fixed problems in register controller, and worked at preventing sql-injection in database access
Nayshlok committed Nov 17, 2014
1 parent 6573fe9 commit f1249f4
Showing 4 changed files with 30 additions and 26 deletions.
2 changes: 1 addition & 1 deletion Voyager/WebContent/WEB-INF/account/login.jsp
Expand Up @@ -26,13 +26,13 @@

<article class="bodyContainer">
<h1>Register</h1>
<p><%= (request.getAttribute("errorMessage") == null ? "" : request.getAttribute("errorMessage")) %></p>
<form method="get" action="<%=request.getContextPath()%>/register">
<input type="submit" value="Register" id="submit" />
</form>
<br /> <br />
<hr />
<h1>Login</h1>
<p><%= (request.getAttribute("errorMessage") == null ? "" : request.getAttribute("errorMessage")) %></p>
<form method="post">
<label>Username:</label> <input name="username" /> <label>Password:</label>
<input name="password" type="password" /> <input type="submit"
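Review bot: The `errorMessage` paragraph under the Login heading at L24 (the line this hunk appears to add; the +/- markers are lost, so that is inferred from the 1-addition/1-deletion count) echoes `request.getAttribute("errorMessage")` through `<%= %>`, which does no HTML escaping, so anything a controller later puts into that attribute from user input lands in the page verbatim; with the JSTL core taglib declared, `<p><c:out value="${errorMessage}"/></p>` keeps the output inert, and the same applies to the new paragraph in register.jsp at L35. Having the paragraph under both the Register and the Login heading also renders the one attribute twice on the same page; if the hunk moved it rather than copied it, the copy at L17 is the removed line and should not survive, so confirm which side each line is on.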
2 changes: 1 addition & 1 deletion Voyager/WebContent/WEB-INF/register.jsp
Expand Up @@ -25,7 +25,7 @@
</header>
<article class="bodyContainer">
<h1>Register New User</h1>
<p><%=(((RegisterUserModel)request.getAttribute("errorMessage")).getErrorMessage() == null ? "" : ((RegisterUserModel)request.getAttribute("errorMessage")).getErrorMessage()) %></p>
<p><%=(request.getAttribute("errorMessage") == null ? "" : request.getAttribute("errorMessage")) %></p>
<form method="post" enctype="multipart/form-data">
<label>Username:</label> <input name="username" type="text" value="<%= current.getUsername() %>"/>
<label>Password:</label><input name="password" type="password" />
9 changes: 3 additions & 6 deletions Voyager/src/Controllers/RegisterController.java
Expand Up @@ -55,14 +55,12 @@ public ModelAndView commitUserRegisterUser() {
ModelAndView mv = null;

if(!password.equals(confirmPassword)) {
model.setErrorMessage("Bad username/password. ");
request.setAttribute("attemptedAccount", new Account(username, email, avatarPath, Roles.User, password));
mv = new ModelAndView(model, "/WEB-INF/register.jsp");
mv = new ModelAndView("Passwords did not match", "/WEB-INF/register.jsp");
}
if(!email.equals(confirmEmail)){
model.setErrorMessage(model.getErrorMessage() + "Emails did not match. ");
request.setAttribute("attemptedAccount", new Account(username, email, avatarPath, Roles.User, password));
mv = new ModelAndView(model, "/WEB-INF/register.jsp");
mv = new ModelAndView("Emails did not match. ", "/WEB-INF/register.jsp");
}
try {
Account user = new Account(username, email, avatarPath, Roles.User, password);
Expand All @@ -72,8 +70,7 @@ public ModelAndView commitUserRegisterUser() {
mv = new ModelAndView(model, "/WEB-INF/account/profile.jsp");
} catch(UsernameAlreadyExistsException e) {
request.setAttribute("attemptedAccount", new Account(username, email, avatarPath, Roles.User, password));
model.setErrorMessage("Username has already been used.");
mv = new ModelAndView(model, "/WEB-INF/register.jsp");
mv = new ModelAndView("Username has already been used.", "/WEB-INF/register.jsp");
} catch (ServletException e) {
e.printStackTrace();
} catch (IOException e) {
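Review bot: The mismatch branches at L44-L49 and L50-L55 assign `mv` and then fall through into the `try` at L56 that builds the `Account` and, as far as the cut hunk shows, registers it, so a password or email mismatch does not stop the registration, and the success path at L59 overwrites `mv` with the profile view; return from each branch instead, `return new ModelAndView("Passwords did not match", "/WEB-INF/register.jsp");` and likewise for the email branch. Because the concatenation of L51 is gone, the email message would also replace the password message when both differ, which the early return makes moot. The `catch (ServletException e)` at L65 only prints the stack trace and leaves `mv` at whatever was assigned earlier, possibly `null`, so the caller can receive no view at all; assign an error view there as well. `commitUserRegisterUser` starts before the first hunk and its body continues past the second.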
43 changes: 25 additions & 18 deletions Voyager/src/models/DatabaseAccess.java
Expand Up @@ -15,17 +15,18 @@

public class DatabaseAccess implements DataService {

private final String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
/* (non-Javadoc)
* @see models.DataService#login(java.lang.String, java.lang.String)
*/
@Override
public Account login(String username, String password){
Account account = null;
Driver driver = new SQLServerDriver();
String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
try {
Connection con = driver.connect(connectionUrl, new Properties());
PreparedStatement statement = con.prepareStatement("Select userName, userPassword, userEmail, userRole from UserTable where userName = '" + username + "'");
PreparedStatement statement = con.prepareStatement("Select userName, userPassword, userEmail, userRole from UserTable where userName = ?");
statement.setString(1, username);
ResultSet rs = statement.executeQuery();
rs.next();
String storedPass = rs.getString("userPassword");
Expand Down Expand Up @@ -55,11 +56,14 @@ public Account login(String username, String password){
@Override
public void registerUser(Account user){
Driver driver = new SQLServerDriver();
String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
try {
Connection con = driver.connect(connectionUrl, new Properties());
PreparedStatement statement = con.prepareStatement("Insert INTO UserTable (userName, userPassword, userEmail, userRole) "
+ "VALUES ('" + user.getUsername() + "', '" + user.getPassword() + "', '" + user.getEmail() + "', '" + user.getRole().toString() + "');");
+ "VALUES (?, ?, ?, ?);");
statement.setString(1, user.getUsername());
statement.setString(2, user.getPassword());
statement.setString(3, user.getEmail());
statement.setString(4, user.getRole().toString());
statement.execute();
System.out.println("Registration Successful");
} catch (SQLException e) {
Expand All @@ -79,10 +83,10 @@ public void registerUser(Account user){
@Override
public void removeUser(Account user){
Driver driver = new SQLServerDriver();
String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
try {
Connection con = driver.connect(connectionUrl, new Properties());
PreparedStatement statement = con.prepareStatement("DELETE FROM UserTable WHERE userName='" + user.getUsername() + "'");
PreparedStatement statement = con.prepareStatement("DELETE FROM UserTable WHERE userName=?");
statement.setString(1, user.getUsername());
statement.execute();
System.out.println("Removal sucessful");
} catch (SQLException e) {
Expand All @@ -96,31 +100,33 @@ public void removeUser(Account user){
@Override
public void updateUser(Account user){
Driver driver = new SQLServerDriver();
String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
try {
Connection con = driver.connect(connectionUrl, new Properties());
PreparedStatement statement = con.prepareStatement("UPDATE UserTable "
+ "SET userPassword='" + user.getPassword() + "', userEmail='" + user.getEmail() + "', userRole='" + user.getRole().toString() + "'"
+ "WHERE userName='" + user.getUsername() + "'");
+ "SET userPassword=?, userEmail=?, userRole=?"
+ "WHERE userName=?");
statement.setString(1, user.getPassword());
statement.setString(2, user.getEmail());
statement.setString(3, user.getRole().toString());
statement.setString(4, user.getUsername());
statement.execute();
System.out.println("Update successful");
} catch (SQLException e) {
e.printStackTrace();
}
}
}

/* (non-Javadoc)
* @see models.DataService#getUserId(java.lang.String)
*/
@Override
public int getUserId(String user){
Account account = null;
int id = -1;
Driver driver = new SQLServerDriver();
String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
try {
Connection con = driver.connect(connectionUrl, new Properties());
PreparedStatement statement = con.prepareStatement("Select userId from UserTable where userName = '" + user + "'");
PreparedStatement statement = con.prepareStatement("Select userId from UserTable where userName = ?");
statement.setString(1, user);
ResultSet rs = statement.executeQuery();
rs.next();
String storedId = rs.getString("userId");
Expand All @@ -138,10 +144,10 @@ public int getUserId(String user){
public String getUserName(int userId){
String userName = null;
Driver driver = new SQLServerDriver();
String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
try {
Connection con = driver.connect(connectionUrl, new Properties());
PreparedStatement statement = con.prepareStatement("Select userName from UserTable where userId = '" + userId + "'");
PreparedStatement statement = con.prepareStatement("Select userName from UserTable where userId = ?");
statement.setInt(1, userId);
ResultSet rs = statement.executeQuery();
rs.next();
userName = rs.getString("userName");
Expand All @@ -159,26 +165,27 @@ public String getUserName(int userId){
@Override
public void enterPost(Post post){
Driver driver = new SQLServerDriver();
String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
try {
Connection con = driver.connect(connectionUrl, new Properties());
PreparedStatement statement = con.prepareStatement("Insert INTO PostTable (postTitle, postAuthorId, postTime, postContent) "
+ "VALUES ('" + post.getTitle() + "', '" + this.getUserId(post.getAuthor()) + "', CURRENT_TIMESTAMP, '" + post.getMessage() + "');");
statement.setString(1, post.getTitle());
statement.setInt(2, this.getUserId(post.getAuthor()));
statement.setString(3, post.getMessage());
statement.execute();
System.out.println("Successful post");
} catch (SQLException e) {
e.printStackTrace();
}
}

/* (non-Javadoc)
* @see models.DataService#retrievePost(java.lang.String)
*/
@Override
public Post retrievePost(String postTitle){
Post post = null;
Driver driver = new SQLServerDriver();
String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
try {
Connection con = driver.connect(connectionUrl, new Properties());
PreparedStatement statement = con.prepareStatement("Select postTitle, postAuthorId, postTime, postContent from PostTable where postTitle = '" + postTitle + "'");
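Review bot: The `connectionUrl` field at L74 that the hunk hoists out of the individual methods still carries the database login and password inside the JDBC string, so the secret stays in version control and in every build artifact; obtain the connection from a container `DataSource` (JNDI) or read the URL from a configuration source outside the repository, and treat the credential as exposed now that it is in history. Every method in the section leaves `con`, `statement` and the `ResultSet` open on both the normal and the exception path; try-with-resources, `try (Connection con = driver.connect(connectionUrl, new Properties()); PreparedStatement statement = con.prepareStatement("...")) { ... }`, closes them and leaves the new parameter binding untouched. In `enterPost` no line with the three `?` markers appears between the `Insert INTO PostTable` line at L182 and `statement.setString(1, ...)` at L184; if the statement text really ends as the page shows it, the three bindings have no parameter to attach to and the insert fails at runtime, so confirm a `VALUES (?, ?, CURRENT_TIMESTAMP, ?)` line made it into the commit. `registerUser` writes `user.getPassword()` straight into `userPassword` at L102 and `login` reads it back at L90; unless `Account.getPassword()` already yields a salted hash, the password is stored as entered. `retrievePost` continues past the end of the section.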
