From c15217aa62e60a6f8dfe2d85e0566289dcfdcf34 Mon Sep 17 00:00:00 2001
From: Gabriel Copat <copatg@cardiff.ac.uk>
Date: Sat, 9 Dec 2023 11:17:18 +0000
Subject: [PATCH] Adjusted SQL queries to better protect from SQL injection

---
 .../rewards/RewardsRepositoryJDBC.java        |  12 +-
 .../SmartTowns/users/UserRepositoryJDBC.java  |  10 +-
 src/main/resources/data.sql                   | 128 +++++++++---------
 src/main/resources/schema.sql                 |  27 ++--
 4 files changed, 94 insertions(+), 83 deletions(-)

diff --git a/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java b/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java
index 4bda88a5..e824428f 100644
--- a/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java
+++ b/src/main/java/Team5/SmartTowns/rewards/RewardsRepositoryJDBC.java
@@ -50,8 +50,8 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
 
     @Override
     public List<Sticker> getAllStickersFromPack(int packID){
-        String sql= "SELECT * FROM stickers WHERE packID="+packID;
-        return jdbc.query(sql, stickerMapper);
+        String sql= "SELECT * FROM stickers WHERE packID=?";
+        return jdbc.query(sql, stickerMapper, packID);
     }
 
     @Override
@@ -59,14 +59,14 @@ public class RewardsRepositoryJDBC implements RewardsRepository {
         /* FINDS ALL STICKERS UNLOCKED BY THE GIVEN USER */
         String sql= "SELECT * FROM stickers LEFT JOIN stickerprogress " +
                 "ON (stickers.id, stickers.packID) = (stickerprogress.stickerID, stickerprogress.packID) " +
-                "WHERE stickerprogress.userID="+userID;
-        return jdbc.query(sql, stickerMapper);
+                "WHERE stickerprogress.userID = ? ";
+        return jdbc.query(sql, stickerMapper, userID);
     }
 
     @Override
     public Pack findPackByID(int id){
-        String sql= "SELECT * FROM packs WHERE id="+id;
-        List<Pack> result = jdbc.query(sql, packMapper);
+        String sql= "SELECT * FROM packs WHERE id= ?";
+        List<Pack> result = jdbc.query(sql, packMapper, id);
         return result.isEmpty() ? null : result.get(0);
     }
 }
diff --git a/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java b/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java
index 94ed2361..0866a8a1 100644
--- a/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java
+++ b/src/main/java/Team5/SmartTowns/users/UserRepositoryJDBC.java
@@ -15,7 +15,7 @@ import java.util.List;
 
 @Repository
 public class UserRepositoryJDBC implements UserRepository{
-    private JdbcTemplate jdbc;
+    private final JdbcTemplate jdbc;
     private RowMapper<User> userMapper;
 
     public UserRepositoryJDBC(JdbcTemplate aJdbc){
@@ -40,15 +40,15 @@ public class UserRepositoryJDBC implements UserRepository{
 
     @Override
     public User getUserById(int userID){
-        String sql= "SELECT * FROM users WHERE id="+userID;
-        List<User> result = jdbc.query(sql, userMapper);
+        String sql= "SELECT * FROM users WHERE id=?";
+        List<User> result = jdbc.query(sql, userMapper, userID);
         return result.isEmpty() ? null : result.get(0);
     }
 
     @Override
     public List<Long> getUserStickersFromPack(int userID, int packID) {
-        String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (" + userID + "," + packID + ")";
-        return jdbc.queryForList(sql, Long.class);
+        String sql = "SELECT stickerID FROM stickerprogress WHERE (userID, packID)= (?,?)";
+        return jdbc.queryForList(sql, Long.class, userID, packID);
     }
 
