Adjusted SQL queries to better protect from SQL injection

c15217aa · Gabriel Copat · e847822d · c15217aa · c15217aa · c15217aa
Commit c15217aa authored 1 year ago by Gabriel Copat
--- a/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java
+++ b/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java
@@ -50,8 +50,8 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
    @Override
    public List<Sticker> getAllStickersFromPack(int packID){
-        String sql= "SELECT * FROM stickers WHERE packID="+packID;
+        String sql= "SELECT * FROM stickers WHERE packID=?";
-        return jdbc.query(sql, stickerMapper);
+        return jdbc.query(sql, stickerMapper, packID);
    }
    @Override
@@ -59,14 +59,14 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
        /* FINDS ALL STICKERS UNLOCKED BY THE GIVEN USER */
        String sql= "SELECT * FROM stickers LEFT JOIN stickerprogress " +
                "ON (stickers.id, stickers.packID) = (stickerprogress.stickerID, stickerprogress.packID) " +
-                "WHERE stickerprogress.userID="+userID;
+                "WHERE stickerprogress.userID = ? ";
-        return jdbc.query(sql, stickerMapper);
+        return jdbc.query(sql, stickerMapper, userID);
    }
    @Override
    public Pack findPackByID(int id){
-        String sql= "SELECT * FROM packs WHERE id="+id;
+        String sql= "SELECT * FROM packs WHERE id= ?";
-        List<Pack> result = jdbc.query(sql, packMapper);
+        List<Pack> result = jdbc.query(sql, packMapper, id);
        return result.isEmpty() ? null : result.get(0);
    }
 }
--- a/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java
+++ b/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java
@@ -15,7 +15,7 @@ import java.util.List;
 @Repository
 public class UserRepositoryJDBC implements UserRepository{
-    private JdbcTemplate jdbc;
+    private final JdbcTemplate jdbc;
    private RowMapper<User> userMapper;
    public UserRepositoryJDBC(JdbcTemplate aJdbc){
@@ -40,15 +40,15 @@ public class UserRepositoryJDBC implements UserRepository{
    @Override
    public User getUserById(int userID){
-        String sql= "SELECT * FROM users WHERE id="+userID;
+        String sql= "SELECT * FROM users WHERE id=?";
-        List<User> result = jdbc.query(sql, userMapper);
+        List<User> result = jdbc.query(sql, userMapper, userID);
        return result.isEmpty() ? null : result.get(0);
    }
    @Override
    public List<Long> getUserStickersFromPack(int userID, int packID) {
-        String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (" + userID + "," + packID + ")";
+        String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (?,?)";
-        return jdbc.queryForList(sql, Long.class);
+        return jdbc.queryForList(sql, Long.class, userID, packID);
    }
    @Override

--- a/src/main/resources/data.sql
+++ b/src/main/resources/data.sql
-delete from users;
+DELETE FROM users;
-insert into users (email, name) value ('hannah@gmail.com', 'Hannah');
+INSERT INTO users (id, email, name) VALUE (1, 'admin@gmail.com', 'Admin');
-insert into users (email, name) value ('nigel@gmail.com', 'Nigel');
+INSERT INTO users (email, name) VALUE ('hannah@gmail.com', 'Hannah');
+INSERT INTO users (email, name) VALUE ('nigel@gmail.com', 'Nigel');
-delete from trails;
+INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Nigel');
-insert into trails ( Name) value ( 'Caerphilly Coffee Trail');
-insert into trails ( Name) value ( 'Penarth Dragon Trail');
+DELETE FROM trails;
+INSERT INTO trails ( Name) VALUE ( 'Caerphilly Coffee Trail');
-delete from locations;
+INSERT INTO trails ( Name) VALUE ( 'Penarth Dragon Trail');
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'St Cenydd','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Castle','','Location description here','Caerphilly',0101);
+DELETE FROM locations;
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Medieval Trades','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'St Cenydd','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Queen''s War','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Castle','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Green Lady','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Medieval Trades','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Armoury','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Queen''s War','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Architecture','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Green Lady','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( '21st Century Landmark','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Armoury','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Architecture','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( '21st Century Landmark','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The King''s Arms','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The King''s Arms','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ('Caerphilly Castle','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ('Caerphilly Castle','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Risca Colliery','','Location description here','Risca',0201);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Risca Colliery','','Location description here','Risca',0201);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
-insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (19, 'The Esplanade','','Location description here','Penarth',0301);
-insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
+INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (19, 'The Esplanade','','Location description here','Penarth',0301);
+INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
-delete from packs;
-insert into packs (name, description) value ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
-insert into packs (name, description) value ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
+DELETE FROM packs;
-insert into packs (name, description) value ('Welsh Heritage', 'Pack About Welsh Heritage');
+INSERT INTO packs (name, description) VALUE ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
+INSERT INTO packs (name, description) VALUE ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
-delete from stickers;
+INSERT INTO packs (name, description) VALUE ('Welsh Heritage', 'Pack About Welsh Heritage');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
+DELETE FROM stickers;
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
-delete from stickerprogress;
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 1);
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 2);
+DELETE FROM stickerprogress;
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 3);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 1);
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 5);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 2);
-insert into stickerprogress (userID, packID, stickerID) value (1, 2, 1);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 3);
-insert into stickerprogress (userID, packID, stickerID) value (1, 2, 3);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 5);
\ No newline at end of file
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 1);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 3);
\ No newline at end of file
--- a/src/main/resources/schema.sql
+++ b/src/main/resources/schema.sql
@@ -32,32 +32,41 @@ CREATE TABLE IF NOT EXISTS locations (
 CREATE TABLE IF NOT EXISTS users (
    id bigint auto_increment primary key,
    email varchar(128) NOT NULL ,
-    name varchar(30),
+    name varchar(30) NOT NULL,
    dragonProgress int,
    dragonsLandmarkIDs longtext
 );
 CREATE TABLE IF NOT EXISTS packs (
    id bigint auto_increment primary key,
-    name varchar(20),
+    name varchar(20) NOT NULL,
    description text
 );
 CREATE TABLE IF NOT EXISTS stickers (
    id bigint auto_increment primary key,
-    packID bigint,
+    packID bigint NOT NULL,
    FOREIGN KEY (packID) REFERENCES packs(id)
        ON DELETE CASCADE
        ON UPDATE RESTRICT,
-    stickerID bigint, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
+    stickerID bigint NOT NULL, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
-    name varchar(30),
+    name varchar(30) NOT NULL,
-    description text,
+    description text NOT NULL,
    rarity tinyint
 );
 CREATE TABLE IF NOT EXISTS stickerProgress (
    id bigint auto_increment primary key,
-    userID bigint,
+    userID bigint NOT NULL,
-    packID bigint,
+    FOREIGN KEY (userID) REFERENCES users(id)
-    stickerID bigint
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT,
+    packID bigint NOT NULL,
+    FOREIGN KEY (packID) REFERENCES packs(id)
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT,
+    stickerID bigint NOT NULL,
+        FOREIGN KEY (stickerID) REFERENCES stickers(id)
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT
 );