zhangysh1995/defense_sql_injection_java.java

## defense_sql_injection_java.java
/**
these code are from WebGoat by OWASP:
Link: WebGoat/start.mvc#lesson/SqlInjectionMitigations.lesson/
**/

// parameterized queries

/**
First version
**/
public static bool isUsernameValid(string username) {
    RegEx r = new Regex("^[A-Za-z0-9]{16}$");
    return r.isMatch(username);
}

// java.sql.Connection conn is set elsewhere for brevity.
PreparedStatement ps = null;
RecordSet rs = null;
try {
    pUserName = request.getParameter("UserName");
    if ( isUsernameValid (pUsername);
        ps = conn.prepareStatement("SELECT * FROM user_table
                                   WHERE username = ? ");
        ps.setString(1, pUsername);
        rs = ps.execute();
        if ( rs.next() ) {
            // do the work of making the user record active in some way
        }
    } else { // handle invalid input }
}
catch (…) { // handle all exceptions … }


/**
Second version
**/
public static String loadAccount() {
  // Parser returns only valid string data
  String accountID = getParser().getStringParameter(ACCT_ID, "");
  String data = null;
  String query = "SELECT first_name, last_name, acct_id, balance FROM user_data WHERE acct_id = ?";
  try (Connection connection = null;
       PreparedStatement statement = connection.prepareStatement(query)) {
     statement.setString(1, accountID);
     ResultSet results = statement.executeQuery();
     if (results != null && results.first()) {
       results.last(); // Only one record should be returned for this query
       if (results.getRow() <= 2) {
         data = processAccount(results);
       } else {
         // Handle the error – Database integrity issue
       }
     } else {
       // Handle the error – no records found }
     }
  } catch (SQLException sqle) {
    // Log and handle the SQL Exception }
  }
  return data;
}
	/**
	these code are from WebGoat by OWASP:
	Link: WebGoat/start.mvc#lesson/SqlInjectionMitigations.lesson/
	**/

	// parameterized queries

	/**
	First version
	**/
	public static bool isUsernameValid(string username) {
	RegEx r = new Regex("^[A-Za-z0-9]{16}$");
	return r.isMatch(username);
	}

	// java.sql.Connection conn is set elsewhere for brevity.
	PreparedStatement ps = null;
	RecordSet rs = null;
	try {
	pUserName = request.getParameter("UserName");
	if ( isUsernameValid (pUsername);
	ps = conn.prepareStatement("SELECT * FROM user_table
	WHERE username = ? ");
	ps.setString(1, pUsername);
	rs = ps.execute();
	if ( rs.next() ) {
	// do the work of making the user record active in some way
	}
	} else { // handle invalid input }
	}
	catch (…) { // handle all exceptions … }


	/**
	Second version
	**/
	public static String loadAccount() {
	// Parser returns only valid string data
	String accountID = getParser().getStringParameter(ACCT_ID, "");
	String data = null;
	String query = "SELECT first_name, last_name, acct_id, balance FROM user_data WHERE acct_id = ?";
	try (Connection connection = null;
	PreparedStatement statement = connection.prepareStatement(query)) {
	statement.setString(1, accountID);
	ResultSet results = statement.executeQuery();
	if (results != null && results.first()) {
	results.last(); // Only one record should be returned for this query
	if (results.getRow() <= 2) {
	data = processAccount(results);
	} else {
	// Handle the error – Database integrity issue
	}
	} else {
	// Handle the error – no records found }
	}
	} catch (SQLException sqle) {
	// Log and handle the SQL Exception }
	}
	return data;
	}