
- Prevent a possible SQL injection by using a prepared statement

- Changed ArticleDao.getArticleById(...) to return an optional
1 parent 2bfbe39 commit c68084024442af9241aca397b926f12df16a0cfa @alexbiehl alexbiehl committed Mar 25, 2013
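--- a/src/main/java/org/fhw/asta/kasse/client/controller/TopbarController.java
+++ b/src/main/java/org/fhw/asta/kasse/client/controller/TopbarController.java
@@ -50,7 +50,7 @@ public void onChange(ChangeEvent event) {
 if(qText.matches("[a-zA-Z][0-9]+")){
 if(qText.matches("[aA][0-9]+")){
-articleService.getArticleById(qText.replaceAll("[a-zA-Z]", ""), new ArticleCallback());
+// articleService.getArticleById(qText.replaceAll("[a-zA-Z]", ""), new ArticleCallback());
 } // else if(qText.matches.....
 }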
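Review bot: Commenting out the `getArticleById` call leaves the `[aA][0-9]+` branch as an empty body, so an article-id entry in the topbar is now silently ignored on the client. The call was presumably disabled because `ArticleServiceAsync.getArticleById` now takes an `AsyncCallback<Optional<Article>>` and `ArticleCallback` (defined outside this hunk) still targets `Article`; the clean fix is to adapt `ArticleCallback` to the new element type and restore the call, or to delete the dead line rather than leave commented-out code. If the lookup is intentionally disabled for now, a `// TODO` naming the reason is more useful than the bare commented call. The enclosing `onChange` method starts before this hunk.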
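--- a/src/main/java/org/fhw/asta/kasse/server/dao/ArticleDao.java
+++ b/src/main/java/org/fhw/asta/kasse/server/dao/ArticleDao.java
@@ -13,9 +13,11 @@
 import org.springframework.jdbc.core.ConnectionCallback;
 import org.springframework.jdbc.core.RowMapper;
+import com.google.common.base.Optional;
+
 public class ArticleDao extends GenericDao {
-private class ArticleRowMapper implements RowMapper<Article> {
+private static class ArticleRowMapper implements RowMapper<Article> {
 @Override
 public Article mapRow(final ResultSet arg0, final int arg1)
 throws SQLException {
@@ -26,7 +28,7 @@ public Article mapRow(final ResultSet arg0, final int arg1)
 }
 }
-private class CategoryRowMapper implements RowMapper<Category> {
+private static class CategoryRowMapper implements RowMapper<Category> {
 @Override
 public Category mapRow(final ResultSet arg0, final int arg1)
 throws SQLException {
@@ -65,13 +67,11 @@ public Category mapRow(final ResultSet arg0, final int arg1)
 new ArticleRowMapper());
 }
-public Article getArticleById(String id) {
-return this.template.query(
-"SELECT article_id, article_revision, name, description,"
+public Optional<Article> getArticleById(String id) {
+return queryForObject("SELECT article_id, article_revision, name, description,"
 + "price, tax_category_name, tax_revision,"
-+ "enabled FROM article WHERE article_id = '" + id
-+ "' AND enabled = true;", new ArticleRowMapper()).get(0);
-
++ "enabled FROM article WHERE article_id = ? AND enabled = true;", new Object[] { id }, new ArticleRowMapper());
+
 }
 public List<Category> getAllCategories() {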
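Review bot: The new `getArticleById` returns `Optional<Article>`, but whether the no-row case actually becomes `Optional.absent()` depends on the `queryForObject` helper it now calls, which lives in `GenericDao` outside this diff; Spring's own `JdbcTemplate.queryForObject` throws `EmptyResultDataAccessException` for zero rows and `IncorrectResultSizeDataAccessException` for more than one, so the helper must translate at least the empty case or the `Optional` return type adds nothing over the old `.get(0)` failure. The binding of `id` through `?` is the right fix for the concatenated `'" + id + "'` it replaces; the other statements in this DAO and in `BillOrderDao` are not in these hunks, so it is worth confirming they use the same bind-parameter form. The method deserves a Javadoc stating the contract, e.g. `/** Returns the enabled article with the given id, or {@link Optional#absent()} when no such row exists. */`. Minor: the new Guava import is appended after the `org.springframework` group rather than sorted with the other `com.google` imports as done in the endpoint and interface files.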
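--- a/src/main/java/org/fhw/asta/kasse/server/dao/BillOrderDao.java
+++ b/src/main/java/org/fhw/asta/kasse/server/dao/BillOrderDao.java
@@ -28,7 +28,7 @@
 // private final Logger logger = Logger.getLogger(BillOrderDao.class);
-private class BillOrderRowMapper implements RowMapper<BillOrder> {
+private static class BillOrderRowMapper implements RowMapper<BillOrder> {
 @Override
 public BillOrder mapRow(final ResultSet arg0, final int arg1)
 throws SQLException {
@@ -39,7 +39,7 @@ public BillOrder mapRow(final ResultSet arg0, final int arg1)
 }
 }
-private class BasketItemMapper implements RowMapper<BasketItem> {
+private static class BasketItemMapper implements RowMapper<BasketItem> {
 @Override
 public BasketItem mapRow(ResultSet arg0, int arg1) throws SQLException {
 // TODO Auto-generated method stub
@@ -49,7 +49,7 @@ public BasketItem mapRow(ResultSet arg0, int arg1) throws SQLException {
 }
 }
-private class CreateBillOrderProcedure extends StoredProcedure {
+private static class CreateBillOrderProcedure extends StoredProcedure {
 public CreateBillOrderProcedure(JdbcTemplate template) {
 super(template, "CREATE_BILL_ORDER");
 this.setFunction(false);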
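--- a/src/main/java/org/fhw/asta/kasse/server/service/ArticleServiceEndpoint.java
+++ b/src/main/java/org/fhw/asta/kasse/server/service/ArticleServiceEndpoint.java
@@ -7,6 +7,7 @@
 import org.fhw.asta.kasse.shared.model.Category;
 import org.fhw.asta.kasse.shared.service.article.ArticleService;
+import com.google.common.base.Optional;
 import com.google.gwt.user.server.rpc.RemoteServiceServlet;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -30,7 +31,7 @@
 }
 @Override
-public Article getArticleById(String id) {
+public Optional<Article> getArticleById(String id) {
 return this.dao.getArticleById(id);
 }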
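Review bot: With this change `com.google.common.base.Optional` becomes part of the GWT RPC payload, since the shared `ArticleService` and `ArticleServiceAsync` interfaces in the following two sections now declare it as the return and callback type. GWT RPC can only serialize that type if the GWT-compatible Guava build (guava-gwt) is on the client classpath and its module is inherited by the application's `.gwt.xml`; whether that is the case cannot be seen from this diff and should be checked before merging, otherwise the endpoint compiles but the RPC fails at runtime. As this is a `RemoteServiceServlet`, `id` arrives straight from the client; the prepared statement in `ArticleDao` now removes the injection risk, but a short Javadoc here noting that an absent result means no enabled article matched would help callers handle the new return type.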
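--- a/src/main/java/org/fhw/asta/kasse/shared/service/article/ArticleService.java
+++ b/src/main/java/org/fhw/asta/kasse/shared/service/article/ArticleService.java
@@ -5,6 +5,7 @@
 import org.fhw.asta.kasse.shared.model.Article;
 import org.fhw.asta.kasse.shared.model.Category;
+import com.google.common.base.Optional;
 import com.google.gwt.user.client.rpc.RemoteService;
 import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
@@ -17,7 +18,7 @@
 List<Article> getArticleComponents(Article article);
-Article getArticleById(String id);
+Optional<Article> getArticleById(String id);
 List<Category> getCategories();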
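--- a/src/main/java/org/fhw/asta/kasse/shared/service/article/ArticleServiceAsync.java
+++ b/src/main/java/org/fhw/asta/kasse/shared/service/article/ArticleServiceAsync.java
@@ -5,6 +5,7 @@
 import org.fhw.asta.kasse.shared.model.Article;
 import org.fhw.asta.kasse.shared.model.Category;
+import com.google.common.base.Optional;
 import com.google.gwt.user.client.rpc.AsyncCallback;
 public interface ArticleServiceAsync {
@@ -14,7 +15,7 @@
 void getArticleComponents(Article article,
 AsyncCallback<List<Article>> callback);
-void getArticleById(String id, AsyncCallback<Article> callback);
+void getArticleById(String id, AsyncCallback<Optional<Article>> callback);
 void getCategories(AsyncCallback<List<Category>> callback);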
