

Prevent SQL-injection
samuel.eriksson committed Sep 4, 2013
1 parent 18d246b commit a545663
Showing 1 changed file with 11 additions and 16 deletions.
@@ -1,11 +1,9 @@
package talentum.escenic.plugins.authenticator.authenticators;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
Expand Down Expand Up @@ -67,20 +65,16 @@ public AuthenticatedUser authenticate(String username, String password,
}
try {


ContentManager contentManager = ContentManager.getContentManager();
List result = new ArrayList();
String sql = "SELECT * FROM " + table + " WHERE "
+ columns.get("username") + "= ? AND "
+ columns.get("password") + "= '?'";

String[] preparedVariables = new String[] {username, password};



+ columns.get("password") + "= ?";
if(log.isDebugEnabled()) {
log.debug(sql);
}
contentManager.doQuery(new Query(sql, preparedVariables, result));
contentManager.doQuery(new Query(sql, new String[] { username, password }, result));

if(log.isDebugEnabled()) {
log.debug("found " + result.size() + " records");
Expand Down Expand Up @@ -140,20 +134,21 @@ public int compare(Object o1, Object o2) {

private static class Query implements TransactionOperation {
private String query;
private String[] args;
private List list;
private String[] variables;

public Query(String query, String[] variables, List list) {
public Query(String query, String[] args, List list) {
this.query = query;
this.variables = variables;
this.args = args;
this.list = list;
}

public void execute(Transaction t) throws SQLException {
//Statement st = t.getConnection().createStatement();
Statement st = t.getConnection().prepareStatement(query, variables);
PreparedStatement prepStmt = t.getConnection().prepareStatement(query);
prepStmt.setString(1, args[0]);
prepStmt.setString(2, args[1]);
try {
ResultSet rs = st.executeQuery(query);
ResultSet rs = prepStmt.executeQuery();
ResultSetMetaData metaData = rs.getMetaData();
while (rs.next()) {
Map map = new HashMap();
Expand All @@ -163,7 +158,7 @@ public void execute(Transaction t) throws SQLException {
list.add(map);
}
} finally {
st.close();
prepStmt.close();
}
}
}
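Review bot: The binding in `execute` is fragile: `prepStmt.setString(1, args[0])` and `prepStmt.setString(2, args[1])` hard-code two placeholders and run before the `try`, so a `Query` built with fewer than two args throws ArrayIndexOutOfBoundsException, and any SQLException raised while binding leaves `prepStmt` unclosed because the `finally` is never reached. Binding in a loop over `args` inside the `try` fixes both and keeps `Query` usable for queries with a different number of parameters; the rewritten lines are below. Separately, the query text in `authenticate` (the second hunk) still splices `table`, `columns.get("username")` and `columns.get("password")` into the SQL as identifiers, which a `?` cannot replace; that is acceptable only if those values come from trusted configuration, so a comment such as `// table/column names are identifiers and cannot be bound; they must come from trusted config, never from the request` would make that assumption visible to the next maintainer. The `authenticate` method and the enclosing class start outside the hunks.

```java
PreparedStatement prepStmt = t.getConnection().prepareStatement(query);
try {
    // Bind every supplied value positionally; avoids the hard-coded 1/2
    // indices and keeps binding inside the try so the statement is closed
    // even when setString fails.
    for (int i = 0; i < args.length; i++) {
        prepStmt.setString(i + 1, args[i]);
    }
    ResultSet rs = prepStmt.executeQuery();
    // … unchanged: metadata lookup and row-to-map loop …
} finally {
    prepStmt.close();
}
```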
