pool
if (rs != null) {
try {
rs.close();
} catch (SQLException e) {;
}
rs = null;
}
if (stmt != null) {
try {
stmt.close();
} catch (SQLException e) {;
}
stmt = null;
}
if (conn != null) {
try {
conn.close();
} catch (SQLException e) {;
}
conn = null;
}
}
return theUser;
}
/** Business logic to execute. */
public final Response executeCommand(
Object inputPar,
UserSessionParameters userSessionPars,
HttpServletRequest request,
HttpServletResponse response,
HttpSession userSession,
ServletContext context) {
String serverLanguageId = ((JAIOUserSessionParameters) userSessionPars).getServerLanguageId();
Connection conn = null;
Statement stmt = null;
try {
conn = ConnectionManager.getConnection(context);
// fires the GenericEvent.CONNECTION_CREATED event...
EventsManager.getInstance()
.processEvent(
new GenericEvent(
this,
getRequestName(),
GenericEvent.CONNECTION_CREATED,
(JAIOUserSessionParameters) userSessionPars,
request,
response,
userSession,
context,
conn,
inputPar,
null));
java.util.List list = (ArrayList) inputPar;
HierarItemDiscountVO vo = null;
ResultSet rset = null;
stmt = conn.createStatement();
for (int i = 0; i < list.size(); i++) {
vo = (HierarItemDiscountVO) list.get(i);
vo.setDiscountTypeSAL03(ApplicationConsts.DISCOUNT_CUSTOMER);
// retrieve COMPANY_CODE from progressiveHIE01...
rset =
stmt.executeQuery(
"select COMPANY_CODE_SYS01 from ITM02_ITEM_TYPES where PROGRESSIVE_HIE02 in "
+ "(select PROGRESSIVE_HIE02 from HIE01_LEVELS where PROGRESSIVE="
+ vo.getProgressiveHie01SAL05()
+ ")");
if (rset.next()) vo.setCompanyCodeSys01SAL03(rset.getString(1));
else {
rset.close();
conn.rollback();
return new ErrorResponse("Item hierarchy not found.");
}
rset.close();
DiscountBean.insertDiscount(conn, vo);
stmt.execute(
"insert into SAL05_ITEM_HIERAR_DISCOUNTS(COMPANY_CODE_SYS01,PROGRESSIVE_HIE01,DISCOUNT_CODE_SAL03) "
+ "values('"
+ vo.getCompanyCodeSys01SAL03()
+ "',"
+ vo.getProgressiveHie01SAL05()
+ ",'"
+ vo.getDiscountCodeSAL03()
+ "')");
}
Response answer = new VOListResponse(list, false, list.size());
// fires the GenericEvent.BEFORE_COMMIT event...
EventsManager.getInstance()
.processEvent(
new GenericEvent(
this,
getRequestName(),
GenericEvent.BEFORE_COMMIT,
(JAIOUserSessionParameters) userSessionPars,
request,
response,
userSession,
context,
conn,
inputPar,
answer));
conn.commit();
// fires the GenericEvent.AFTER_COMMIT event...
