Added validation for contact adding and changed use of prepared statements to avoid SQL injection.
ChrisMcMStone committed Dec 17, 2014
1 parent 4957efd commit 5d72753
Showing 7 changed files with 48 additions and 44 deletions.
2 changes: 1 addition & 1 deletion src/AddContact.java
Expand Up @@ -45,7 +45,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)

RequestDispatcher dispatcher = request.getRequestDispatcher("Error"); //New Request Dispatcher
request.setAttribute("error", e.getMessage());
request.setAttribute("previous", "searchcontact");
request.setAttribute("previous", "addcontact.jsp");
dispatcher.forward(request, response);
}
}
18 changes: 1 addition & 17 deletions src/Error.java
Expand Up @@ -11,30 +11,16 @@ public class Error extends HttpServlet {
* Calls doPost
*/
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

doPost(request, response);

}

/**
* Gets the PrintWriter from the response and prints the HTML to show the error page
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

if (System.currentTimeMillis() > (request.getSession().getLastAccessedTime() + 300000)) {
request.setAttribute("error", "Login session timed out, please click retry to log back in");
request.setAttribute("previous", "index.html");
}
PrintWriter out = response.getWriter(); //Gets the PrintWriter
String back;
String previous = (String) request.getAttribute("previous");
if (previous.equals("/LoginController") || previous.equals("index.html")) {
back = "index.html";
} else if (previous.equals("searchcontact")) {
back = "contact.jsp";
} else {
back = "email.html";
}
String back = (String) request.getAttribute("previous");
out.println(
"<!DOCTYPE html>" +
"<html>" +
Expand All @@ -56,7 +42,5 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
"</body>" +
"</html>"
);

}

}
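Review bot: The new `String back = (String) request.getAttribute("previous");` takes the attribute verbatim, so a forwarder that omits it leaves `back` as `null` and, if `back` is written into the link markup below (outside the hunk), the page renders the text "null" rather than a usable link; a fallback such as `String back = previous != null ? previous : "index.html";` would cover that case, and the old `previous.equals(...)` chain did not handle it either. The removed branch also restricted the destination to three known pages, whereas the value is now passed through unchanged; every caller visible in this commit sets it to a fixed relative path, so this is a reduction in defence in depth rather than a present defect, but it should be noted in a comment on the line, e.g. `// "previous" must be a fixed, server-chosen relative path; never derive it from request input`. The session-timeout branch above already sets it to `index.html` and so works with the new line.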
2 changes: 1 addition & 1 deletion src/Login.java
Expand Up @@ -50,7 +50,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
} catch (MessagingException e) {
RequestDispatcher dispatcher = request.getRequestDispatcher("Error"); //New Request Dispatcher
request.setAttribute("error", e.getMessage());
request.setAttribute("previous", request.getServletPath());
request.setAttribute("previous", "index.html");
dispatcher.forward(request, response);
}
}
60 changes: 40 additions & 20 deletions src/Model.java
Expand Up @@ -48,36 +48,56 @@ public String search(String forename, String surname, String contactemail) throw
String query;
if (forename.isEmpty() && surname.isEmpty()) {
query = "";
} else if(forename.isEmpty()) {
} else if (forename.isEmpty()) {
query = "familyname LIKE '%" + surname + "' and";
} else if(surname.isEmpty()) {
} else if (surname.isEmpty()) {
query = "forename LIKE '%" + forename + "' and ";
} else {
query = "forename LIKE '%" + forename + "' and familyname LIKE '%" + surname + "' and";
}

PreparedStatement ps = conn.prepareStatement("SELECT * FROM contactinfo WHERE " + query + " contactemailaddress = '" + contactemail + "'");
ResultSet rs = ps.executeQuery();
StringBuilder result = new StringBuilder("<h3>Search results...</h3><table class=\"result-table\">" +
"<tr>" +
"<th>Forename</th> <th>Surname</th> <th>Email</th>" +
"</tr>");
while(rs.next())

{
result.append("<tr><td>");
result.append(rs.getString(2));
result.append("</td><td>" + rs.getString(3));
result.append("</td><td>" + rs.getString(4) + "</td></tr>");
}
PreparedStatement ps = conn.prepareStatement("SELECT * FROM contactinfo WHERE ? contactemailaddress = ?");
ps.setString(1, query);
ps.setString(2, contactemail);
ResultSet rs = ps.executeQuery();
StringBuilder result = new StringBuilder("<h3>Search results...</h3><table class=\"result-table\">" +
"<tr>" +
"<th>Forename</th> <th>Surname</th> <th>Email</th>" +
"</tr>");
while (rs.next())
{
result.append("<tr><td>");
result.append(rs.getString(2));
result.append("</td><td>" + rs.getString(3));
result.append("</td><td>" + rs.getString(4) + "</td></tr>");
}

result.append("</table");
return result.toString();
}
result.append("</table");
conn.close();
return result.toString();
}

public void addContact(String firstname, String surname, String email, String user) throws SQLException {

PreparedStatement checkDuplicate = conn.prepareStatement("SELECT * FROM contactinfo WHERE emailaddress = ?");
checkDuplicate.setString(1, email);
ResultSet rs = checkDuplicate.executeQuery();
if (rs.next()) {
throw new SQLException("Contact already exists");
}
PreparedStatement newStudent = conn.prepareStatement("INSERT INTO " +
"contactinfo (forename, familyname, emailaddress, contactemailaddress) VALUES ('" + firstname + "', '" + surname + "', '" + email + "', '" + user + "')");
"contactinfo (forename, familyname, emailaddress, contactemailaddress) VALUES (?, ?, ?, ?)");
newStudent.setString(1, firstname);
newStudent.setString(2, surname);
newStudent.setString(3, email);
newStudent.setString(4, user);
newStudent.execute();

conn.close();
}
}


//Todo sort out errors, when logging in unsuccessfully etc
//Todo format message sent successfully page
//Todo add some JS to allow user to click search results and send an email to that address
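Review bot: The rewritten `search` binds the whole `forename LIKE ...` fragment as a parameter (`ps.setString(1, query)`), but a JDBC `?` can only stand for a value, so the statement arrives as `WHERE '<fragment>' contactemailaddress = ?` (or `WHERE '' contactemailaddress = ?` when both names are empty) and fails as a SQL syntax error, while `forename` and `surname` are still concatenated into the fragment. The WHERE clause has to be built from fixed SQL with one `?` per user-supplied value and the values bound in order, as sketched below; the leading `%` of the old patterns then belongs to the bound value. `conn.close()` at the end of both `search` and `addContact` closes the connection the `Model` shares across calls, so a second call on the same instance fails with a closed-connection error; close the `PreparedStatement` and `ResultSet` instead (try-with-resources if the project targets Java 7 or later) and leave the connection's lifetime to the code that opened it. The `rs.getString(...)` values appended to the result table are written into HTML without escaping, so stored contact data can change the page's markup; escape them before appending. `result.append("</table")` is also missing the closing `>`.
```java
StringBuilder sql = new StringBuilder("SELECT * FROM contactinfo WHERE ");
if (!forename.isEmpty()) {
    sql.append("forename LIKE ? AND ");
}
if (!surname.isEmpty()) {
    sql.append("familyname LIKE ? AND ");
}
sql.append("contactemailaddress = ?");
PreparedStatement ps = conn.prepareStatement(sql.toString());
int idx = 1;
if (!forename.isEmpty()) {
    ps.setString(idx++, "%" + forename);
}
if (!surname.isEmpty()) {
    ps.setString(idx++, "%" + surname);
}
ps.setString(idx, contactemail);
ResultSet rs = ps.executeQuery();
// … unchanged: result table construction …
```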
2 changes: 1 addition & 1 deletion src/SearchContact.java
Expand Up @@ -43,7 +43,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
} catch (SQLException e) {
RequestDispatcher dispatcher = request.getRequestDispatcher("Error"); //New Request Dispatcher
request.setAttribute("error", e.getMessage());
request.setAttribute("previous", "searchcontact");
request.setAttribute("previous", "contact.jsp");
dispatcher.forward(request, response);
}
}
6 changes: 3 additions & 3 deletions web/addcontact.jsp
Expand Up @@ -12,7 +12,7 @@
</script>
</head>
<body>
<a id="back" href="http://<%=request.getServerName()%>:<%=request.getServerPort()%>/email.html">Back</a>
<a id="back" href="email.html">Back</a>
<div class="logout-container">
<form action="logout" method="post">
<input id="logout" type="submit" value="Log Out"/>
Expand All @@ -28,7 +28,7 @@
<b>Forename: </b>
</td>
<td>
<input id="name" name="firstname" type="text" placeholder="...">
<input id="name" name="firstname" type="text" placeholder="..." required>
</td>
</tr>
<tr>
Expand All @@ -44,7 +44,7 @@
<b>Email Address: </b>
</td>
<td>
<input id="email" name="email" type="email" placeholder="...">
<input id="email" name="email" type="email" placeholder="..." required>
</td>
</tr>
<tr>
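Review bot: The `required` attribute added to the forename and email inputs is enforced only by the browser, so it does not apply to requests that do not come from this form, and nothing server-side in this commit rejects empty values before `Model.addContact` writes them; the commit message describes this as validation, so the gap is worth closing. The servlet handling the form should check the parameters before calling the model, e.g. `if (firstname == null || firstname.trim().isEmpty() || email == null || email.trim().isEmpty())` and forward to the Error page with a message, as its existing `catch` block already does for `SQLException`. A short JSP comment on the inputs, e.g. `<%-- required is a usability hint only; the servlet validates the fields --%>`, would make the division of responsibility explicit.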
2 changes: 1 addition & 1 deletion web/contact.jsp
Expand Up @@ -11,7 +11,7 @@
</script>
</head>
<body>
<a id="back" href="http://<%=request.getServerName()%>:<%=request.getServerPort()%>/email.html">Back</a>
<a id="back" href="email.html">Back</a>
<div class="logout-container">
<form action="logout" method="post">
<input id="logout" type="submit" value="Log Out"/>
