
@jipengxiang
Created January 17, 2019 00:11
Please complete the following e-learning tasks by 13/1/19 11:59pm:
1) Complete the 3 coding exercises at https://mimosa-admin.arcadove.host
2) Complete Practical 6
Submit Practical 6 to the E-learning Practical Submission Folder
@c-tianle

Tian Le, Keane, Ryan, Afzal, Jerrod

PreparedStatement for mimosa

// Parameterised query: the '?' placeholders are bound separately from the SQL text,
// so whatever the request sends for username/password is treated as data, never as SQL
String sql = "select * from sqli_employees where username = ? and password = ?";
PreparedStatement pstmt = conn.prepareStatement(sql);
pstmt.setString(1, username);
pstmt.setString(2, password);
ResultSet rs = pstmt.executeQuery();

Medium regex mimosa

String email = request.getParameter("email");
// local part: at least 4 letters, digits, '.' or '_'; the domain dots are escaped
// ("\\." in the Java literal) so '.' matches a literal dot, not any character
String pattern = "^[A-Za-z0-9._]{4,}@ichat\\.sp\\.edu\\.sg$";
boolean bool = email.matches(pattern);   // matches() requires the whole string to match
String output = String.valueOf(bool);
request.setAttribute("output", output);

Hard regex mimosa

String password = request.getParameter("password");
// 8 to 16 characters with at least one digit, one lowercase, one uppercase and one of
// !@#$%^&, and no whitespace. Each lookahead needs ".*" so it scans the whole string,
// and "\\s" is the Java string escape for the regex \s. (A separate [a-zA-Z] lookahead
// is implied by the lowercase and uppercase ones, so it is not repeated here.)
String pattern = "^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&])(?!.*\\s).{8,16}$";
boolean bool = password.matches(pattern);
String output = String.valueOf(bool);
request.setAttribute("output", output);

Practical 6 e-learning

Part A
//(a) Do validation and output sanitization
else {
    // only allow letters (this also rules out the LIKE wildcards % and _ used in Part B)
    String p = "[a-zA-Z]+";
    if (search.matches(p)) {
        // HTML-encode the value that is echoed back to the page; write searchClean,
        // not the raw search, to the response
        String searchClean = StringEscapeUtils.escapeHtml4(search);
    }
    else {
        search = "";
        out.println("Invalid Search Query");
    }
}

Part B
//(b) Wrong use of preparedStatement, to fix
// the search term is bound as a parameter; the '%' wildcards are added to the bound
// value, never concatenated into the SQL text
String sqlStr = "Select * from inventory where functions like ? order by brand, model";
PreparedStatement pstmt = conn.prepareStatement(sqlStr);
pstmt.setString(1, "%" + search + "%");
ResultSet rs = pstmt.executeQuery();

Part C
//(c) validation of id
// '+' rather than '*': "[0-9]*" would also accept an empty id
String p = "[0-9]+";
if (id.matches(p)) {

Part D
//(d) Wrong use of preparedStatement, to fix
// the id (already validated as digits only in Part C) is bound, not concatenated
String sqlStr = "Delete from Inventory WHERE ID= ?";
PreparedStatement pstmt = conn.prepareStatement(sqlStr);
pstmt.setString(1, id);

int rec = pstmt.executeUpdate();
conn.close();
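An added example, not from the gist or the comment above, that exercises the same fixes end to end in Python against a constructed in-memory SQLite database: a parameterised login in the shape of the mimosa PreparedStatement, the Part A/B search where the letters-only check is what keeps LIKE wildcards out of the bound value, the Part C id check, and the two regexes with the characters lost in rendering restored. Table rows and test values are constructed.

```python
import re
import sqlite3

# Constructed in-memory stand-ins for the practical's tables (hypothetical rows).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sqli_employees (username text, password text)")
    conn.execute("insert into sqli_employees values ('alice', 's3cret')")
    conn.execute("create table inventory (id integer, brand text, model text, functions text)")
    conn.executemany("insert into inventory values (?, ?, ?, ?)",
                     [(1, "Acme", "X1", "print scan"), (2, "Acme", "X2", "print fax")])
    return conn

def login(conn, username, password):
    """Same shape as the Java PreparedStatement: '?' placeholders, values bound
    separately, so a quote inside the input is compared as data, never parsed as SQL."""
    sql = "select * from sqli_employees where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()

SEARCH_RE = re.compile(r"[a-zA-Z]+")   # Part A: letters only

def search_inventory(conn, search):
    """Part A + B together. The regex check still matters with a bound parameter:
    binding stops SQL injection, but '%' or '_' inside the value would act as
    LIKE wildcards and match every row. Returns None for an invalid query."""
    if not SEARCH_RE.fullmatch(search):
        return None                       # "Invalid Search Query"
    sql = "select * from inventory where functions like ? order by brand, model"
    return conn.execute(sql, ("%" + search + "%",)).fetchall()

# Regexes from the comment with the characters lost in rendering restored: the
# domain dots are escaped and every lookahead uses '.*' so it scans the whole string.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._]{4,}@ichat\.sp\.edu\.sg$")
PASSWORD_RE = re.compile(
    r"^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&])(?!.*\s).{8,16}$")
ID_RE = re.compile(r"[0-9]+")            # Part C: '+' not '*', so "" is rejected

def valid_email(s):
    return EMAIL_RE.fullmatch(s) is not None

def valid_password(s):
    return PASSWORD_RE.fullmatch(s) is not None

def valid_id(s):
    return ID_RE.fullmatch(s) is not None
```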
