Commit c15217aa authored by Gabriel Copat's avatar Gabriel Copat

Adjusted SQL queries to better protect from SQL injection

parent e847822d
1 merge request!37Resolve "As a repeat trail visitor , I want to be able to create an account so I can save and review my progress."
......@@ -50,8 +50,8 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
@Override
public List<Sticker> getAllStickersFromPack(int packID){
String sql= "SELECT * FROM stickers WHERE packID="+packID;
return jdbc.query(sql, stickerMapper);
String sql= "SELECT * FROM stickers WHERE packID=?";
return jdbc.query(sql, stickerMapper, packID);
}
@Override
......@@ -59,14 +59,14 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
/* FINDS ALL STICKERS UNLOCKED BY THE GIVEN USER */
String sql= "SELECT * FROM stickers LEFT JOIN stickerprogress " +
"ON (stickers.id, stickers.packID) = (stickerprogress.stickerID, stickerprogress.packID) " +
"WHERE stickerprogress.userID="+userID;
return jdbc.query(sql, stickerMapper);
"WHERE stickerprogress.userID = ? ";
return jdbc.query(sql, stickerMapper, userID);
}
@Override
public Pack findPackByID(int id){
String sql= "SELECT * FROM packs WHERE id="+id;
List<Pack> result = jdbc.query(sql, packMapper);
String sql= "SELECT * FROM packs WHERE id= ?";
List<Pack> result = jdbc.query(sql, packMapper, id);
return result.isEmpty() ? null : result.get(0);
}
}
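Review bot: The new predicate `"WHERE stickerprogress.userID = ? "` filters on the right-hand table of a `LEFT JOIN`, which makes the join behave as an inner join, so the `LEFT` on the context line above is misleading. Either write `"SELECT * FROM stickers INNER JOIN stickerprogress "` or, if stickers without progress were meant to survive, move the user filter into the `ON` clause. The method containing this second hunk starts outside the hunk. Separately, the join compares `stickers.id` with `stickerprogress.stickerID`, while the schema comment in this commit describes `stickers.stickerID` as the number within its pack and the seed data writes that per-pack number into `stickerprogress`; if that reading is right, the join should compare `stickers.stickerID`, which is worth confirming before this query is relied on.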
......@@ -15,7 +15,7 @@ import java.util.List;
@Repository
public class UserRepositoryJDBC implements UserRepository{
private JdbcTemplate jdbc;
private final JdbcTemplate jdbc;
private RowMapper<User> userMapper;
public UserRepositoryJDBC(JdbcTemplate aJdbc){
......@@ -40,15 +40,15 @@ public class UserRepositoryJDBC implements UserRepository{
@Override
public User getUserById(int userID){
String sql= "SELECT * FROM users WHERE id="+userID;
List<User> result = jdbc.query(sql, userMapper);
String sql= "SELECT * FROM users WHERE id=?";
List<User> result = jdbc.query(sql, userMapper, userID);
return result.isEmpty() ? null : result.get(0);
}
@Override
public List<Long> getUserStickersFromPack(int userID, int packID) {
String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (" + userID + "," + packID + ")";
return jdbc.queryForList(sql, Long.class);
String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (?,?)";
return jdbc.queryForList(sql, Long.class, userID, packID);
}
@Override
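Review bot: `jdbc` is now `final` but `userMapper` on the line directly below it is not, so the two collaborators are declared inconsistently; if the mapper is assigned once in the constructor (which begins at the end of the first hunk and continues outside it), `private final RowMapper<User> userMapper;` makes the repository's state immutable. In the second hunk `getUserById` still returns `null` for a missing row; `return result.stream().findFirst().orElse(null);` keeps that contract while stating the intent, and an `Optional<User>` return would be clearer for callers if `UserRepository` can change.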
......
delete from users;
insert into users (email, name) value ('hannah@gmail.com', 'Hannah');
insert into users (email, name) value ('nigel@gmail.com', 'Nigel');
delete from trails;
insert into trails ( Name) value ( 'Caerphilly Coffee Trail');
insert into trails ( Name) value ( 'Penarth Dragon Trail');
delete from locations;
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'St Cenydd','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Castle','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Medieval Trades','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Queen''s War','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Green Lady','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Armoury','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Architecture','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( '21st Century Landmark','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The King''s Arms','','Location description here','Caerphilly',0102);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ('Caerphilly Castle','','Location description here','Caerphilly',0103);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Risca Colliery','','Location description here','Risca',0201);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (19, 'The Esplanade','','Location description here','Penarth',0301);
insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
delete from packs;
insert into packs (name, description) value ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
insert into packs (name, description) value ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
insert into packs (name, description) value ('Welsh Heritage', 'Pack About Welsh Heritage');
delete from stickers;
insert into stickers (packID, stickerID, name, description, rarity) value (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
delete from stickerprogress;
insert into stickerprogress (userID, packID, stickerID) value (1, 1, 1);
insert into stickerprogress (userID, packID, stickerID) value (1, 1, 2);
insert into stickerprogress (userID, packID, stickerID) value (1, 1, 3);
insert into stickerprogress (userID, packID, stickerID) value (1, 1, 5);
insert into stickerprogress (userID, packID, stickerID) value (1, 2, 1);
insert into stickerprogress (userID, packID, stickerID) value (1, 2, 3);
\ No newline at end of file
DELETE FROM users;
INSERT INTO users (id, email, name) VALUE (1, 'admin@gmail.com', 'Admin');
INSERT INTO users (email, name) VALUE ('hannah@gmail.com', 'Hannah');
INSERT INTO users (email, name) VALUE ('nigel@gmail.com', 'Nigel');
INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Nigel');
DELETE FROM trails;
INSERT INTO trails ( Name) VALUE ( 'Caerphilly Coffee Trail');
INSERT INTO trails ( Name) VALUE ( 'Penarth Dragon Trail');
DELETE FROM locations;
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'St Cenydd','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Castle','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Medieval Trades','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Queen''s War','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Green Lady','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Armoury','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Architecture','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( '21st Century Landmark','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The King''s Arms','','Location description here','Caerphilly',0102);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ('Caerphilly Castle','','Location description here','Caerphilly',0103);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Risca Colliery','','Location description here','Risca',0201);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (19, 'The Esplanade','','Location description here','Penarth',0301);
INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
DELETE FROM packs;
INSERT INTO packs (name, description) VALUE ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
INSERT INTO packs (name, description) VALUE ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
INSERT INTO packs (name, description) VALUE ('Welsh Heritage', 'Pack About Welsh Heritage');
DELETE FROM stickers;
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
DELETE FROM stickerprogress;
INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 1);
INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 2);
INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 3);
INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 5);
INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 1);
INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 3);
\ No newline at end of file
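Review bot: The new seed row `INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Nigel');` gives the oscar account the name Nigel, which reads as a copy-paste slip from the line above; presumably `'Oscar'` was intended. The `stickerprogress` rows at the end reference packs and stickers by the ids implied by insertion order, and only the admin user is pinned with an explicit `id`; if the database does not reset an `auto_increment` counter on `DELETE FROM` (the usual MySQL behaviour), a second run of this script assigns fresh ids to `packs` and `stickers` and the progress rows would point at the wrong records, or be rejected outright by the foreign keys added to schema.sql in this commit. Pinning `id` in the `packs` and `stickers` inserts the same way the admin user is pinned would keep the script re-runnable.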
......@@ -32,32 +32,41 @@ CREATE TABLE IF NOT EXISTS locations (
CREATE TABLE IF NOT EXISTS users (
id bigint auto_increment primary key,
email varchar(128) NOT NULL ,
name varchar(30),
name varchar(30) NOT NULL,
dragonProgress int,
dragonsLandmarkIDs longtext
);
CREATE TABLE IF NOT EXISTS packs (
id bigint auto_increment primary key,
name varchar(20),
name varchar(20) NOT NULL,
description text
);
CREATE TABLE IF NOT EXISTS stickers (
id bigint auto_increment primary key,
packID bigint,
packID bigint NOT NULL,
FOREIGN KEY (packID) REFERENCES packs(id)
ON DELETE CASCADE
ON UPDATE RESTRICT,
stickerID bigint, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
name varchar(30),
description text,
stickerID bigint NOT NULL, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
name varchar(30) NOT NULL,
description text NOT NULL,
rarity tinyint
);
CREATE TABLE IF NOT EXISTS stickerProgress (
id bigint auto_increment primary key,
userID bigint,
packID bigint,
stickerID bigint
userID bigint NOT NULL,
FOREIGN KEY (userID) REFERENCES users(id)
ON DELETE CASCADE
ON UPDATE RESTRICT,
packID bigint NOT NULL,
FOREIGN KEY (packID) REFERENCES packs(id)
ON DELETE CASCADE
ON UPDATE RESTRICT,
stickerID bigint NOT NULL,
FOREIGN KEY (stickerID) REFERENCES stickers(id)
ON DELETE CASCADE
ON UPDATE RESTRICT
);
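Review bot: `FOREIGN KEY (stickerID) REFERENCES stickers(id)` points at the global auto-increment key, but the comment on `stickers.stickerID` a few lines above says it is the number within its own pack, and the seed data in this commit writes `stickerprogress` rows such as `(1, 2, 3)` with that per-pack number; the constraint therefore accepts a row whose `stickerID` belongs to a different pack than its `packID` and does not enforce the invariant the table implies. If the per-pack number is what `stickerprogress.stickerID` stores, a composite reference captures it: add `UNIQUE (packID, stickerID)` to `stickers` and replace the two single-column keys on `stickerProgress` with `FOREIGN KEY (packID, stickerID) REFERENCES stickers(packID, stickerID) ON DELETE CASCADE ON UPDATE RESTRICT`. The repository join in `RewardsRepositoryJDBC` compares `stickers.id` to `stickerprogress.stickerID`, so whichever meaning is chosen should be reconciled there as well.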