From c15217aa62e60a6f8dfe2d85e0566289dcfdcf34 Mon Sep 17 00:00:00 2001
From: Gabriel Copat <copatg@cardiff.ac.uk>
Date: Sat, 9 Dec 2023 11:17:18 +0000
Subject: [PATCH] Adjusted SQL queries to better protect from SQL injection

---
 .../rewards/RewardsRepositoryJDBC.java | 12 +-
 .../SmartTowns/users/UserRepositoryJDBC.java | 10 +-
 src/main/resources/data.sql | 128 +++++++++--------
 src/main/resources/schema.sql | 27 ++--
 4 files changed, 94 insertions(+), 83 deletions(-)

diff --git a/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java b/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java
index 4bda88a5..e824428f 100644
--- a/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java
+++ b/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java
@@ -50,8 +50,8 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
 
     @Override
     public List<Sticker> getAllStickersFromPack(int packID){
-        String sql= "SELECT * FROM stickers WHERE packID="+packID;
-        return jdbc.query(sql, stickerMapper);
+        String sql= "SELECT * FROM stickers WHERE packID=?";
+        return jdbc.query(sql, stickerMapper, packID);
     }
 
     @Override
@@ -59,14 +59,14 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
         /* FINDS ALL STICKERS UNLOCKED BY THE GIVEN USER */
         String sql= "SELECT * FROM stickers LEFT JOIN stickerprogress " +
                 "ON (stickers.id, stickers.packID) = (stickerprogress.stickerID, stickerprogress.packID) " +
-                "WHERE stickerprogress.userID="+userID;
-        return jdbc.query(sql, stickerMapper);
+                "WHERE stickerprogress.userID = ? ";
+        return jdbc.query(sql, stickerMapper, userID);
     }
 
     @Override
     public Pack findPackByID(int id){
-        String sql= "SELECT * FROM packs WHERE id="+id;
-        List<Pack> result = jdbc.query(sql, packMapper);
+        String sql= "SELECT * FROM packs WHERE id= ?";
+        List<Pack> result = jdbc.query(sql, packMapper, id);
         return result.isEmpty() ? null : result.get(0);
     }
 }
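Review bot: In the second hunk the query is written as `LEFT JOIN stickerprogress ... WHERE stickerprogress.userID = ?`, and because the WHERE clause filters on the right-hand table, stickers without a matching progress row are discarded anyway, so the LEFT JOIN behaves as an inner join; `"SELECT * FROM stickers JOIN stickerprogress "` states that intent directly, and the trailing space in `"WHERE stickerprogress.userID = ? "` can go. The method this hunk belongs to starts above the hunk, so this reading rests on the `/* FINDS ALL STICKERS UNLOCKED BY THE GIVEN USER */` comment. findPackByID in the same hunk still returns `null` for an unknown id; that is pre-existing, but the contract is undocumented, and a one-line Javadoc `/** @return the pack with the given id, or null if no such pack exists */` would tell callers they must null-check.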
diff --git a/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java b/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java
index 94ed2361..0866a8a1 100644
--- a/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java
+++ b/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java
@@ -15,7 +15,7 @@ import java.util.List;
 
 @Repository
 public class UserRepositoryJDBC implements UserRepository{
-    private JdbcTemplate jdbc;
+    private final JdbcTemplate jdbc;
     private RowMapper<User> userMapper;
 
     public UserRepositoryJDBC(JdbcTemplate aJdbc){
@@ -40,15 +40,15 @@ public class UserRepositoryJDBC implements UserRepository{
 
     @Override
     public User getUserById(int userID){
-        String sql= "SELECT * FROM users WHERE id="+userID;
-        List<User> result = jdbc.query(sql, userMapper);
+        String sql= "SELECT * FROM users WHERE id=?";
+        List<User> result = jdbc.query(sql, userMapper, userID);
         return result.isEmpty() ? null : result.get(0);
     }
 
     @Override
     public List<Long> getUserStickersFromPack(int userID, int packID) {
-        String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (" + userID + "," + packID + ")";
-        return jdbc.queryForList(sql, Long.class);
+        String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (?,?)";
+        return jdbc.queryForList(sql, Long.class, userID, packID);
     }
 
     @Override
diff --git a/src/main/resources/data.sql b/src/main/resources/data.sql
index 830f9672..3962ef2f 100644
--- a/src/main/resources/data.sql
+++ b/src/main/resources/data.sql
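Review bot: `jdbc` becomes `final` in this hunk but `userMapper`, declared on the very next line, is left mutable; if the mapper is assigned only in the constructor (whose body lies below the hunk), `private final RowMapper<User> userMapper;` keeps the two fields consistent and lets the compiler enforce that the repository is fully initialised after construction.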
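Review bot: The row-constructor predicate `WHERE (userID, packID)= (?,?)` in getUserStickersFromPack is MySQL-specific and hides which bound argument feeds which column; `"SELECT stickerID FROM stickerprogress WHERE userID = ? AND packID = ?"` expresses the same condition in portable SQL and makes the pairing with `userID, packID` in the queryForList call obvious. getUserById just above it returns `null` when no row matches (a context line this commit keeps); since callers must null-check, a Javadoc `/** @return the user with this id, or null if there is none */` is worth adding.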
@@ -1,63 +1,65 @@
-delete from users;
-insert into users (email, name) value ('hannah@gmail.com', 'Hannah');
-insert into users (email, name) value ('nigel@gmail.com', 'Nigel');
-
-delete from trails;
-insert into trails ( Name) value ( 'Caerphilly Coffee Trail');
-insert into trails ( Name) value ( 'Penarth Dragon Trail');
-
-delete from locations;
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'St Cenydd','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Castle','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Medieval Trades','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Queen''s War','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Green Lady','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Armoury','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Architecture','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( '21st Century Landmark','','Location description here','Caerphilly',0101);
-
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The King''s Arms','','Location description here','Caerphilly',0102);
-
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ('Caerphilly Castle','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
-
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Risca Colliery','','Location description here','Risca',0201);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
-
-
-insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (19, 'The Esplanade','','Location description here','Penarth',0301);
-insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
-
-
-delete from packs;
-insert into packs (name, description) value ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
-insert into packs (name, description) value ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
-insert into packs (name, description) value ('Welsh Heritage', 'Pack About Welsh Heritage');
-
-delete from stickers;
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
-
-delete from stickerprogress;
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 1);
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 2);
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 3);
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 5);
-insert into stickerprogress (userID, packID, stickerID) value (1, 2, 1);
-insert into stickerprogress (userID, packID, stickerID) value (1, 2, 3);
\ No newline at end of file
+DELETE FROM users;
+INSERT INTO users (id, email, name) VALUE (1, 'admin@gmail.com', 'Admin');
+INSERT INTO users (email, name) VALUE ('hannah@gmail.com', 'Hannah');
+INSERT INTO users (email, name) VALUE ('nigel@gmail.com', 'Nigel');
+INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Nigel');
+
+DELETE FROM trails;
+INSERT INTO trails ( Name) VALUE ( 'Caerphilly Coffee Trail');
+INSERT INTO trails ( Name) VALUE ( 'Penarth Dragon Trail');
+
+DELETE FROM locations;
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'St Cenydd','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Castle','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Medieval Trades','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Queen''s War','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Green Lady','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Armoury','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Architecture','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( '21st Century Landmark','','Location description here','Caerphilly',0101);
+
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The King''s Arms','','Location description here','Caerphilly',0102);
+
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ('Caerphilly Castle','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
+
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Risca Colliery','','Location description here','Risca',0201);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
+
+
+INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (19, 'The Esplanade','','Location description here','Penarth',0301);
+INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
+
+
+DELETE FROM packs;
+INSERT INTO packs (name, description) VALUE ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
+INSERT INTO packs (name, description) VALUE ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
+INSERT INTO packs (name, description) VALUE ('Welsh Heritage', 'Pack About Welsh Heritage');
+
+DELETE FROM stickers;
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
+
+DELETE FROM stickerprogress;
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 1);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 2);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 3);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 5);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 1);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 3);
\ No newline at end of file
diff --git a/src/main/resources/schema.sql b/src/main/resources/schema.sql
index 8069cb3f..0a6a3f2b 100644
--- a/src/main/resources/schema.sql
+++ b/src/main/resources/schema.sql
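Review bot: The new seed row `INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Nigel');` repeats the name from the line above it, which looks like a copy-paste slip; `INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Oscar');` is presumably what was meant. Note also that the stickerprogress rows all reference userID 1, which this hunk reassigns from Hannah (previously the first auto-increment row) to the explicitly numbered Admin; if the sample progress was meant to belong to Hannah, the userID in those six rows should follow her new position.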
@@ -32,32 +32,41 @@ CREATE TABLE IF NOT EXISTS locations (
 CREATE TABLE IF NOT EXISTS users (
     id bigint auto_increment primary key,
     email varchar(128) NOT NULL ,
-    name varchar(30),
+    name varchar(30) NOT NULL,
     dragonProgress int,
     dragonsLandmarkIDs longtext
 );
 
 CREATE TABLE IF NOT EXISTS packs (
     id bigint auto_increment primary key,
-    name varchar(20),
+    name varchar(20) NOT NULL,
     description text
 );
 
 CREATE TABLE IF NOT EXISTS stickers (
     id bigint auto_increment primary key,
-    packID bigint,
+    packID bigint NOT NULL,
     FOREIGN KEY (packID) REFERENCES packs(id)
         ON DELETE CASCADE
         ON UPDATE RESTRICT,
-    stickerID bigint, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
-    name varchar(30),
-    description text,
+    stickerID bigint NOT NULL, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
+    name varchar(30) NOT NULL,
+    description text NOT NULL,
     rarity tinyint
 );
 
 CREATE TABLE IF NOT EXISTS stickerProgress (
     id bigint auto_increment primary key,
-    userID bigint,
-    packID bigint,
-    stickerID bigint
+    userID bigint NOT NULL,
+    FOREIGN KEY (userID) REFERENCES users(id)
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT,
+    packID bigint NOT NULL,
+    FOREIGN KEY (packID) REFERENCES packs(id)
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT,
+    stickerID bigint NOT NULL,
+    FOREIGN KEY (stickerID) REFERENCES stickers(id)
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT
 );
-- GitLab
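Review bot: The new `FOREIGN KEY (stickerID) REFERENCES stickers(id)` on stickerProgress pins stickerProgress.stickerID to the surrogate key stickers.id, while the rest of the patch treats that column as the per-pack number: stickers.stickerID is commented `STICKER ID NUMBER WITHIN ITS OWN PACK`, and data.sql seeds `stickerprogress (userID, packID, stickerID) VALUE (1, 2, 1)` and `(1, 2, 3)`, which under this constraint resolve to stickers.id 1 and 3 — rows in pack 1, not pack 2. The constraint is satisfied because those ids exist, so nothing fails at load time, which is exactly what makes the mismatch easy to miss; the join in RewardsRepositoryJDBC compares stickers.id with stickerprogress.stickerID, so the code already reads the column both ways. Whichever meaning is chosen, the seed data, the join and the constraint need to agree; if it is the per-pack number, the foreign key should be composite on (packID, stickerID), which in turn needs a UNIQUE key on stickers(packID, stickerID) — today nothing prevents two stickers with the same number in one pack. Separately, users.email carries no UNIQUE constraint; if it is the login identifier, `email varchar(128) NOT NULL UNIQUE,` is worth adding in the same hunk.
```sql
CREATE TABLE IF NOT EXISTS stickers (
    -- … unchanged: id, packID and its foreign key …
    stickerID bigint NOT NULL, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
    name varchar(30) NOT NULL,
    description text NOT NULL,
    rarity tinyint,
    UNIQUE KEY uq_stickers_pack_sticker (packID, stickerID)
);

CREATE TABLE IF NOT EXISTS stickerProgress (
    -- … unchanged: id, userID and its foreign key …
    packID bigint NOT NULL,
    FOREIGN KEY (packID) REFERENCES packs(id)
        ON DELETE CASCADE
        ON UPDATE RESTRICT,
    stickerID bigint NOT NULL,
    FOREIGN KEY (packID, stickerID) REFERENCES stickers(packID, stickerID)
        ON DELETE CASCADE
        ON UPDATE RESTRICT
);
```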