/* goodG2B() - use GoodSource and BadSink */
private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* FIX: Use a hardcoded string */
data = "foo";
CWE113_HTTP_Response_Splitting__database_setHeaderServlet_81_base baseObject =
new CWE113_HTTP_Response_Splitting__database_setHeaderServlet_81_goodG2B();
baseObject.action(data, request, response);
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
data = ""; /* Initialize data */
/* Read data from a database */
{
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet resultSet = null;
try {
/* setup the connection */
connection = IO.getDBConnection();
/* prepare and execute a (hardcoded) query */
preparedStatement = connection.prepareStatement("select name from users where id=0");
resultSet = preparedStatement.executeQuery();
/* POTENTIAL FLAW: Read data from a database query resultset */
data = resultSet.getString(1);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error with SQL statement", exceptSql);
} finally {
/* Close database objects */
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (preparedStatement != null) {
preparedStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (connection != null) {
connection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
CWE113_HTTP_Response_Splitting__database_setHeaderServlet_81_base baseObject =
new CWE113_HTTP_Response_Splitting__database_setHeaderServlet_81_bad();
baseObject.action(data, request, response);
}
