Commit c15217aa authored by Gabriel Copat's avatar Gabriel Copat

Adjusted SQL queries to better protect from SQL injection

parent e847822d
1 merge request!37Resolve "As a repeat trail visitor , I want to be able to create an account so I can save and review my progress."
...@@ -50,8 +50,8 @@ public class RewardsRepositoryJDBC implements RewardsRepository { ...@@ -50,8 +50,8 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
@Override @Override
public List<Sticker> getAllStickersFromPack(int packID){ public List<Sticker> getAllStickersFromPack(int packID){
String sql= "SELECT * FROM stickers WHERE packID="+packID; String sql= "SELECT * FROM stickers WHERE packID=?";
return jdbc.query(sql, stickerMapper); return jdbc.query(sql, stickerMapper, packID);
} }
@Override @Override
...@@ -59,14 +59,14 @@ public class RewardsRepositoryJDBC implements RewardsRepository { ...@@ -59,14 +59,14 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
/* FINDS ALL STICKERS UNLOCKED BY THE GIVEN USER */ /* FINDS ALL STICKERS UNLOCKED BY THE GIVEN USER */
String sql= "SELECT * FROM stickers LEFT JOIN stickerprogress " + String sql= "SELECT * FROM stickers LEFT JOIN stickerprogress " +
"ON (stickers.id, stickers.packID) = (stickerprogress.stickerID, stickerprogress.packID) " + "ON (stickers.id, stickers.packID) = (stickerprogress.stickerID, stickerprogress.packID) " +
"WHERE stickerprogress.userID="+userID; "WHERE stickerprogress.userID = ? ";
return jdbc.query(sql, stickerMapper); return jdbc.query(sql, stickerMapper, userID);
} }
@Override @Override
public Pack findPackByID(int id){ public Pack findPackByID(int id){
String sql= "SELECT * FROM packs WHERE id="+id; String sql= "SELECT * FROM packs WHERE id= ?";
List<Pack> result = jdbc.query(sql, packMapper); List<Pack> result = jdbc.query(sql, packMapper, id);
return result.isEmpty() ? null : result.get(0); return result.isEmpty() ? null : result.get(0);
} }
} }
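Review bot: The LEFT JOIN in the second hunk behaves as an inner join, because the WHERE clause filters on `stickerprogress.userID = ?`, which is NULL for every stickers row that has no matching progress row; a reader who takes LEFT JOIN at face value will expect all stickers back. Write the query as `"SELECT * FROM stickers JOIN stickerprogress " +`, or, if the intent is "all stickers with an unlocked marker", move the userID predicate into the ON clause and drop the WHERE. The method this hunk belongs to begins before the hunk. The switch to bind parameters closes the injection path in all three queries shown; `findPackByID` still returns null for an unknown id, which the signature does not advertise, so a Javadoc line `@return the pack, or {@code null} if no pack has that id` would make the contract explicit for callers.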
...@@ -15,7 +15,7 @@ import java.util.List; ...@@ -15,7 +15,7 @@ import java.util.List;
@Repository @Repository
public class UserRepositoryJDBC implements UserRepository{ public class UserRepositoryJDBC implements UserRepository{
private JdbcTemplate jdbc; private final JdbcTemplate jdbc;
private RowMapper<User> userMapper; private RowMapper<User> userMapper;
public UserRepositoryJDBC(JdbcTemplate aJdbc){ public UserRepositoryJDBC(JdbcTemplate aJdbc){
...@@ -40,15 +40,15 @@ public class UserRepositoryJDBC implements UserRepository{ ...@@ -40,15 +40,15 @@ public class UserRepositoryJDBC implements UserRepository{
@Override @Override
public User getUserById(int userID){ public User getUserById(int userID){
String sql= "SELECT * FROM users WHERE id="+userID; String sql= "SELECT * FROM users WHERE id=?";
List<User> result = jdbc.query(sql, userMapper); List<User> result = jdbc.query(sql, userMapper, userID);
return result.isEmpty() ? null : result.get(0); return result.isEmpty() ? null : result.get(0);
} }
@Override @Override
public List<Long> getUserStickersFromPack(int userID, int packID) { public List<Long> getUserStickersFromPack(int userID, int packID) {
String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (" + userID + "," + packID + ")"; String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (?,?)";
return jdbc.queryForList(sql, Long.class); return jdbc.queryForList(sql, Long.class, userID, packID);
} }
@Override @Override
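Review bot: The row-value comparison `(userID, packID)= (?,?)` in getUserStickersFromPack is MySQL-specific syntax; the equivalent `WHERE userID = ? AND packID = ?` is portable to any JDBC driver the tests may run against and is what most readers expect. In the first hunk only `jdbc` was made final; if `userMapper` is also assigned once in the constructor that starts at the hunk's last line, `private final RowMapper<User> userMapper;` keeps the two fields consistent. getUserById returns null when no row matches, which nothing documents; a Javadoc `@return the user, or {@code null} when no user has that id` would spell that out.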
delete from users; DELETE FROM users;
insert into users (email, name) value ('hannah@gmail.com', 'Hannah'); INSERT INTO users (id, email, name) VALUE (1, 'admin@gmail.com', 'Admin');
insert into users (email, name) value ('nigel@gmail.com', 'Nigel'); INSERT INTO users (email, name) VALUE ('hannah@gmail.com', 'Hannah');
INSERT INTO users (email, name) VALUE ('nigel@gmail.com', 'Nigel');
delete from trails; INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Nigel');
insert into trails ( Name) value ( 'Caerphilly Coffee Trail');
insert into trails ( Name) value ( 'Penarth Dragon Trail'); DELETE FROM trails;
INSERT INTO trails ( Name) VALUE ( 'Caerphilly Coffee Trail');
delete from locations; INSERT INTO trails ( Name) VALUE ( 'Penarth Dragon Trail');
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'St Cenydd','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Castle','','Location description here','Caerphilly',0101); DELETE FROM locations;
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Medieval Trades','','Location description here','Caerphilly',0101); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'St Cenydd','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Queen''s War','','Location description here','Caerphilly',0101); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Castle','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Green Lady','','Location description here','Caerphilly',0101); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Medieval Trades','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Armoury','','Location description here','Caerphilly',0101); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Queen''s War','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Architecture','','Location description here','Caerphilly',0101); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Green Lady','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( '21st Century Landmark','','Location description here','Caerphilly',0101); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Armoury','','Location description here','Caerphilly',0101);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Architecture','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( '21st Century Landmark','','Location description here','Caerphilly',0101);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The King''s Arms','','Location description here','Caerphilly',0102); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The King''s Arms','','Location description here','Caerphilly',0102);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ('Caerphilly Castle','','Location description here','Caerphilly',0103); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Ty Vaughan House','','Location description here','Caerphilly',0103); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ('Caerphilly Castle','','Location description here','Caerphilly',0103);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Risca Colliery','','Location description here','Risca',0201); INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Risca Colliery','','Location description here','Risca',0201);
INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (19, 'The Esplanade','','Location description here','Penarth',0301);
insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (19, 'The Esplanade','','Location description here','Penarth',0301);
INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
delete from packs;
insert into packs (name, description) value ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
insert into packs (name, description) value ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team'); DELETE FROM packs;
insert into packs (name, description) value ('Welsh Heritage', 'Pack About Welsh Heritage'); INSERT INTO packs (name, description) VALUE ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
INSERT INTO packs (name, description) VALUE ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
delete from stickers; INSERT INTO packs (name, description) VALUE ('Welsh Heritage', 'Pack About Welsh Heritage');
insert into stickers (packID, stickerID, name, description, rarity) value (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (1, 2, 'neco_williams', 'Wales Football Team Player', '2'); DELETE FROM stickers;
insert into stickers (packID, stickerID, name, description, rarity) value (1, 3, 'joe_morrell', 'Wales Football Team Player', '2'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (1, 5, 'connor_roberts', 'Wales Football Team Player', '2'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (3, 1, 'Welsh Lady', 'Welsh Heritage', '1'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (3, 2, 'Welsh Outline', 'Welsh Heritage', '1'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
insert into stickers (packID, stickerID, name, description, rarity) value (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1'); INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
delete from stickerprogress; INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
insert into stickerprogress (userID, packID, stickerID) value (1, 1, 1);
insert into stickerprogress (userID, packID, stickerID) value (1, 1, 2); DELETE FROM stickerprogress;
insert into stickerprogress (userID, packID, stickerID) value (1, 1, 3); INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 1);
insert into stickerprogress (userID, packID, stickerID) value (1, 1, 5); INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 2);
insert into stickerprogress (userID, packID, stickerID) value (1, 2, 1); INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 3);
insert into stickerprogress (userID, packID, stickerID) value (1, 2, 3); INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 5);
\ No newline at end of file INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 1);
INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 3);
\ No newline at end of file
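Review bot: The new row `INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Nigel');` looks like a copy-paste slip; the name should presumably be 'Oscar'. The stickerprogress rows `(1, 2, 1)` and `(1, 2, 3)` store within-pack sticker numbers, but on a fresh database stickers.id is auto-incremented across packs, so pack 2's stickers are ids 6–10; under the schema's new `FOREIGN KEY (stickerID) REFERENCES stickers(id)` these rows are accepted yet point at pack 1 stickers, and the join on (stickers.id, stickers.packID) in RewardsRepositoryJDBC will never match them. Either store stickers.id here (`(1, 2, 6)`, `(1, 2, 8)`) or make the foreign key composite on (packID, stickerID). Note also that `DELETE FROM` does not reset an auto_increment counter on MySQL, so re-running this script yields different ids for every row except the admin user that pins `id` 1 — if any test relies on Hannah being id 2, give the rows explicit ids as well.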
...@@ -32,32 +32,41 @@ CREATE TABLE IF NOT EXISTS locations ( ...@@ -32,32 +32,41 @@ CREATE TABLE IF NOT EXISTS locations (
CREATE TABLE IF NOT EXISTS users ( CREATE TABLE IF NOT EXISTS users (
id bigint auto_increment primary key, id bigint auto_increment primary key,
email varchar(128) NOT NULL , email varchar(128) NOT NULL ,
name varchar(30), name varchar(30) NOT NULL,
dragonProgress int, dragonProgress int,
dragonsLandmarkIDs longtext dragonsLandmarkIDs longtext
); );
CREATE TABLE IF NOT EXISTS packs ( CREATE TABLE IF NOT EXISTS packs (
id bigint auto_increment primary key, id bigint auto_increment primary key,
name varchar(20), name varchar(20) NOT NULL,
description text description text
); );
CREATE TABLE IF NOT EXISTS stickers ( CREATE TABLE IF NOT EXISTS stickers (
id bigint auto_increment primary key, id bigint auto_increment primary key,
packID bigint, packID bigint NOT NULL,
FOREIGN KEY (packID) REFERENCES packs(id) FOREIGN KEY (packID) REFERENCES packs(id)
ON DELETE CASCADE ON DELETE CASCADE
ON UPDATE RESTRICT, ON UPDATE RESTRICT,
stickerID bigint, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/ stickerID bigint NOT NULL, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
name varchar(30), name varchar(30) NOT NULL,
description text, description text NOT NULL,
rarity tinyint rarity tinyint
); );
CREATE TABLE IF NOT EXISTS stickerProgress ( CREATE TABLE IF NOT EXISTS stickerProgress (
id bigint auto_increment primary key, id bigint auto_increment primary key,
userID bigint, userID bigint NOT NULL,
packID bigint, FOREIGN KEY (userID) REFERENCES users(id)
stickerID bigint ON DELETE CASCADE
ON UPDATE RESTRICT,
packID bigint NOT NULL,
FOREIGN KEY (packID) REFERENCES packs(id)
ON DELETE CASCADE
ON UPDATE RESTRICT,
stickerID bigint NOT NULL,
FOREIGN KEY (stickerID) REFERENCES stickers(id)
ON DELETE CASCADE
ON UPDATE RESTRICT
); );
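Review bot: The new `FOREIGN KEY (stickerID) REFERENCES stickers(id)` makes stickerProgress.stickerID the global stickers.id, while the `stickerID` column of stickers earlier in this hunk is documented as the number within its own pack and the seed script and repository queries treat progress rows the same way; with this FK alone a progress row can carry packID 2 and a stickerID that belongs to pack 1 and still be accepted. Since the repository joins on (stickers.id, stickers.packID), enforce that pair instead: add `UNIQUE (packID, id)` to stickers and replace the single-column FK with `FOREIGN KEY (packID, stickerID) REFERENCES stickers(packID, id)`. Nothing prevents the same sticker being recorded twice for a user either; `UNIQUE (userID, packID, stickerID)` on stickerProgress closes that and matches what getUserStickersFromPack returns. Separately, the table is created as `stickerProgress` here but referenced as `stickerprogress` in the Java queries and the seed script; on a MySQL server with case-sensitive table names (the Linux default) those are different tables, so pick one spelling — this predates the commit but the new constraints make the mismatch harder to notice.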