
Commit f1249f4

author
Nayshlok
committed
fixed problems in register controller, and worked at preventing sql-injection in database access
1 parent 6573fe9 commit f1249f4


4 files changed

+30
-26
lines changed


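--- a/Voyager/WebContent/WEB-INF/account/login.jsp
+++ b/Voyager/WebContent/WEB-INF/account/login.jsp
@@ -26,13 +26,13 @@
 
 <article class="bodyContainer">
 <h1>Register</h1>
-<p><%= (request.getAttribute("errorMessage") == null ? "" : request.getAttribute("errorMessage")) %></p>
 <form method="get" action="<%=request.getContextPath()%>/register">
 <input type="submit" value="Register" id="submit" />
 </form>
 <br /> <br />
 <hr />
 <h1>Login</h1>
+<p><%= (request.getAttribute("errorMessage") == null ? "" : request.getAttribute("errorMessage")) %></p>
 <form method="post">
 <label>Username:</label> <input name="username" /> <label>Password:</label>
 <input name="password" type="password" /> <input type="submit"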
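Review bot: The relocated paragraph at new line 35 prints `errorMessage` through `<%= %>`, which performs no HTML escaping; that is only safe while the controllers put fixed string literals into that attribute, and the same expression is introduced in register.jsp in this commit. If a user-supplied value (for example the attempted username) is ever folded into the message, it will be rendered as markup in the response. Rendering it as `<c:out value="${errorMessage}"/>` (JSTL) escapes it regardless of where the text came from.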

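--- a/Voyager/WebContent/WEB-INF/register.jsp
+++ b/Voyager/WebContent/WEB-INF/register.jsp
@@ -25,7 +25,7 @@
 </header>
 <article class="bodyContainer">
 <h1>Register New User</h1>
-<p><%=(((RegisterUserModel)request.getAttribute("errorMessage")).getErrorMessage() == null ? "" : ((RegisterUserModel)request.getAttribute("errorMessage")).getErrorMessage()) %></p>
+<p><%=(request.getAttribute("errorMessage") == null ? "" : request.getAttribute("errorMessage")) %></p>
 <form method="post" enctype="multipart/form-data">
 <label>Username:</label> <input name="username" type="text" value="<%= current.getUsername() %>"/>
 <label>Password:</label><input name="password" type="password" />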
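Review bot: Two lines below the new error paragraph, `value="<%= current.getUsername() %>"` writes the username back into an attribute without escaping; RegisterController stores `attemptedAccount` from the raw request parameters on every validation failure, so if `current` is bound to that attribute (not visible here) whatever the user typed is reflected verbatim into the page. That line is unchanged context, but the commit is reworking exactly this error path, so it is the moment to escape it, e.g. `value="${fn:escapeXml(current.username)}"` with the JSTL functions taglib, or `<c:out>`.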

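--- a/Voyager/src/Controllers/RegisterController.java
+++ b/Voyager/src/Controllers/RegisterController.java
@@ -55,14 +55,12 @@ public ModelAndView commitUserRegisterUser() {
 ModelAndView mv = null;
 
 if(!password.equals(confirmPassword)) {
-model.setErrorMessage("Bad username/password. ");
 request.setAttribute("attemptedAccount", new Account(username, email, avatarPath, Roles.User, password));
-mv = new ModelAndView(model, "/WEB-INF/register.jsp");
+mv = new ModelAndView("Passwords did not match", "/WEB-INF/register.jsp");
 }
 if(!email.equals(confirmEmail)){
-model.setErrorMessage(model.getErrorMessage() + "Emails did not match. ");
 request.setAttribute("attemptedAccount", new Account(username, email, avatarPath, Roles.User, password));
-mv = new ModelAndView(model, "/WEB-INF/register.jsp");
+mv = new ModelAndView("Emails did not match. ", "/WEB-INF/register.jsp");
 }
 try {
 Account user = new Account(username, email, avatarPath, Roles.User, password);
@@ -72,8 +70,7 @@ public ModelAndView commitUserRegisterUser() {
 mv = new ModelAndView(model, "/WEB-INF/account/profile.jsp");
 } catch(UsernameAlreadyExistsException e) {
 request.setAttribute("attemptedAccount", new Account(username, email, avatarPath, Roles.User, password));
-model.setErrorMessage("Username has already been used.");
-mv = new ModelAndView(model, "/WEB-INF/register.jsp");
+mv = new ModelAndView("Username has already been used.", "/WEB-INF/register.jsp");
 } catch (ServletException e) {
 e.printStackTrace();
 } catch (IOException e) {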
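Review bot: Neither validation branch leaves the method, so after `mv` is assigned the register view at new lines 59 and 63 execution still enters the `try` that builds the `Account` and, judging by the `profile.jsp` assignment in the second hunk, registers it and overwrites `mv` — a request with a mismatched password or email is still created and then shown the profile page. Add `if (mv != null) { return mv; }` immediately before `try {` (or `return mv;` inside each branch) so the error view is what the user actually sees. The second branch also replaces the first message rather than appending, so when both checks fail only "Emails did not match. " is shown where the old code concatenated the two. commitUserRegisterUser begins and ends outside these hunks.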

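--- a/Voyager/src/models/DatabaseAccess.java
+++ b/Voyager/src/models/DatabaseAccess.java
@@ -15,17 +15,18 @@
 
 public class DatabaseAccess implements DataService {
 
+private final String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 /* (non-Javadoc)
 * @see models.DataService#login(java.lang.String, java.lang.String)
 */
 @Override
 public Account login(String username, String password){
 Account account = null;
 Driver driver = new SQLServerDriver();
-String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 try {
 Connection con = driver.connect(connectionUrl, new Properties());
-PreparedStatement statement = con.prepareStatement("Select userName, userPassword, userEmail, userRole from UserTable where userName = '" + username + "'");
+PreparedStatement statement = con.prepareStatement("Select userName, userPassword, userEmail, userRole from UserTable where userName = ?");
+statement.setString(1, username);
 ResultSet rs = statement.executeQuery();
 rs.next();
 String storedPass = rs.getString("userPassword");
@@ -55,11 +56,14 @@ public Account login(String username, String password){
 @Override
 public void registerUser(Account user){
 Driver driver = new SQLServerDriver();
-String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 try {
 Connection con = driver.connect(connectionUrl, new Properties());
 PreparedStatement statement = con.prepareStatement("Insert INTO UserTable (userName, userPassword, userEmail, userRole) "
-+ "VALUES ('" + user.getUsername() + "', '" + user.getPassword() + "', '" + user.getEmail() + "', '" + user.getRole().toString() + "');");
++ "VALUES (?, ?, ?, ?);");
+statement.setString(1, user.getUsername());
+statement.setString(2, user.getPassword());
+statement.setString(3, user.getEmail());
+statement.setString(4, user.getRole().toString());
 statement.execute();
 System.out.println("Registration Successful");
 } catch (SQLException e) {
@@ -79,10 +83,10 @@ public void registerUser(Account user){
 @Override
 public void removeUser(Account user){
 Driver driver = new SQLServerDriver();
-String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 try {
 Connection con = driver.connect(connectionUrl, new Properties());
-PreparedStatement statement = con.prepareStatement("DELETE FROM UserTable WHERE userName='" + user.getUsername() + "'");
+PreparedStatement statement = con.prepareStatement("DELETE FROM UserTable WHERE userName=?");
+statement.setString(1, user.getUsername());
 statement.execute();
 System.out.println("Removal sucessful");
 } catch (SQLException e) {
@@ -96,31 +100,33 @@ public void removeUser(Account user){
 @Override
 public void updateUser(Account user){
 Driver driver = new SQLServerDriver();
-String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 try {
 Connection con = driver.connect(connectionUrl, new Properties());
 PreparedStatement statement = con.prepareStatement("UPDATE UserTable "
-+ "SET userPassword='" + user.getPassword() + "', userEmail='" + user.getEmail() + "', userRole='" + user.getRole().toString() + "'"
-+ "WHERE userName='" + user.getUsername() + "'");
++ "SET userPassword=?, userEmail=?, userRole=?"
++ "WHERE userName=?");
+statement.setString(1, user.getPassword());
+statement.setString(2, user.getEmail());
+statement.setString(3, user.getRole().toString());
+statement.setString(4, user.getUsername());
 statement.execute();
 System.out.println("Update successful");
 } catch (SQLException e) {
 e.printStackTrace();
-}
+}
 }
 
 /* (non-Javadoc)
 * @see models.DataService#getUserId(java.lang.String)
 */
 @Override
 public int getUserId(String user){
-Account account = null;
 int id = -1;
 Driver driver = new SQLServerDriver();
-String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 try {
 Connection con = driver.connect(connectionUrl, new Properties());
-PreparedStatement statement = con.prepareStatement("Select userId from UserTable where userName = '" + user + "'");
+PreparedStatement statement = con.prepareStatement("Select userId from UserTable where userName = ?");
+statement.setString(1, user);
 ResultSet rs = statement.executeQuery();
 rs.next();
 String storedId = rs.getString("userId");
@@ -138,10 +144,10 @@ public int getUserId(String user){
 public String getUserName(int userId){
 String userName = null;
 Driver driver = new SQLServerDriver();
-String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 try {
 Connection con = driver.connect(connectionUrl, new Properties());
-PreparedStatement statement = con.prepareStatement("Select userName from UserTable where userId = '" + userId + "'");
+PreparedStatement statement = con.prepareStatement("Select userName from UserTable where userId = ?");
+statement.setInt(1, userId);
 ResultSet rs = statement.executeQuery();
 rs.next();
 userName = rs.getString("userName");
@@ -159,26 +165,27 @@ public String getUserName(int userId){
 @Override
 public void enterPost(Post post){
 Driver driver = new SQLServerDriver();
-String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 try {
 Connection con = driver.connect(connectionUrl, new Properties());
 PreparedStatement statement = con.prepareStatement("Insert INTO PostTable (postTitle, postAuthorId, postTime, postContent) "
 + "VALUES ('" + post.getTitle() + "', '" + this.getUserId(post.getAuthor()) + "', CURRENT_TIMESTAMP, '" + post.getMessage() + "');");
+statement.setString(1, post.getTitle());
+statement.setInt(2, this.getUserId(post.getAuthor()));
+statement.setString(3, post.getMessage());
 statement.execute();
 System.out.println("Successful post");
 } catch (SQLException e) {
 e.printStackTrace();
 }
 }
-
+
 /* (non-Javadoc)
 * @see models.DataService#retrievePost(java.lang.String)
 */
 @Override
 public Post retrievePost(String postTitle){
 Post post = null;
 Driver driver = new SQLServerDriver();
-String connectionUrl = "jdbc:sqlserver://n8bu1j6855.database.windows.net:1433;database=VoyagerDB;user=VoyageLogin@n8bu1j6855;password={GroupP@ssword};encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
 try {
 Connection con = driver.connect(connectionUrl, new Properties());
 PreparedStatement statement = con.prepareStatement("Select postTitle, postAuthorId, postTime, postContent from PostTable where postTitle = '" + postTitle + "'");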
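Review bot: In enterPost (last hunk) the three new `setString`/`setInt` calls bind parameters the statement never declares — the `VALUES ('" + post.getTitle() + ...` line at old line 166 is unchanged context — so the driver can be expected to reject the bind with a SQLException that `printStackTrace` then swallows, meaning posts stop being inserted while the title/message concatenation stays injectable; change that line to `+ "VALUES (?, ?, CURRENT_TIMESTAMP, ?);"`. The same concatenation survives in retrievePost's `where postTitle = '" + postTitle + "'` on the hunk's last line, so the commit message's goal is not yet met for PostTable. In updateUser the split literal `"SET userPassword=?, userEmail=?, userRole=?" + "WHERE userName=?"` joins as `userRole=?WHERE`, which depends on the driver's tokenizer to parse; write `" WHERE userName=?"`. Hoisting `connectionUrl` into a field does not take the database password out of source control — it is still a literal here and in every earlier revision — so it should move to configuration or an environment variable and the credential rotated. None of these methods close `con`, `statement` or `rs` (try-with-resources would), and login comparing a `storedPass` read straight from UserTable against the submitted password suggests passwords are stored in plaintext; a salted adaptive hash (bcrypt/scrypt/Argon2) at registerUser and login is the usual fix.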