EventsManager.getInstance()
.processEvent(
new GenericEvent(
this,
getRequestName(),
GenericEvent.AFTER_COMMIT,
(JAIOUserSessionParameters) userSessionPars,
request,
response,
userSession,
context,
conn,
inputPar,
answer));
return answer;
} catch (Throwable ex) {
Logger.error(
userSessionPars.getUsername(),
this.getClass().getName(),
"executeCommand",
"Error while inserting hierarchy item discounts",
ex);
try {
conn.rollback();
} catch (Exception ex3) {
}
return new ErrorResponse(ex.getMessage());
} finally {
try {
stmt.close();
} catch (Exception ex2) {
}
try {
ConnectionManager.releaseConnection(conn, context);
} catch (Exception ex1) {
}
}
}
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
HttpSession session = request.getSession(true);
try {
Object accountObject = session.getValue(ACCOUNT);
// If no account object was put in the session, or
// if one exists but it is not a hashtable, then
// redirect the user to the original login page
if (accountObject == null)
throw new RuntimeException("You need to log in to use this service!");
if (!(accountObject instanceof Hashtable))
throw new RuntimeException("You need to log in to use this service!");
Hashtable account = (Hashtable) accountObject;
String userName = (String) account.get("name");
//////////////////////////////////////////////
// Display Messages for the user who logged in
//////////////////////////////////////////////
out.println("<HTML>");
out.println("<HEAD>");
out.println("<TITLE>Contacts for " + userName + "</TITLE>");
out.println("</HEAD>");
out.println("<BODY BGCOLOR='#EFEFEF'>");
out.println("<H3>Welcome " + userName + "</H3>");
out.println("<CENTER>");
Connection con = null;
Statement stmt = null;
ResultSet rs = null;
try {
Class.forName("com.mysql.jdbc.Driver").newInstance();
con =
DriverManager.getConnection(
"jdbc:mysql://localhost/contacts?user=kareena&password=kapoor");
stmt = con.createStatement();
rs =
stmt.executeQuery(
"SELECT * FROM contacts WHERE userName='******' ORDER BY contactID");
out.println("<form name='deleteContactsForm' method='post' action='deleteContact'>");
out.println("<TABLE BGCOLOR='#EFEFFF' CELLPADDING='2' CELLSPACING='4' BORDER='1'>");
out.println("<TR BGCOLOR='#D6DFFF'>");
out.println("<TD ALIGN='center'><B>Contact ID</B></TD>");
out.println("<TD ALIGN='center'><B>Contact Name</B></TD>");
out.println("<TD ALIGN='center'><B>Comment</B></TD>");
out.println("<TD ALIGN='center'><B>Date</B></TD>");
out.println("<TD ALIGN='center'><B>Delete Contacts</B></TD>");
out.println("</TR>");
int nRows = 0;
while (rs.next()) {
nRows++;
String messageID = rs.getString("contactID");
String fromUser = rs.getString("contactName");
String message = rs.getString("comments");
String messageDate = rs.getString("dateAdded");
out.println("<TR>");
out.println("<TD>" + messageID + "</TD>");
out.println("<TD>" + fromUser + "</TD>");
out.println("<TD>" + message + "</TD>");
out.println("<TD>" + messageDate + "</TD>");
out.println(
"<TD><input type='checkbox' name='msgList' value='" + messageID + "'> Delete</TD>");
out.println("</TR>");
}
out.println("<TR>");
out.println(
"<TD COLSPAN='6' ALIGN='center'><input type='submit' value='Delete Selected Contacts'></TD>");
out.println("</TR>");
out.println("</TABLE>");
out.println("</FORM>");
} catch (Exception e) {
out.println("Could not connect to the users database.<P>");
out.println("The error message was");
out.println("<PRE>");
out.println(e.getMessage());
out.println("</PRE>");
} finally {
if (rs != null) {
try {
rs.close();
} catch (SQLException ignore) {
}
}
if (stmt != null) {
try {
stmt.close();
} catch (SQLException ignore) {
}
}
if (con != null) {
try {
con.close();
} catch (SQLException ignore) {
}
}
}
out.println("</CENTER>");
out.println("</BODY>");
out.println("</HTML>");
} catch (RuntimeException e) {
out.println("<script language=\"javascript\">");
out.println("alert(\"You need to log in to use this service!\");");
out.println("</script>");
out.println("<a href='index.html'>Click Here</a> to go to the main page.<br><br>");
out.println(
"Or Click on the button to exit<FORM><INPUT onClick=\"javascipt:window.close()\" TYPE=\"BUTTON\" VALUE=\"Close Browser\" TITLE=\"Click here to close window\" NAME=\"CloseWindow\" STYLE=\"font-family:Verdana, Arial, Helvetica; font-size:smaller; font-weight:bold\"></FORM>");
log(e.getMessage());
return;
}
}
public void bad() throws Throwable {
String data_copy;
{
String data;
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
/* read user input from console with readLine*/
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
instrread = new InputStreamReader(System.in);
buffread = new BufferedReader(instrread);
data = buffread.readLine();
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
}
data_copy = data;
}
{
String data = data_copy;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
ResultSet sqlrs = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
/* POTENTIAL FLAW: take user input and place into dynamic sql query */
sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");
IO.writeString(sqlrs.toString());
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlrs != null) {
sqlrs.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlrs");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
}
