Clean up DB code, remove some SQL injection holes.
JervenBolleman committed May 19, 2014
1 parent a8ca17a commit 44bb0db
Showing 2 changed files with 59 additions and 88 deletions.
7 changes: 1 addition & 6 deletions src/main/java/org/identifiers/db/DbUtilities.java
Expand Up @@ -67,16 +67,11 @@ public static Connection initDbConnection()
* @param connection
* @param stmt
*/
public static void closeDbConnection(Connection connection, PreparedStatement stmt)
public static void closeDbConnection(Connection connection)
{
// closes the connection
try
{
if (null != stmt)
{
//System.out.println("- Closes the prepared statement");
stmt.close();
}
if (null != connection)
{
//System.out.println("- Closes the connection");
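Review bot: The Javadoc above the new one-argument signature still lists `@param stmt`, which the hunk removes from the parameter list; that line should go, and `@param connection` deserves a description such as `@param connection the connection to close; a null argument is ignored`, which matches the `if (null != connection)` guard further down. The body of closeDbConnection continues past the end of the hunk. Since the new RegistryDao releases its resources through try-with-resources instead of calling this method, it may have no remaining callers in this change set; it is worth checking whether it is still needed and whether any two-argument callers remain elsewhere in the repository, as they would no longer compile.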
140 changes: 58 additions & 82 deletions src/main/java/org/identifiers/db/RegistryDao.java
@@ -1,6 +1,5 @@
package org.identifiers.db;


import org.identifiers.data.URIextended;
import org.identifiers.db.DbUtilities;

Expand All @@ -11,106 +10,83 @@
import java.util.ArrayList;
import java.util.List;


/**
* Simple dao for SPARQL testing.
*
* @author Camille
* @version 20140519
*/
public class RegistryDao
{
private Connection connection = null;




public class RegistryDao {

/**
* Returns all URIs sameAs the provided one.
*
* @param uri
* @return
*/
public List<URIextended> getSameAsURIs(String uri)
{
Boolean error = false; // if an error happens
PreparedStatement stmt = null;
ResultSet rs;
List<URIextended> urls = null;

// initialisation of the database connection
connection = DbUtilities.initDbConnection();

try
{
public List<URIextended> getSameAsURIs(String uri) {

List<URIextended> urls = null;

final String uriTobe = uri.substring(0,uri.indexOf("/", 10));
String query = "SELECT convertPrefix, ptr_datatype FROM mir_resource WHERE `convertPrefix` LIKE '"+uriTobe+"%'";

try
{
stmt = connection.prepareStatement(query);
}
catch (SQLException e)
{
System.err.println("Error while creating the prepared statement!");
System.err.println("SQL Exception raised: " + e.getMessage());
}

//logger.debug("SQL prepared query: " + stmt.toString());
rs = stmt.executeQuery();
// initialisation of the database connection
try (Connection connection = DbUtilities.initDbConnection()) {

String dataTypeId = null;
String identifier = null;
final String uriTobe = uri.substring(0, uri.indexOf("/", 10))+'%';
String query = "SELECT convertPrefix, ptr_datatype FROM mir_resource WHERE `convertPrefix` LIKE ?";

while (rs.next()) {
String convertPrefix = rs.getString("convertPrefix");
if(uri.contains(convertPrefix)){
dataTypeId = rs.getString("ptr_datatype");
identifier = uri.substring(convertPrefix.length());
}
String dataTypeId = null;
String identifier = null;

}
try (PreparedStatement stmt = connection.prepareStatement(query)) {
stmt.setString(1, uriTobe);
try (ResultSet rs = stmt.executeQuery()) {
while (rs.next()) {
String convertPrefix = rs.getString("convertPrefix");
if (uri.contains(convertPrefix)) {
dataTypeId = rs.getString("ptr_datatype");
identifier = uri.substring(convertPrefix.length());
}
}
}
} catch (SQLException e) {
System.err
.println("Error while creating the prepared statement!");
System.err.println("SQL Exception raised: " + e.getMessage());
throw new RuntimeException(
"Sorry, an error occurred while dealing with your request.",
e);
}

query = "SELECT convertPrefix, obsolete FROM mir_resource WHERE ptr_datatype=\""+dataTypeId+"\" and urischeme=1";
// logger.debug("SQL prepared query: " + stmt.toString());

try
{
stmt = connection.prepareStatement(query);
}
catch (SQLException e)
{
System.err.println("Error while creating the prepared statement!");
System.err.println("SQL Exception raised: " + e.getMessage());
}
//logger.debug("SQL prepared query: " + stmt.toString());
rs = stmt.executeQuery();
query = "SELECT convertPrefix, obsolete FROM mir_resource WHERE ptr_datatype=? and urischeme=1";

urls = new ArrayList<URIextended>();
while (rs.next())
{
urls.add(new URIextended(rs.getString("convertPrefix") + identifier, rs.getInt("obsolete")));
}
rs.close();
}
catch (SQLException e)
{
//logger.error("Error during the processing of the result of a query.");
//logger.error("SQL Exception raised: " + e.getMessage());
error = true;
}
finally
{
// closes the database connection and statement
DbUtilities.closeDbConnection(connection, stmt);
}
try (PreparedStatement stmt = connection.prepareStatement(query)) {
stmt.setString(1, dataTypeId);
try (ResultSet rs = stmt.executeQuery()) {

urls = new ArrayList<URIextended>();
while (rs.next()) {
urls.add(new URIextended(rs.getString("convertPrefix")
+ identifier, rs.getInt("obsolete")));
}
}
} catch (SQLException e) {
System.err
.println("Error while creating the prepared statement!");
System.err.println("SQL Exception raised: " + e.getMessage());
throw new RuntimeException(
"Sorry, an error occurred while dealing with your request.",
e);
}
// logger.debug("SQL prepared query: " + stmt.toString());

// exception handling
if (error)
{
throw new RuntimeException("Sorry, an error occurred while dealing with your request.");
}
System.out.println("u"+urls.size());
return urls;
} catch (SQLException e1) {
throw new RuntimeException(
"Sorry, an error occurred while dealing with your request.",
e1);
}
System.out.println("u" + urls.size());
return urls;
}
}
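Review bot: The new line `final String uriTobe = uri.substring(0, uri.indexOf("/", 10))+'%';` still fails with an unchecked StringIndexOutOfBoundsException (or a NullPointerException for a null uri) whenever the input has no "/" at or after index 10, because indexOf returns -1; the SQLException wrapping this commit adds does not cover that path. A guard such as `int slash = uri.indexOf('/', 10);` / `if (slash < 0) throw new IllegalArgumentException("Unexpected URI form: " + uri);` / `final String uriTobe = uri.substring(0, slash) + '%';` turns a malformed request into a clear error instead of an obscure one. Binding `uriTobe` as a parameter does close the injection hole, but any `%` or `_` in the caller-supplied prefix is still interpreted by LIKE as a wildcard and widens the first query; escaping those characters before binding (with a matching ESCAPE clause) keeps the match exact, although the later `uri.contains(convertPrefix)` check limits what that widening can affect. Both new catch blocks print "Error while creating the prepared statement!" even when it is executeQuery or ResultSet iteration that failed, and the `System.out.println("u" + urls.size())` debug line survives the cleanup.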
