diff --git a/WebContent/static/inside_community.htm b/WebContent/static/inside_community.htm
index a10d665..83de616 100644
--- a/WebContent/static/inside_community.htm
+++ b/WebContent/static/inside_community.htm
@@ -6,12 +6,12 @@ 
Community Affairs
 The successes of Altoro Mutual afford the opportunity to make the communities we serve better places to live, work and do business.
 
 Volunteering
-The employees of Altoro Mutual not only give millions of dollars in donations but thousands of hours of volunteer time to their communities each year. Learn about our current volunteer programs.
+The employees of Altoro Mutual not only give millions of dollars in donations but thousands of hours of volunteer time to their communities each year. Learn about our current volunteer programs.
 
 Summer 2006
-The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support.  View the summary report (PDF, 800KB).
+The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support.  View the summary report (PDF, 800KB).
 
 
-Download free Adobe Reader.
+Download free Adobe Reader.
 
-
\ No newline at end of file
+
diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java
index 55303c3..9f733ff 100644
--- a/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java
+++ b/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java
@@ -4,7 +4,7 @@
 application security testing tools. These vulnerabilities may present risks to the
 technical environment in which the application is installed. You must delete and
 uninstall this demonstration application upon completion of the demonstration for
-which it is intended. 
+which it is intended.
 
 IBM DISCLAIMS ALL LIABILITY OF ANY KIND RESULTING FROM YOUR USE OF THE APPLICATION
 OR YOUR FAILURE TO DELETE THE APPLICATION FROM YOUR ENVIRONMENT UPON COMPLETION OF
@@ -14,7 +14,7 @@
 
 IBM AltoroJ
 (c) Copyright IBM Corp. 2008, 2013 All Rights Reserved.
- */
+*/
 package com.ibm.security.appscan.altoromutual.servlet;
 
 import java.io.IOException;
@@ -31,77 +31,79 @@
 import com.ibm.security.appscan.altoromutual.util.ServletUtil;
 
 /**
- * This servlet processes user's login and logout operations
- * Servlet implementation class LoginServlet
- * @author Alexei
- */
+* This servlet processes user's login and logout operations
+* Servlet implementation class LoginServlet
+* @author Alexei
+*/
 public class LoginServlet extends HttpServlet {
-	private static final long serialVersionUID = 1L;
-	
+    private static final long serialVersionUID = 1L;
+
     /**
-     * @see HttpServlet#HttpServlet()
-     */
+    * @see HttpServlet#HttpServlet()
+    */
     public LoginServlet() {
         super();
     }
 
-	/**
-	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
-	 */
-	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		//log out
-		try {
-			HttpSession session = request.getSession(false);
-			session.removeAttribute(ServletUtil.SESSION_ATTR_USER);
-		} catch (Exception e){
-			// do nothing
-		} finally {
-			response.sendRedirect("index.jsp");
-		}
-		
-	}
-
-	/**
-	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
-	 */
-	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		//log in
-		// Create session if there isn't one:
-		HttpSession session = request.getSession(true);
-
-		String username = null;
-		
-		try {
-			username = request.getParameter("uid");
-			if (username != null)
-				username = username.trim().toLowerCase();
-			
-			String password = request.getParameter("passw");
-			password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done
-			
-			if (!DBUtil.isValidUser(username, password)){
-				Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password);
-				throw new Exception("Login Failed: We're sorry, but this username or password was not found in our system. Please try again.");
-			}
-		} catch (Exception ex) {
-			request.getSession(true).setAttribute("loginError", ex.getLocalizedMessage());
-			response.sendRedirect("login.jsp");
-			return;
-		}
-
-		//Handle the cookie using ServletUtil.establishSession(String)
-		try{
-			Cookie accountCookie = ServletUtil.establishSession(username,session);
-			response.addCookie(accountCookie);
-			response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
-			}
-		catch (Exception ex){
-			ex.printStackTrace();
-			response.sendError(500);
-		}
-			
-		
-		return;
-	}
+    /**
+    * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
+    */
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        //log out
+        try {
+            HttpSession session = request.getSession(false);
+            session.removeAttribute(ServletUtil.SESSION_ATTR_USER);
+        } catch (Exception e){
+            // do nothing
+        } finally {
+            response.sendRedirect("index.jsp");
+        }
+
+    }
+
+    /**
+    * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
+    */
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        //log in
+        // Create session if there isn't one:
+        HttpSession session = request.getSession(true);
+
+        String username = null;
+
+        try {
+            username = request.getParameter("uid");
+            if (username != null)
+                username = username.trim().toLowerCase();
+
+            String password = request.getParameter("passw");
+            password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done
+
+            if (!DBUtil.isValidUser(username, password)){
+                Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password);
+                throw new Exception("Login Failed: We're sorry, but this username or password was not found in our system. Please try again.");
+            }
+        } catch (Exception ex) {
+            request.getSession(true).setAttribute("loginError", ex.getLocalizedMessage());
+            response.sendRedirect("login.jsp");
+            return;
+        }
+
+        //Handle the cookie using ServletUtil.establishSession(String)
+        try{
+            Cookie accountCookie = ServletUtil.establishSession(username,session);
+            accountCookie.setHttpOnly(true);
+            accountCookie.setSecure(true);
+            response.addCookie(accountCookie);
+            response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
+            }
+        catch (Exception ex){
+            ex.printStackTrace();
+            response.sendError(500);
+        }
+
+
+        return;
+    }
 
 }
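Review bot: `Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password);` still writes the submitted password into the error log; since this hunk rewrites the whole method it is the place to drop it, e.g. `logError("Login failed >>> User: " + username);`. `password.trim()` runs without the null check that `username` gets two lines earlier, so a request without `passw` raises a NullPointerException whose `getLocalizedMessage()` is then stored in `loginError` and shown on login.jsp instead of the intended text; test `password == null` before trimming and throw the same "Login Failed" exception. `ex.printStackTrace()` in the second catch is kept while this commit removes every other `printStackTrace()` in DBUtil and ServletUtil; route it through Log4AltoroJ for consistency. `accountCookie.setSecure(true)` duplicates the call this commit adds inside ServletUtil.establishSession, which creates the cookie — both flags belong in one place. The session obtained from `request.getSession(true)` before authentication is reused after `isValidUser` succeeds; invalidating it and creating a fresh one on success would close the session-fixation window.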
diff --git a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java
index 3031aa8..204f4dd 100644
--- a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java
+++ b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java
@@ -77,7 +77,6 @@ private DBUtil(){
 				Context environmentContext = (Context) initialContext.lookup("java:comp/env");
 				dataSource = (DataSource)environmentContext.lookup(dataSourceName.trim());
 			} catch (Exception e) {
-				e.printStackTrace();
 				Log4AltoroJ.getInstance().logError(e.getMessage());		
 			}
 			
@@ -210,20 +209,21 @@ public static ArrayList getFeedback (long feedbackId){
 	 * @throws SQLException
 	 */
 	public static boolean isValidUser(String user, String password) throws SQLException{
-		if (user == null || password == null || user.trim().length() == 0 || password.trim().length() == 0)
-			return false; 
-		
-		Connection connection = getConnection();
-		Statement statement = connection.createStatement();
-		
-		ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */
-		
-		if (resultSet.next()){
-			
-				if (resultSet.getInt(1) > 0)
-					return true;
-		}
-		return false;
+	    if (user == null || password == null || user.trim().length() == 0 || password.trim().length() == 0)
+	        return false; 
+	    
+	    Connection connection = getConnection();
+	    PreparedStatement preparedStatement = connection.prepareStatement("SELECT COUNT(*) FROM PEOPLE WHERE USER_ID = ? AND PASSWORD = ?");
+	    preparedStatement.setString(1, user);
+	    preparedStatement.setString(2, password);
+	    
+	    ResultSet resultSet = preparedStatement.executeQuery();
+	    
+	    if (resultSet.next()){
+	        if (resultSet.getInt(1) > 0)
+	            return true;
+	    }
+	    return false;
 	}
 	
 
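Review bot: The new `PreparedStatement` and `ResultSet` in isValidUser are never closed, so every login attempt leaks a statement handle on the pooled connection; the same applies to the rewritten getUserInfo, getAccounts, transferFunds, getTransactions, getAccount, addAccount, addSpecialUser, addUser, changePassword and storeFeedback in this commit. If the project builds on Java 7 or later, try-with-resources fixes it without changing any return value (shown below for this method). The query still compares the stored `PASSWORD` column with the submitted value directly, so the commit removes the injection but leaves plaintext credential comparison in place. `java.sql.PreparedStatement` is used throughout DBUtil but no import change is visible in this diff; if the file does not already import `java.sql.*`, the import needs adding.
```java
Connection connection = getConnection();
try (PreparedStatement preparedStatement = connection.prepareStatement(
        "SELECT COUNT(*) FROM PEOPLE WHERE USER_ID = ? AND PASSWORD = ?")) {
    preparedStatement.setString(1, user);
    preparedStatement.setString(2, password);
    try (ResultSet resultSet = preparedStatement.executeQuery()) {
        return resultSet.next() && resultSet.getInt(1) > 0;
    }
}
```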
@@ -238,9 +238,10 @@ public static User getUserInfo(String username) throws SQLException{
 			return null; 
 		
 		Connection connection = getConnection();
-		Statement statement = connection.createStatement();
-		ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */
-
+		PreparedStatement preparedStatement = connection.prepareStatement("SELECT FIRST_NAME, LAST_NAME, ROLE FROM PEOPLE WHERE USER_ID = ?");
+		preparedStatement.setString(1, username);
+		ResultSet resultSet = preparedStatement.executeQuery();
+	
 		String firstName = null;
 		String lastName = null;
 		String roleString = null;
@@ -255,7 +256,7 @@ public static User getUserInfo(String username) throws SQLException{
 		
 		User user = new User(username, firstName, lastName);
 		
-		if (roleString.equalsIgnoreCase("admin"))
+		if (roleString != null && roleString.equalsIgnoreCase("admin"))
 			user.setRole(Role.Admin);
 		
 		return user;
@@ -272,8 +273,9 @@ public static Account[] getAccounts(String username) throws SQLException{
 			return null; 
 		
 		Connection connection = getConnection();
-		Statement statement = connection.createStatement();
-		ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */
+		PreparedStatement preparedStatement = connection.prepareStatement("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = ?");
+		preparedStatement.setString(1, username);
+		ResultSet resultSet = preparedStatement.executeQuery();
 
 		ArrayList accounts = new ArrayList(3);
 		while (resultSet.next()){
@@ -296,66 +298,79 @@ public static Account[] getAccounts(String username) throws SQLException{
 	 * @return
 	 */
 	public static String transferFunds(String username, long creditActId, long debitActId, double amount) {
-				
-		try {
-			
-			User user = getUserInfo(username);
-			
-			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-
-			Account debitAccount = Account.getAccount(debitActId);
-			Account creditAccount = Account.getAccount(creditActId);
-
-			if (debitAccount == null){
-				return "Originating account is invalid";
-			} 
-			
-			if (creditAccount == null)
-				return "Destination account is invalid";
-			
-			java.sql.Timestamp date = new Timestamp(new java.util.Date().getTime());
-			
-			//in real life we would want to do these updates and transaction entry creation
-			//as one atomic operation
-			
-			long userCC = user.getCreditCardNumber();
-			
-			/* this is the account that the payment will be made from, thus negative amount!*/
-			double debitAmount = -amount; 
-			/* this is the account that the payment will be made to, thus positive amount!*/
-			double creditAmount = amount;
-			
-			/* Credit card account balance is the amount owed, not amount owned 
-			 * (reverse of other accounts). Therefore we have to process balances differently*/
-			if (debitAccount.getAccountId() == userCC)
-				debitAmount = -debitAmount;
-		
-			//create transaction record
-			statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"',"+((debitAccount.getAccountId() == userCC)?"'Cash Advance'":"'Withdrawal'")+","+debitAmount+")," +
-					  "("+creditAccount.getAccountId()+",'"+date+"',"+((creditAccount.getAccountId() == userCC)?"'Payment'":"'Deposit'")+","+creditAmount+")"); 	
-
-			Log4AltoroJ.getInstance().logTransaction(debitAccount.getAccountId()+" - "+ debitAccount.getAccountName(), creditAccount.getAccountId()+" - "+ creditAccount.getAccountName(), amount);
-			
-			if (creditAccount.getAccountId() == userCC)
-				 creditAmount = -creditAmount;
 			
-			//add cash advance fee since the money transfer was made from the credit card 
-			if (debitAccount.getAccountId() == userCC){
-				statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"','Cash Advance Fee',"+CASH_ADVANCE_FEE+")");
-				debitAmount += CASH_ADVANCE_FEE;
-				Log4AltoroJ.getInstance().logTransaction(String.valueOf(userCC), "N/A", CASH_ADVANCE_FEE);
-			}
-						
-			//update account balances
-			statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (debitAccount.getBalance()+debitAmount) + " WHERE ACCOUNT_ID = " + debitAccount.getAccountId());
-			statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (creditAccount.getBalance()+creditAmount) + " WHERE ACCOUNT_ID = " + creditAccount.getAccountId());
-			
-			return null;
-			
-		} catch (SQLException e) {
-			return "Transaction failed. Please try again later.";
-		}
+	    try {
+	        
+	        User user = getUserInfo(username);
+	        
+	        Connection connection = getConnection();
+	        PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?)");
+	
+	        Account debitAccount = Account.getAccount(debitActId);
+	        Account creditAccount = Account.getAccount(creditActId);
+	
+	        if (debitAccount == null){
+	            return "Originating account is invalid";
+	        } 
+	        
+	        if (creditAccount == null)
+	            return "Destination account is invalid";
+	        
+	        java.sql.Timestamp date = new Timestamp(new java.util.Date().getTime());
+	        
+	        double debitAmount = -amount; 
+	        double creditAmount = amount;
+	        
+	        if (debitAccount.getAccountId() == user.getCreditCardNumber())
+	            debitAmount = -debitAmount;
+	    
+	        preparedStatement.setLong(1, debitAccount.getAccountId());
+	        preparedStatement.setTimestamp(2, date);
+	        preparedStatement.setString(3, (debitAccount.getAccountId() == user.getCreditCardNumber()) ? "Cash Advance" : "Withdrawal");
+	        preparedStatement.setDouble(4, debitAmount);
+	        preparedStatement.addBatch();
+	
+	        preparedStatement.setLong(1, creditAccount.getAccountId());
+	        preparedStatement.setTimestamp(2, date);
+	        preparedStatement.setString(3, (creditAccount.getAccountId() == user.getCreditCardNumber()) ? "Payment" : "Deposit");
+	        preparedStatement.setDouble(4, creditAmount);
+	        preparedStatement.addBatch();
+	
+	        preparedStatement.executeBatch();
+	
+	        Log4AltoroJ.getInstance().logTransaction(debitAccount.getAccountId()+" - "+ debitAccount.getAccountName(), creditAccount.getAccountId()+" - "+ creditAccount.getAccountName(), amount);
+	        
+	        if (creditAccount.getAccountId() == user.getCreditCardNumber())
+	            creditAmount = -creditAmount;
+	        
+	        if (debitAccount.getAccountId() == user.getCreditCardNumber()){
+	            PreparedStatement cashAdvanceStatement = connection.prepareStatement("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?)");
+	            cashAdvanceStatement.setLong(1, debitAccount.getAccountId());
+	            cashAdvanceStatement.setTimestamp(2, date);
+	            cashAdvanceStatement.setString(3, "Cash Advance Fee");
+	            cashAdvanceStatement.setDouble(4, CASH_ADVANCE_FEE);
+	            cashAdvanceStatement.execute();
+	            debitAmount += CASH_ADVANCE_FEE;
+	            Log4AltoroJ.getInstance().logTransaction(String.valueOf(user.getCreditCardNumber()), "N/A", CASH_ADVANCE_FEE);
+	        }
+	                    
+	        debitAccount.setBalance(debitAccount.getBalance() + debitAmount);
+	        creditAccount.setBalance(creditAccount.getBalance() + creditAmount);
+	        // Update account balances
+	        PreparedStatement updateStatement = connection.prepareStatement("UPDATE ACCOUNTS SET BALANCE = ? WHERE ACCOUNT_ID = ?");
+	        updateStatement.setDouble(1, debitAccount.getBalance());
+	        updateStatement.setLong(2, debitAccount.getAccountId());
+	        updateStatement.executeUpdate();
+	        
+	        updateStatement.setDouble(1, creditAccount.getBalance());
+	        updateStatement.setLong(2, creditAccount.getAccountId());
+	        updateStatement.executeUpdate();
+	
+	        return null;
+	        
+	    } catch (SQLException e) {
+	        return "Transaction failed. Please try again later.";
+	    }
 	}
 
 
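Review bot: `User user = getUserInfo(username);` can be null (getUserInfo returns null for a blank username, visible in the earlier hunk), and the rewrite dereferences it in six separate `user.getCreditCardNumber()` calls, so a NullPointerException escapes the `catch (SQLException e)` block as an unchecked exception instead of producing the failure message; add `if (user == null) return "Transaction failed. Please try again later.";` after the lookup and hoist `long userCC = user.getCreditCardNumber();` as the old code did. The deleted comment about doing the inserts and balance updates "as one atomic operation" described a problem the rewrite still has: two batched inserts, an optional fee insert and two updates run under auto-commit, so a failure midway leaves TRANSACTIONS and ACCOUNTS inconsistent — wrap the block in `connection.setAutoCommit(false)` with `commit()` on success and `rollback()` in the catch. Unless the caller enforces it, the method still does not check that `debitAccount` belongs to `username` or that `amount` is positive, so those validations remain missing despite the rewrite.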
@@ -372,53 +387,66 @@ public static Transaction[] getTransactions(String startDate, String endDate, Ac
 		if (accounts == null || accounts.length == 0)
 			return null;
 
-			Connection connection = getConnection();
-
-			
-			Statement statement = connection.createStatement();
-			
-			if (rowCount > 0)
-				statement.setMaxRows(rowCount);
+		Connection connection = getConnection();
 
-			StringBuffer acctIds = new StringBuffer();
-			acctIds.append("ACCOUNTID = " + accounts[0].getAccountId());
-			for (int i=1; i0){
-				dateString = "DATE > '" + startDate +" 00:00:00'";
-			} else if (endDate != null && endDate.length()>0){
-				dateString = "DATE < '" + endDate + " 23:59:59'";
+		String query = "SELECT * FROM TRANSACTIONS WHERE (";
+		for (int i = 0; i < accounts.length; i++) {
+			query += "ACCOUNTID = ?";
+			if (i < accounts.length - 1) {
+				query += " OR ";
 			}
-			
-			String query = "SELECT * FROM TRANSACTIONS WHERE (" + acctIds.toString() + ") " + ((dateString==null)?"": "AND (" + dateString + ") ") + "ORDER BY DATE DESC" ;
-			ResultSet resultSet = null;
-			
-			try {
-				resultSet = statement.executeQuery(query);
-			} catch (SQLException e){
-				int errorCode = e.getErrorCode();
-				if (errorCode == 30000)
-					throw new SQLException("Date-time query must be in the format of yyyy-mm-dd HH:mm:ss", e);
+		}
+		query += ") ";
+		
+		if (startDate != null && startDate.length()>0 && endDate != null && endDate.length()>0){
+			query += "AND DATE BETWEEN ? AND ? ";
+		} else if (startDate != null && startDate.length()> 0){
+			query += "AND DATE > ? ";
+		} else if (endDate != null && endDate.length()>0){
+			query += "AND DATE < ? ";
+		}
+
+		query += "ORDER BY DATE DESC";
+		
+		PreparedStatement preparedStatement = connection.prepareStatement(query);
+
+		int parameterIndex = 1;
+		for (Account account : accounts) {
+			preparedStatement.setInt(parameterIndex++, account.getAccountId());
+		}
+
+		if (startDate != null && startDate.length()>0 && endDate != null && endDate.length()>0){
+			preparedStatement.setString(parameterIndex++, startDate + " 00:00:00");
+			preparedStatement.setString(parameterIndex, endDate + " 23:59:59");
+		} else if (startDate != null && startDate.length()>0){
+			preparedStatement.setString(parameterIndex, startDate + " 00:00:00");
+		} else if (endDate != null && endDate.length()>0){
+			preparedStatement.setString(parameterIndex, endDate + " 23:59:59");
+		}
+		
+		ResultSet resultSet = null;
+		
+		try {
+			resultSet = preparedStatement.executeQuery();
+		} catch (SQLException e){
+			int errorCode = e.getErrorCode();
+			if (errorCode == 30000)
+				throw new SQLException("Date-time query must be in the format of yyyy-mm-dd HH:mm:ss", e);
 				
-				throw e;
-			}
-			ArrayList transactions = new ArrayList();
-			while (resultSet.next()){
-				int transId = resultSet.getInt("TRANSACTION_ID");
-				long actId = resultSet.getLong("ACCOUNTID");
-				Timestamp date = resultSet.getTimestamp("DATE");
-				String desc = resultSet.getString("TYPE");
-				double amount = resultSet.getDouble("AMOUNT");
-				transactions.add(new Transaction(transId, actId, date, desc, amount));
-			}
-			
-			return transactions.toArray(new Transaction[transactions.size()]); 
+			throw e;
+		}
+
+		ArrayList transactions = new ArrayList();
+		while (resultSet.next()){
+			int transId = resultSet.getInt("TRANSACTION_ID");
+			long actId = resultSet.getLong("ACCOUNTID");
+			Timestamp date = resultSet.getTimestamp("DATE");
+			String desc = resultSet.getString("TYPE");
+			double amount = resultSet.getDouble("AMOUNT");
+			transactions.add(new Transaction(transId, actId, date, desc, amount));
+		}
+
+		return transactions.toArray(new Transaction[transactions.size()]); 
 	}
 
 	public static String[] getBankUsernames() {
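Review bot: The row limit is lost: the old code called `statement.setMaxRows(rowCount)` when `rowCount > 0`, and the rewrite never applies it to `preparedStatement`, so `rowCount` (presumably the final parameter, cut off in the hunk header) is now silently ignored; restore it with `if (rowCount > 0) preparedStatement.setMaxRows(rowCount);` right after `connection.prepareStatement(query)`. `preparedStatement.setInt(parameterIndex++, account.getAccountId())` binds the id as an int although transferFunds binds the same value with `setLong` and the column is read back with `getLong("ACCOUNTID")`; if `getAccountId()` returns long this line does not compile, and either way `setLong` matches the column. The two if/else-if chains that build the date clause and then bind its parameters must be kept in step by hand; collecting the bound values in a list while building `query` (and using a `StringBuilder` instead of `+=` in the loop) removes that coupling. getTransactions' signature is outside the hunk.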
@@ -429,7 +457,7 @@ public static String[] getBankUsernames() {
 			//at the moment this query limits transfers to
 			//transfers between two user accounts
 			ResultSet resultSet =statement.executeQuery("SELECT USER_ID FROM PEOPLE"); 
-
+	
 			ArrayList users = new ArrayList();
 			
 			while (resultSet.next()){
@@ -439,17 +467,17 @@ public static String[] getBankUsernames() {
 			
 			return users.toArray(new String[users.size()]);
 		} catch (SQLException e){
-			e.printStackTrace();
 			return new String[0];
 		}
 	}
 	
 	public static Account getAccount(long accountNo) throws SQLException {
-
+	
 		Connection connection = getConnection();
-		Statement statement = connection.createStatement();
-		ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = "+ accountNo +" "); /* BAD - user input should always be sanitized */
-
+		PreparedStatement statement = connection.prepareStatement("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = ?");
+		statement.setLong(1, accountNo);
+		ResultSet resultSet = statement.executeQuery();
+	
 		ArrayList accounts = new ArrayList(3);
 		while (resultSet.next()){
 			String name = resultSet.getString("ACCOUNT_NAME");
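Review bot: With `e.printStackTrace()` removed, the `catch (SQLException e)` in getBankUsernames now swallows the error completely and returns an empty array, so a broken datasource is indistinguishable from an empty PEOPLE table; storeFeedback in this same commit keeps `Log4AltoroJ.getInstance().logError(e.getMessage());` before returning its sentinel, and the same line belongs here. The same silent-return pattern is introduced in ServletUtil.establishSession and isLoggedin by their printStackTrace removals. In getAccount the new statement is named `statement` while every other rewritten method in this commit calls it `preparedStatement`; pick one name.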
@@ -467,8 +495,10 @@ public static Account getAccount(long accountNo) throws SQLException {
 	public static String addAccount(String username, String acctType) {
 		try {
 			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES ('"+username+"','"+acctType+"', 0)");
+			PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES (?, ?, 0)");
+			preparedStatement.setString(1, username);
+			preparedStatement.setString(2, acctType);
+			preparedStatement.execute();
 			return null;
 		} catch (SQLException e){
 			return e.toString();
@@ -476,56 +506,70 @@ public static String addAccount(String username, String acctType) {
 	}
 	
 	public static String addSpecialUser(String username, String password, String firstname, String lastname) {
-		try {
-			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')");
-			return null;
-		} catch (SQLException e){
-			return e.toString();
-			
-		}
+	    try {
+	        Connection connection = getConnection();
+	        PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES (?,?,?,?,?)");
+	        preparedStatement.setString(1, username);
+	        preparedStatement.setString(2, password);
+	        preparedStatement.setString(3, firstname);
+	        preparedStatement.setString(4, lastname);
+	        preparedStatement.setString(5, "user");
+	        
+	        preparedStatement.executeUpdate();
+	        return null;
+	    } catch (SQLException e){
+	        return e.toString();
+	    }
 	}
 	
 	public static String addUser(String username, String password, String firstname, String lastname) {
-		try {
-			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')");
-			return null;
-		} catch (SQLException e){
-			return e.toString();
-			
+			try {
+				Connection connection = getConnection();
+				PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES (?,?,?,?, 'user')");
+				preparedStatement.setString(1, username);
+				preparedStatement.setString(2, password);
+				preparedStatement.setString(3, firstname);
+				preparedStatement.setString(4, lastname);
+				preparedStatement.execute();
+				return null;
+			} catch (SQLException e){
+				return e.toString();
+			}
 		}
-	}
 	
 	public static String changePassword(String username, String password) {
-		try {
-			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'");
-			return null;
-		} catch (SQLException e){
-			return e.toString();
-			
-		}
+	    try {
+	        Connection connection = getConnection();
+	        String query = "UPDATE PEOPLE SET PASSWORD = ? WHERE USER_ID = ?";
+	        PreparedStatement preparedStatement = connection.prepareStatement(query);
+	        preparedStatement.setString(1, password);
+	        preparedStatement.setString(2, username);
+	        preparedStatement.executeUpdate();
+	        return null;
+	    } catch (SQLException e) {
+	        return e.toString();
+	    }
 	}
 
 	
 	public static long storeFeedback(String name, String email, String subject, String comments) {
-		try{ 
-			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES ('"+name+"', '"+email+"', '"+subject+"', '"+comments+"')", Statement.RETURN_GENERATED_KEYS);
-			ResultSet rs= statement.getGeneratedKeys();
-			long id = -1;
-			if (rs.next()){
-				id = rs.getLong(1);
+			try{ 
+				Connection connection = getConnection();
+				PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES (?, ?, ?, ?)", Statement.RETURN_GENERATED_KEYS);
+				preparedStatement.setString(1, name);
+				preparedStatement.setString(2, email);
+				preparedStatement.setString(3, subject);
+				preparedStatement.setString(4, comments);
+				preparedStatement.executeUpdate();
+				ResultSet rs = preparedStatement.getGeneratedKeys();
+				long id = -1;
+				if (rs.next()){
+					id = rs.getLong(1);
+				}
+				return id;
+			} catch (SQLException e){
+				Log4AltoroJ.getInstance().logError(e.getMessage());
+				return -1;
 			}
-			return id;
-		} catch (SQLException e){
-			Log4AltoroJ.getInstance().logError(e.getMessage());
-			return -1;
 		}
-	}
 }
\ No newline at end of file
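Review bot: addSpecialUser, addUser and changePassword now bind `password` safely but still write it to the PASSWORD column exactly as submitted, and isValidUser compares it the same way, so the commit removes the injection while leaving credentials stored in plaintext; a salted password hash (bcrypt, scrypt or argon2 if the project ships such a library, otherwise PBKDF2 via `javax.crypto.SecretKeyFactory`) should be stored and verified instead. All four methods in this hunk return `e.toString()` to the caller on failure, which carries driver and schema details into whatever the caller renders; return a fixed message and log the exception as storeFeedback does. Indentation is inconsistent within the hunk — addSpecialUser and changePassword use a tab plus four spaces, addUser and storeFeedback are shifted one tab deeper than their signatures and addUser's closing brace now sits at class-member depth — so the file should be run through the formatter once. addSpecialUser binds the role as parameter 5 while addUser inlines `'user'` in the SQL; either works but they should match.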
diff --git a/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java b/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java
index 5629335..b1c5d82 100644
--- a/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java
+++ b/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java
@@ -13,6 +13,18 @@
 import com.ibm.security.appscan.altoromutual.model.Account;
 import com.ibm.security.appscan.altoromutual.model.User;
 
+import java.nio.charset.Charset;
+import java.security.SecureRandom;
+import java.sql.SQLException;
+import java.text.SimpleDateFormat;
+import java.util.Base64;
+import java.util.Date;
+import java.util.Random;
+import java.util.StringTokenizer;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+
 public class OperationsUtil {
 
 	public static String doApiTransfer(HttpServletRequest request, long creditActId, long debitActId,
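Review bot: `import java.util.Random;` is added here although the only visible use of `Random` is replaced by `SecureRandom` in the next hunk; unless another method in the file still uses it, drop it so the unused import does not invite a later `new Random()`. The `java.*` and `javax.*` imports are placed after the project's `com.ibm` imports; the usual grouping puts java, then javax, then project packages.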
@@ -145,7 +157,7 @@ public static User getUser(HttpServletRequest request) throws SQLException{
 	
 	public static String makeRandomString() {
 	    byte[] array = new byte[7]; // length is bounded by 7
-	    new Random().nextBytes(array);
+	    new SecureRandom().nextBytes(array);
 	    String generatedString = new String(array, Charset.forName("UTF-8"));
 	 
 	    return generatedString;
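Review bot: `new String(array, Charset.forName("UTF-8"))` decodes random bytes as UTF-8, so every byte sequence that is not valid UTF-8 collapses to U+FFFD and the resulting string carries far fewer than the 56 bits the seven bytes provide — switching to `SecureRandom` does not address that. `Base64` is imported by this commit, so encode rather than decode: `String generatedString = Base64.getUrlEncoder().withoutPadding().encodeToString(array);`. A `private static final SecureRandom` field avoids constructing a generator on every call, and if the value serves as a token (not visible here) a longer array should be used. The method's closing brace is outside the hunk.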
diff --git a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
index 6524e35..e1990a8 100644
--- a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
+++ b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
@@ -343,11 +343,11 @@ public static Cookie establishSession(String username, HttpSession session){
 			Account[] accounts = user.getAccounts();
 		    String accountStringList = Account.toBase64List(accounts);
 		    Cookie accountCookie = new Cookie(ServletUtil.ALTORO_COOKIE, accountStringList);
+			accountCookie.setSecure(true);
 			session.setAttribute(ServletUtil.SESSION_ATTR_USER, user);
 		    return accountCookie;
 		}
 		catch(SQLException e){
-			e.printStackTrace();
 			return null;
 		}
 	}
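Review bot: `accountCookie.setSecure(true)` is set here and again on the same cookie object in LoginServlet.doPost in this commit, which also sets `setHttpOnly(true)`; since establishSession creates the cookie, both flags belong here and the duplicate calls in the servlet can go: `accountCookie.setSecure(true); accountCookie.setHttpOnly(true);`. With `e.printStackTrace()` gone, the `catch(SQLException e)` returns null with no record of the failure, and LoginServlet then dereferences that null; log the exception before returning (DBUtil uses `Log4AltoroJ.getInstance().logError(e.getMessage());`), and the same applies to isLoggedin in the next hunk. The hunk mixes tab- and space-indented lines (`String accountStringList` vs `accountCookie.setSecure`), so the file needs one pass through the formatter. establishSession's opening lines are outside the hunk.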
@@ -360,7 +360,6 @@ static public boolean isLoggedin(HttpServletRequest request){
 			if (user == null)
 				return false;
 		} catch (Exception e) {
-			e.printStackTrace();
 			return false;
 		}