From: Felix Schumacher
Date: Thu, 26 Aug 2010 17:20:04 +0000 (+0200)
Subject: * usage of PreparedStatement to prevent sql injection
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=24b2df3a703154ecfcedf0cb7bb108717cb296c8;p=problems.git

* usage of PreparedStatement to prevent sql injection
* get rid of unused variable
---

diff --git a/src/org/mcb/services/udac.java b/src/org/mcb/services/udac.java
index 8ac58a0..afe59e6 100644
--- a/src/org/mcb/services/udac.java
+++ b/src/org/mcb/services/udac.java
@@ -5,8 +5,8 @@ package org.mcb.services;
 * @author yawar.saeed
 */
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
-import java.sql.Statement;
 public class udac {
@@ -20,7 +20,7 @@ public class udac {
 // preparing some objects for connection
 Connection currentCon = null;
 ResultSet rs = null;
- Statement stmt = null;
+ PreparedStatement stmt = null;
 String epass = null;
 String name = null;
 String user_id = null;
@@ -33,18 +33,17 @@ public class udac {
 } catch (Exception e) {
 System.out.println(e);
 }
- String searchQuery = "SELECT a.USER_ID,a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
- searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userId
- + "') AND a.PASSWORD = '" + epass + "'";
+ String searchQuery = "SELECT a.USER_ID,a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID "
+ + "AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?";
 try {
 // connect to DB
 currentCon = connectionmanager.scgm_conn();
- stmt = currentCon.createStatement();
+ stmt = currentCon.prepareStatement(searchQuery);
+ stmt.setString(1, userId);
+ stmt.setString(2, epass);
 rs = stmt.executeQuery(searchQuery);
- boolean hasdata = false;
 while (rs.next()) {
 UserBean user = new UserBean();
- hasdata = true;
 name = rs.getString("NAME");
 user_id = rs.getString("USER_ID");
 branch_code = rs.getString("BRANCH_CODE");
@@ -60,11 +59,9 @@ public class udac {
 user.setValid(true);
 return user;
 }
- if (!hasdata) {
- System.out
- .println("Sorry, you are not a registered user! Please sign up first "
- + searchQuery);
- }
+ System.out
+ .println("Sorry, you are not a registered user! Please sign up first "
+ + searchQuery);
 } catch (Exception ex) {
 System.out.println("Log In failed: An Exception has occurred! " + ex);
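Review bot: `rs = stmt.executeQuery(searchQuery);` still hands the SQL text to the now-prepared `stmt`, which selects the inherited `Statement.executeQuery(String)` overload; JDBC specifies that this overload throws `SQLException` when invoked on a `PreparedStatement`, and a lenient driver would execute the raw text with its `?` placeholders unbound, so the two `setString` bindings are never used and every login ends up in the `catch (Exception ex)` branch below. The line should read `rs = stmt.executeQuery();`. A side effect of the rewrite worth keeping is that the later `println(... + searchQuery)` now logs only the parameterised template rather than a query string containing the submitted credential. The enclosing method starts before this hunk and ends after it.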