     @Override
diff --git a/src/main/resources/data.sql b/src/main/resources/data.sql
index 830f9672..3962ef2f 100644
--- a/src/main/resources/data.sql
+++ b/src/main/resources/data.sql
@@ -1,63 +1,65 @@
-delete from users;
-insert into users (email, name) value ('hannah@gmail.com', 'Hannah');
-insert into users (email, name) value ('nigel@gmail.com', 'Nigel');
-
-delete from trails;
-insert into trails ( Name) value ( 'Caerphilly Coffee Trail');
-insert into trails ( Name) value ( 'Penarth Dragon Trail');
-
-delete from locations;
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'St Cenydd','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Castle','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Medieval Trades','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Queen''s War','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Green Lady','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Armoury','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Architecture','','Location description here','Caerphilly',0101);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( '21st Century Landmark','','Location description here','Caerphilly',0101);
-
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The King''s Arms','','Location description here','Caerphilly',0102);
-
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ('Caerphilly Castle','','Location description here','Caerphilly',0103);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
-
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Risca Colliery','','Location description here','Risca',0201);
-insert into locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
-
-
-insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (19, 'The Esplanade','','Location description here','Penarth',0301);
-insert into locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) value (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
-
-
-delete from packs;
-insert into packs (name, description) value ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
-insert into packs (name, description) value ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
-insert into packs (name, description) value ('Welsh Heritage', 'Pack About Welsh Heritage');
-
-delete from stickers;
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
-insert into stickers (packID, stickerID, name, description, rarity) value (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
-
-delete from stickerprogress;
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 1);
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 2);
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 3);
-insert into stickerprogress (userID, packID, stickerID) value (1, 1, 5);
-insert into stickerprogress (userID, packID, stickerID) value (1, 2, 1);
-insert into stickerprogress (userID, packID, stickerID) value (1, 2, 3);
\ No newline at end of file
+DELETE FROM users;
+INSERT INTO users (id, email, name) VALUE (1, 'admin@gmail.com', 'Admin');
+INSERT INTO users (email, name) VALUE ('hannah@gmail.com', 'Hannah');
+INSERT INTO users (email, name) VALUE ('nigel@gmail.com', 'Nigel');
+INSERT INTO users (email, name) VALUE ('oscar@gmail.com', 'Nigel');
+
+DELETE FROM trails;
+INSERT INTO trails ( Name) VALUE ( 'Caerphilly Coffee Trail');
+INSERT INTO trails ( Name) VALUE ( 'Penarth Dragon Trail');
+
+DELETE FROM locations;
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'St Cenydd','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Castle','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Medieval Trades','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Queen''s War','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Green Lady','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Armoury','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Architecture','','Location description here','Caerphilly',0101);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( '21st Century Landmark','','Location description here','Caerphilly',0101);
+
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'JD Wetherspoons-Malcolm Uphill','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Cwtch','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Conservative Club','','Location description here','Caerphilly',0102);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The King''s Arms','','Location description here','Caerphilly',0102);
+
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Caerphilly Bus Station','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'The Medieval Courthouse','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ('Caerphilly Castle','','Location description here','Caerphilly',0103);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Ty Vaughan House','','Location description here','Caerphilly',0103);
+
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Risca Colliery','','Location description here','Risca',0201);
+INSERT INTO locations ( locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE ( 'Black Vein Colliery Disaster','','Location description here','Risca',0201);
+
+
+INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (19, 'The Esplanade','','Location description here','Penarth',0301);
+INSERT INTO locations (locationID, locationName , locationEmail,locationDescription,locationPlace, locationTrailID) VALUE (20, 'The Old Swimming Baths','','Location description here','Penarth',0301);
+
+
+DELETE FROM packs;
+INSERT INTO packs (name, description) VALUE ('Wales Football Team', 'Pack of Welsh Football Players in the National Team');
+INSERT INTO packs (name, description) VALUE ('Wales Rugby Team', 'Pack of Welsh Rugby Players in the National Team');
+INSERT INTO packs (name, description) VALUE ('Welsh Heritage', 'Pack About Welsh Heritage');
+
+DELETE FROM stickers;
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 1, 'wayne_hennessey', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 2, 'neco_williams', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 3, 'joe_morrell', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 4, 'ethan_ampadu', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (1, 5, 'connor_roberts', 'Wales Football Team Player', '2');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 1, 'Taine_Basham', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 2, 'Adam Beard', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 3, 'Elliot Dee', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 4, 'Corey Domachowski', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (2, 5, 'Ryan Elias', 'Wales Rugby Team Player', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 1, 'Welsh Lady', 'Welsh Heritage', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 2, 'Welsh Outline', 'Welsh Heritage', '1');
+INSERT INTO stickers (packID, stickerID, name, description, rarity) VALUE (3, 3, 'Welsh Spoon', 'Welsh Heritage', '1');
+
+DELETE FROM stickerprogress;
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 1);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 2);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 3);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 1, 5);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 1);
+INSERT INTO stickerprogress (userID, packID, stickerID) VALUE (1, 2, 3);
\ No newline at end of file
diff --git a/src/main/resources/schema.sql b/src/main/resources/schema.sql
index 8069cb3f..0a6a3f2b 100644
--- a/src/main/resources/schema.sql
+++ b/src/main/resources/schema.sql
@@ -32,32 +32,41 @@ CREATE TABLE IF NOT EXISTS locations (
 CREATE TABLE IF NOT EXISTS users (
     id bigint auto_increment primary key,
     email varchar(128) NOT NULL ,
-    name varchar(30),
+    name varchar(30) NOT NULL,
     dragonProgress int,
     dragonsLandmarkIDs longtext
 );
 
 CREATE TABLE IF NOT EXISTS packs (
     id bigint auto_increment primary key,
-    name varchar(20),
+    name varchar(20) NOT NULL,
     description text
 );
 
 CREATE TABLE IF NOT EXISTS stickers (
     id bigint auto_increment primary key,
-    packID bigint,
+    packID bigint NOT NULL,
     FOREIGN KEY (packID) REFERENCES packs(id)
         ON DELETE CASCADE
         ON UPDATE RESTRICT,
-    stickerID bigint, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
-    name varchar(30),
-    description text,
+    stickerID bigint NOT NULL, /*STICKER ID NUMBER WITHIN ITS OWN PACK*/
+    name varchar(30) NOT NULL,
+    description text NOT NULL,
     rarity tinyint
 );
 
 CREATE TABLE IF NOT EXISTS stickerProgress (
     id bigint auto_increment primary key,
-    userID bigint,
-    packID bigint,
-    stickerID bigint
+    userID bigint NOT NULL,
+    FOREIGN KEY (userID) REFERENCES users(id)
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT,
+    packID bigint NOT NULL,
+    FOREIGN KEY (packID) REFERENCES packs(id)
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT,
+    stickerID bigint NOT NULL,
+        FOREIGN KEY (stickerID) REFERENCES stickers(id)
+        ON DELETE CASCADE
+        ON UPDATE RESTRICT
 );
-- 
GitLab