Fixed SQL injection vulnerability
nickzren committed Oct 19, 2016
1 parent 26c1f4b commit cbc79a6
Showing 4 changed files with 27 additions and 16 deletions.
17 changes: 9 additions & 8 deletions src/main/java/model/Input.java
@@ -1,5 +1,6 @@
package model;

import java.sql.PreparedStatement;
import object.Region;
import util.DBManager;
import util.FormatManager;
Expand Down Expand Up @@ -56,11 +57,11 @@ private static Region getRegionByStr(String str) {
}

private static void initRegionListByGeneName(String geneName) throws Exception {
String sql = "SELECT * "
+ "FROM gene_region "
+ "WHERE gene_name='" + geneName + "'";
String sql = "SELECT * FROM gene_region WHERE gene_name=?";

ResultSet rset = DBManager.executeQuery(sql);
PreparedStatement stmt = DBManager.prepareStatement(sql);
stmt.setString(1, geneName);
ResultSet rset = stmt.executeQuery();

if (rset.next()) {
query = rset.getString("gene_name");
Expand All @@ -73,11 +74,11 @@ private static void initRegionListByGeneName(String geneName) throws Exception {
}

private static void initRvisByGene(String geneName) throws Exception {
String sql = "SELECT * "
+ "FROM rvis "
+ "WHERE gene_name='" + geneName + "'";
String sql = "SELECT * FROM rvis WHERE gene_name=?";

ResultSet rset = DBManager.executeQuery(sql);
PreparedStatement stmt = DBManager.prepareStatement(sql);
stmt.setString(1, geneName);
ResultSet rset = stmt.executeQuery();

if (rset.next()) {
float f = FormatManager.getFloat(rset.getObject("rvis_percent"));
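Review bot: Neither the new `PreparedStatement` nor its `ResultSet` is closed in `initRegionListByGeneName` or `initRvisByGene`: `stmt` is created, `executeQuery()` is called, and the method then returns or throws without `stmt.close()`, so every lookup leaves a statement handle open on what appears to be a shared connection. Wrapping both resources in try-with-resources fixes it, e.g. `try (PreparedStatement stmt = DBManager.prepareStatement(sql); ResultSet rset = stmt.executeQuery()) {` around the existing `if (rset.next())` block. The previous `DBManager.executeQuery` path presumably reused one `Statement`, so this leak is introduced by the commit rather than inherited. Both method bodies continue past the hunk, so the closing brace of the try block belongs after code not shown here.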
15 changes: 9 additions & 6 deletions src/main/java/model/Output.java
@@ -1,5 +1,6 @@
package model;

import java.sql.PreparedStatement;
import object.Region;
import object.Variant;
import util.DBManager;
Expand Down Expand Up @@ -38,12 +39,14 @@ public static void initVariant() throws Exception {

String sql = "SELECT * "
+ "FROM variant_v2 "
+ "WHERE chr='" + tmp[0] + "' "
+ "AND pos=" + tmp[1] + " "
+ "AND ref='" + tmp[2] + "' "
+ "AND allele='" + tmp[3] + "'";

ResultSet rset = DBManager.executeQuery(sql);
+ "WHERE chr= ? AND pos= ? AND ref= ? AND allele= ?";

PreparedStatement stmt = DBManager.prepareStatement(sql);
stmt.setString(1, tmp[0]);
stmt.setInt(2, Integer.valueOf(tmp[1]));
stmt.setString(3, tmp[2]);
stmt.setString(4, tmp[3]);
ResultSet rset = stmt.executeQuery();

if (rset.next()) {
variant = new Variant(rset);
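Review bot: `Integer.valueOf(tmp[1])` in `initVariant` now throws `NumberFormatException` before the query runs when the `pos` field is not an integer; failing closed is correct, but it surfaces as a bare parse error rather than an input-validation message, and `tmp[0]`..`tmp[3]` are still read without a length check (where `tmp` is built is above the hunk). Consider validating up front, e.g. `if (tmp.length < 4) throw new IllegalArgumentException("variant id must have 4 fields");` and parsing `pos` into a local before the statement is prepared. The `PreparedStatement` and `ResultSet` are also never closed here; `try (PreparedStatement stmt = DBManager.prepareStatement(sql); ResultSet rset = stmt.executeQuery()) {` around the `if (rset.next())` block fixes that. The method continues past the hunk on both sides.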
7 changes: 5 additions & 2 deletions src/main/java/object/Variant.java
@@ -1,5 +1,6 @@
package object;

import java.sql.PreparedStatement;
import util.DBManager;
import util.FormatManager;
import java.sql.ResultSet;
Expand Down Expand Up @@ -131,12 +132,14 @@ public Variant(ResultSet rset) throws Exception {
public void initAnnotationMap() throws Exception {
String sql = "SELECT * "
+ "FROM annotation_v2 "
+ "WHERE variant_id = " + id + " "
+ "WHERE variant_id = ? "
+ "ORDER BY igm_rank,"
// when igm_rank is the same, the data sort by "Canonical" = "YES"
+ "case when canonical is null then 1 else 0 end,canonical;";

ResultSet rset = DBManager.executeQuery(sql);
PreparedStatement stmt = DBManager.prepareStatement(sql);
stmt.setInt(1, id);
ResultSet rset = stmt.executeQuery();

while (rset.next()) {
Annotation anno = new Annotation(rset);
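Review bot: The SQL string handed to `prepareStatement` in `initAnnotationMap` still ends with a `;` inside the literal (`...end,canonical;`); not every JDBC driver accepts a trailing terminator in prepared SQL, so dropping it is a cheap portability fix now that the query goes through `prepareStatement` instead of a plain `Statement`. The `PreparedStatement` and `ResultSet` are again never closed; `try (PreparedStatement stmt = DBManager.prepareStatement(sql); ResultSet rset = stmt.executeQuery()) {` around the `while (rset.next())` loop fixes that. The loop body continues past the hunk.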
4 changes: 4 additions & 0 deletions src/main/java/util/DBManager.java
Expand Up @@ -86,4 +86,8 @@ private static void initDataFromSystemConfig() {
public static ResultSet executeQuery(String sqlQuery) throws SQLException {
return statement.executeQuery(sqlQuery);
}

public static PreparedStatement prepareStatement(String sqlQuery) throws SQLException{
return connection.prepareStatement(sqlQuery);
}
}
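Review bot: `executeQuery(String sqlQuery)` stays public alongside the new `prepareStatement`, so the string-concatenation pattern this commit removes can be reintroduced at the next call site with nothing flagging it; once the remaining callers are migrated, mark it `@Deprecated` with a Javadoc pointing to `prepareStatement(String)`, or make it private. The new method also transfers ownership of the `PreparedStatement` to the caller, which should be stated: `/** Prepares sqlQuery on the shared connection; the caller must close the returned statement. */`. `connection` and `statement` appear to be static shared handles (hedged, their declarations are outside the hunk), so a statement left open by one caller ties up resources for every other one. The class header is outside the hunk.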
