From cbc79a68145e845f951113d184b4de207c341599 Mon Sep 17 00:00:00 2001
From: Nick Ren
Date: Wed, 19 Oct 2016 15:29:48 -0400
Subject: [PATCH] fixed sql injection vulnerability
---
 src/main/java/model/Input.java | 17 +++++++++--------
 src/main/java/model/Output.java | 15 +++++++++------
 src/main/java/object/Variant.java | 7 +++++--
 src/main/java/util/DBManager.java | 4 ++++
 4 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/src/main/java/model/Input.java b/src/main/java/model/Input.java
index 76aab5a..4998c00 100644
--- a/src/main/java/model/Input.java
+++ b/src/main/java/model/Input.java
@@ -1,5 +1,6 @@
 package model;
+import java.sql.PreparedStatement;
 import object.Region;
 import util.DBManager;
 import util.FormatManager;
@@ -56,11 +57,11 @@ private static Region getRegionByStr(String str) {
 }
 private static void initRegionListByGeneName(String geneName) throws Exception {
- String sql = "SELECT * "
- + "FROM gene_region "
- + "WHERE gene_name='" + geneName + "'";
+ String sql = "SELECT * FROM gene_region WHERE gene_name=?";
- ResultSet rset = DBManager.executeQuery(sql);
+ PreparedStatement stmt = DBManager.prepareStatement(sql);
+ stmt.setString(1, geneName);
+ ResultSet rset = stmt.executeQuery();
 if (rset.next()) {
 query = rset.getString("gene_name");
@@ -73,11 +74,11 @@ private static void initRegionListByGeneName(String geneName) throws Exception {
 }
 private static void initRvisByGene(String geneName) throws Exception {
- String sql = "SELECT * "
- + "FROM rvis "
- + "WHERE gene_name='" + geneName + "'";
+ String sql = "SELECT * FROM rvis WHERE gene_name=?";
- ResultSet rset = DBManager.executeQuery(sql);
+ PreparedStatement stmt = DBManager.prepareStatement(sql);
+ stmt.setString(1, geneName);
+ ResultSet rset = stmt.executeQuery();
 if (rset.next()) {
 float f = FormatManager.getFloat(rset.getObject("rvis_percent"));
diff --git a/src/main/java/model/Output.java b/src/main/java/model/Output.java
index ad48bd2..f78fb34 100644
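Review bot: The `PreparedStatement` returned by `DBManager.prepareStatement(sql)` in initRegionListByGeneName is never closed, and neither is its `ResultSet`; the replaced `DBManager.executeQuery` ran on the shared `statement` field (visible in the DBManager hunk), whereas every call now creates a fresh statement on the connection that stays open until the connection itself goes away. Wrap both in try-with-resources so they are released on every exit path, including the exception path implied by `throws Exception`. The method body continues past the end of the hunk, so the closing braces of the new try blocks land outside it.
```java
    private static void initRegionListByGeneName(String geneName) throws Exception {
        String sql = "SELECT * FROM gene_region WHERE gene_name=?";

        try (PreparedStatement stmt = DBManager.prepareStatement(sql)) {
            stmt.setString(1, geneName);
            try (ResultSet rset = stmt.executeQuery()) {
                if (rset.next()) {
                    query = rset.getString("gene_name");
                    // … unchanged: remaining column reads, outside the hunk …
```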
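Review bot: initRvisByGene now repeats the prepare/bind/execute sequence of initRegionListByGeneName line for line, and like it leaves `stmt` and `rset` unclosed after `ResultSet rset = stmt.executeQuery();`. Since the table name is the only difference and cannot be bound with `?`, a private helper that takes the fixed SQL literal and the gene name, binds the single parameter and owns the statement's lifetime would fix the cleanup once instead of in two places; at minimum the statement line should become `try (PreparedStatement stmt = DBManager.prepareStatement(sql)) {` with the `ResultSet` opened in a nested try-with-resources. The reads that follow `float f = FormatManager.getFloat(rset.getObject("rvis_percent"));` lie outside the hunk.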
--- a/src/main/java/model/Output.java
+++ b/src/main/java/model/Output.java
@@ -1,5 +1,6 @@
 package model;
+import java.sql.PreparedStatement;
 import object.Region;
 import object.Variant;
 import util.DBManager;
@@ -38,12 +39,14 @@ public static void initVariant() throws Exception {
 String sql = "SELECT * "
 + "FROM variant_v2 "
- + "WHERE chr='" + tmp[0] + "' "
- + "AND pos=" + tmp[1] + " "
- + "AND ref='" + tmp[2] + "' "
- + "AND allele='" + tmp[3] + "'";
-
- ResultSet rset = DBManager.executeQuery(sql);
+ + "WHERE chr= ? AND pos= ? AND ref= ? AND allele= ?";
+
+ PreparedStatement stmt = DBManager.prepareStatement(sql);
+ stmt.setString(1, tmp[0]);
+ stmt.setInt(2, Integer.valueOf(tmp[1]));
+ stmt.setString(3, tmp[2]);
+ stmt.setString(4, tmp[3]);
+ ResultSet rset = stmt.executeQuery();
 if (rset.next()) {
 variant = new Variant(rset);
diff --git a/src/main/java/object/Variant.java b/src/main/java/object/Variant.java
index 491f353..82aaf7f 100644
--- a/src/main/java/object/Variant.java
+++ b/src/main/java/object/Variant.java
@@ -1,5 +1,6 @@
 package object;
+import java.sql.PreparedStatement;
 import util.DBManager;
 import util.FormatManager;
 import java.sql.ResultSet;
@@ -131,12 +132,14 @@ public Variant(ResultSet rset) throws Exception {
 public void initAnnotationMap() throws Exception {
 String sql = "SELECT * "
 + "FROM annotation_v2 "
- + "WHERE variant_id = " + id + " "
+ + "WHERE variant_id = ? "
 + "ORDER BY igm_rank," // when igm_rank is the same, the data sort by "Canonical" = "YES"
 + "case when canonical is null then 1 else 0 end,canonical;";
- ResultSet rset = DBManager.executeQuery(sql);
+ PreparedStatement stmt = DBManager.prepareStatement(sql);
+ stmt.setInt(1, id);
+ ResultSet rset = stmt.executeQuery();
 while (rset.next()) {
 Annotation anno = new Annotation(rset);
diff --git a/src/main/java/util/DBManager.java b/src/main/java/util/DBManager.java
index 661bd2c..6e5e1a7 100644
--- a/src/main/java/util/DBManager.java
+++ b/src/main/java/util/DBManager.java
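Review bot: `Integer.valueOf(tmp[1])` in the new binding code of initVariant throws an unchecked `NumberFormatException` for a non-numeric position, and because it runs after `DBManager.prepareStatement(sql)` the freshly prepared statement is abandoned open on that path. Parse the position before preparing, and prefer `Integer.parseInt`, which avoids the needless boxed `Integer`: `int pos = Integer.parseInt(tmp[1]);` ahead of the `prepareStatement` call and `stmt.setInt(2, pos);` in place of the current line. `stmt` and `rset` should in any case be closed via try-with-resources. The rest of `initVariant`, including where `tmp` is split and how many elements it is guaranteed to have, lies outside the hunk.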
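Review bot: The SQL text handed to `prepareStatement` in initAnnotationMap still ends with a literal `;` inside the string (`end,canonical;";`), which some JDBC drivers reject when the statement is prepared rather than sent as a plain query, so what worked through `Statement.executeQuery` may now fail at prepare time; dropping it is the safe form: `+ "case when canonical is null then 1 else 0 end,canonical";`. `stmt.setInt(1, id)` assumes `id` is an `int`; its declaration is outside the hunk, so confirm it is not a `long` or a `String`. As in the other files, `stmt` and `rset` are never closed and should be wrapped in try-with-resources; the body of the `while` loop continues outside the hunk.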
@@ -86,4 +86,8 @@ private static void initDataFromSystemConfig() {
 public static ResultSet executeQuery(String sqlQuery) throws SQLException {
 return statement.executeQuery(sqlQuery);
 }
+
+ public static PreparedStatement prepareStatement(String sqlQuery) throws SQLException{
+ return connection.prepareStatement(sqlQuery);
+ }
 }
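Review bot: `executeQuery(String)` just above the added method still accepts a fully formed SQL string and runs it through the shared `statement`, so the concatenation pattern this commit removes from three call sites remains one import away for the next one; mark it `@Deprecated` with Javadoc pointing at `prepareStatement`, or remove it once no callers remain. The new method hands out a fresh `PreparedStatement` from `connection` on every call, which, unlike the shared `statement`, the caller must close — a Javadoc such as `/** Prepares sqlQuery on the shared connection; the caller owns the returned statement and must close it. */` makes that contract explicit. A space before the brace in `throws SQLException{` would match `executeQuery` above.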