Fixed building queries - preventing SQL-injection
krukon committed Feb 3, 2015
1 parent 2aaedb7 commit 13cd6c3
Showing 7 changed files with 180 additions and 112 deletions.
56 changes: 33 additions & 23 deletions src/app/controllers/AccountController.java
@@ -1,7 +1,6 @@
package controllers;

import java.util.HashMap;
import java.util.Map;
import java.sql.Date;

import models.Secured;
import play.data.DynamicForm;
Expand All @@ -19,10 +18,17 @@ public static Result changePassword() {
String oldPassword = requestData.get("oldPassword");
String newPassword = requestData.get("newPassword");
String repeatedPassword = requestData.get("repeatedPassword");
int userId;
try {
userId = Integer.parseInt(session(Application.USER_ID));
} catch (Exception e) {
e.printStackTrace();
return badRequest();
}

if (newPassword.equals(repeatedPassword)) {
if (UsersDao.get().checkPasswordForUser(session().get(Application.USER_ID), oldPassword)) {
UsersDao.get().changePassword(session().get(Application.USER_ID), newPassword);
if (UsersDao.get().checkPasswordForUser(userId, oldPassword)) {
UsersDao.get().changePassword(userId, newPassword);
return ok();
}
else {
Expand All @@ -35,28 +41,32 @@ public static Result changePassword() {
}

public static Result changeUserInfo() {
String userId = session(Application.USER_ID);
DynamicForm requestData = Form.form().bindFromRequest();
String weight = requestData.get("weight");
String height = requestData.get("height");
String dateOfBirth = requestData.get("dateOfBirth");

Map<String, String> toUpdate = new HashMap<String, String>();
if (!weight.equals("")) {
toUpdate.put("weight", weight);
}
if (!height.equals("")) {
toUpdate.put("height", height);
}
if (!dateOfBirth.equals("")) {
toUpdate.put("date_of_birth", dateOfBirth);
Double weight = null;
Double height = null;
Date dateOfBirth = null;
int userId;
try {
userId = Integer.parseInt(session(Application.USER_ID));
} catch (Exception e) {
e.printStackTrace();
return badRequest();
}


if (toUpdate.size() > 0 && UsersDao.get().update(userId, toUpdate)) {
return ok();
}
else {
if (!requestData.get("weight").equals(""))
weight = Double.valueOf(requestData.get("weight"));
if (!requestData.get("height").equals(""))
height = Double.valueOf(requestData.get("height"));
if (!requestData.get("dateOfBirth").equals(""))
dateOfBirth = Date.valueOf(requestData.get("dateOfBirth"));

try {
if (UsersDao.get().update(userId, weight, height, dateOfBirth))
return ok();
else
return badRequest();
} catch (Exception e) {
e.printStackTrace();
return badRequest();
}
}
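Review bot: In changeUserInfo the three `Double.valueOf`/`Date.valueOf` conversions run outside the `try` that guards the `update` call, so a non-numeric weight or a date not in `yyyy-[m]m-[d]d` form escapes the action as `NumberFormatException`/`IllegalArgumentException` instead of producing `badRequest()`, and `requestData.get(...)` returning null for an absent field makes the `.equals("")` checks throw. Moving the parsing inside the try and null-checking each field, as below, keeps all malformed input on the 400 path. The `catch (Exception e)` around `Integer.parseInt(session(Application.USER_ID))` in both actions can be narrowed to `NumberFormatException`, which `parseInt` also throws for a null (missing) session value. changePassword starts before the first hunk of this file.
```java
        // … unchanged: requestData binding and userId parsing …
        try {
            String weightParam = requestData.get("weight");
            String heightParam = requestData.get("height");
            String dobParam = requestData.get("dateOfBirth");
            if (weightParam != null && !weightParam.isEmpty())
                weight = Double.valueOf(weightParam);
            if (heightParam != null && !heightParam.isEmpty())
                height = Double.valueOf(heightParam);
            if (dobParam != null && !dobParam.isEmpty())
                dateOfBirth = Date.valueOf(dobParam);

            if (UsersDao.get().update(userId, weight, height, dateOfBirth))
                return ok();
            else
                return badRequest();
        } catch (Exception e) {
            // … unchanged: log and return badRequest() …
        }
```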
9 changes: 7 additions & 2 deletions src/app/controllers/Application.java
Expand Up @@ -36,8 +36,13 @@ public static Result home() {
}

public static Result editAccountSettings() {
User user = UsersDao.get().getById(session(USER_ID)); //TODO change session to userId
return ok(account.render(user));
try {
User user = UsersDao.get().getById(Integer.parseInt(session(USER_ID))); //TODO change session to userId
return ok(account.render(user));
} catch (Exception e) {
e.printStackTrace();
return badRequest();
}
}

}
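Review bot: The new `catch (Exception e)` in editAccountSettings also converts failures of `UsersDao.get().getById` and `account.render` into a 400, although the guard was added only for `Integer.parseInt(session(USER_ID))`; catching `NumberFormatException` instead (which `parseInt` also throws for a null session value) reports bad client state as 400 and lets server-side failures surface as such. A null return from `getById` — the case UsersController.showUser explicitly checks — still reaches `account.render(user)` here, so a `user == null` check before rendering would be consistent with that controller. The `//TODO change session to userId` comment now describes what the line does and can be dropped.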
2 changes: 1 addition & 1 deletion src/app/controllers/UsersController.java
Expand Up @@ -30,7 +30,7 @@ public static Result decline(int requesingUserId) {

public static Result showUser(int foreignerId) {
int userId = Integer.parseInt(session("user_id"));
User user = UsersDao.get().getById(foreignerId + "");
User user = UsersDao.get().getById(foreignerId);
boolean isYourFriend = UsersDao.get().areFriends(userId, foreignerId);
if (user != null) {
return ok(user_info.render(user, isYourFriend));
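Review bot: `Integer.parseInt(session("user_id"))` on the line above the changed `getById(foreignerId)` call is still unguarded, while this commit wraps the same parse in try/catch in AccountController and Application; a missing or non-numeric session value throws `NumberFormatException` out of showUser. Applying the same `NumberFormatException` guard here keeps the three controllers consistent. This method also uses the literal `"user_id"` where the others use `Application.USER_ID` — presumably the same key, but worth unifying so the two cannot drift. showUser's body continues past the hunk.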
29 changes: 17 additions & 12 deletions src/app/database/ExerciseDao.java
@@ -1,6 +1,7 @@
package database;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
Expand Down Expand Up @@ -98,10 +99,13 @@ public void rateExercise(int userId, int exerciseId, int rating) {
Connection connection = null;
try {
connection = DB.getConnection();
String sql = connection.nativeSQL("INSERT INTO exercise_ratings(user_id, exercise_id, rating) VALUES" +
" (" + userId + ", " + exerciseId + ", " + rating + ");");
play.Logger.info("Insert exercise_rating: " + sql);
connection.createStatement().execute(sql);
PreparedStatement p = connection.prepareStatement("INSERT INTO exercise_ratings(user_id, exercise_id, rating) VALUES (?, ?, ?);");
p.setInt(1, userId);
p.setInt(2, exerciseId);
p.setInt(3, rating);

p.executeQuery();
p.close();
} catch (SQLException e) {
e.printStackTrace();
} finally {
Expand All @@ -123,13 +127,13 @@ public ExerciseResult getBestForUser(String userId, int exerciseId) {
Connection connection = null;
try {
connection = DB.getConnection();
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery("SELECT weight, set_count, reps_per_set" +
" FROM workout_entries" +
" JOIN workouts USING (workout_id)" +
" WHERE user_id = " + userId + " AND exercise_id = " + exerciseId +
" ORDER BY weight" +
" LIMIT 1;");
PreparedStatement p = connection.prepareStatement("SELECT weight, set_count, reps_per_set"
+ "FROM workout_entries "
+ "JOIN workouts USING (workout_id) "
+ "WHERE user_id = ? AND exercise_id = ? "
+ "ORDER BY weight"
+ "LIMIT 1;");
ResultSet resultSet = p.executeQuery();
ExerciseResult result = null;
if (resultSet.next()) {
result = new ExerciseResult();
Expand All @@ -138,7 +142,8 @@ public ExerciseResult getBestForUser(String userId, int exerciseId) {
result.setWeight(resultSet.getInt("weight"));

}

resultSet.close();
p.close();
return result;
} catch (SQLException e) {
e.printStackTrace();
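Review bot: In getBestForUser the concatenated SQL has no space before `FROM` and before `LIMIT`, so the text sent is `reps_per_setFROM workout_entries … ORDER BY weightLIMIT 1;`, and the two `?` placeholders are never bound before `p.executeQuery()`, so the statement fails at execution time. The rewritten lines below add the spaces and bind both parameters; since `userId` is still a `String` in this signature it is parsed here, though changing the parameter to `int userId` as the commit did for `getById` would be cleaner. In rateExercise, `p.executeQuery()` is used for an INSERT, which produces no result set and which JDBC drivers generally reject with an SQLException — use `p.executeUpdate()`; the same applies to rateGym in GymsDao. In both DAOs the PreparedStatement is closed only on the success path; a try-with-resources block (if the project builds on Java 7 or later) would also close it when an exception is thrown. getBestForUser's body continues past the hunk.
```java
            PreparedStatement p = connection.prepareStatement("SELECT weight, set_count, reps_per_set "
                    + "FROM workout_entries "
                    + "JOIN workouts USING (workout_id) "
                    + "WHERE user_id = ? AND exercise_id = ? "
                    + "ORDER BY weight "
                    + "LIMIT 1;");
            p.setInt(1, Integer.parseInt(userId));
            p.setInt(2, exerciseId);
            ResultSet resultSet = p.executeQuery();
            // … unchanged: result mapping, close and return …
```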
11 changes: 7 additions & 4 deletions src/app/database/GymsDao.java
@@ -1,6 +1,7 @@
package database;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
Expand Down Expand Up @@ -67,10 +68,12 @@ public void rateGym(int userId, int gymId, int rating) {
Connection connection = null;
try {
connection = DB.getConnection();
String sql = connection.nativeSQL("INSERT INTO gym_ratings(user_id, gym_id, rating) VALUES" +
" (" + userId + ", " + gymId + ", " + rating + ");");
play.Logger.info("Insert gym_rating: " + sql);
connection.createStatement().execute(sql);
PreparedStatement p = connection.prepareStatement("INSERT INTO gym_ratings(user_id, gym_id, rating) VALUES (?, ?, ?)");
p.setInt(1, userId);
p.setInt(2, gymId);
p.setInt(3, rating);
p.executeQuery();
p.close();
} catch (SQLException e) {
e.printStackTrace();
} finally {
