[JM-1488] - Using Prepared Statement Values to prevent SQL Injection

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10869 b35dd754-fafc-0310-a699-88a17e54d16e

[JM-1488] - Using Prepared Statement Values to prevent SQL Injection
git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10869 b35dd754-fafc-0310-a699-88a17e54d16e
edcfb96b · Thiago Camargo · thiago · 3e99d975 · edcfb96b · edcfb96b
Commit edcfb96b authored Nov 10, 2008 by Thiago Camargo Committed by thiago Nov 10, 2008
Show whitespace changes
Inline Side-by-side

Showing with 225 additions and 172 deletions

CallFilter.java ...ava/org/jivesoftware/openfire/sip/calllog/CallFilter.java +29 -0

CallLogDAO.java ...ava/org/jivesoftware/openfire/sip/calllog/CallLogDAO.java +196 -172

No files found.
--- a/src/plugins/sip/src/java/org/jivesoftware/openfire/sip/calllog/CallFilter.java
+++ b/src/plugins/sip/src/java/org/jivesoftware/openfire/sip/calllog/CallFilter.java
+package org.jivesoftware.openfire.sip.calllog;
+
+import java.util.List;
+
+/**
+ * Holds filtering information for SIP Call Log Display
+ */
+public class CallFilter {
+
+    private String SQL;
+    private List<String> values;
+
+    public CallFilter(String SQL, List<String> values) {
+        this.SQL = SQL;
+        this.values = values;
+    }
+
+    public void setSQL(String SQL) {
+        this.SQL = SQL;
+    }
+
+    public List<String> getValues() {
+        return values;
+    }
+
+    public String getSQL() {
+        return SQL;
+    }
+}
\ No newline at end of file
--- a/src/plugins/sip/src/java/org/jivesoftware/openfire/sip/calllog/CallLogDAO.java
+++ b/src/plugins/sip/src/java/org/jivesoftware/openfire/sip/calllog/CallLogDAO.java
@@ -25,29 +25,29 @@ import java.util.Date;
 import java.util.List;

 /**
- *
 * Database persistence for CallLog class and database methods for call log store
 *
 * @author Thiago Rocha Camargo
 */
 public class CallLogDAO {

+    final static CallFilter emptyFilter = new CallFilter("", new ArrayList<String>());
+
    /**
-     *
     * Return every stored calls that matches to the SQLCondition in the interval between startIndex and endIndex
     *
-     * @param SQLCondition the content of a SQL "Where" clause.
-     * @param startIndex
-     * @param numResults
+     * @param filter     the content of a SQL "Where" clause.
+     * @param startIndex start index of results
+     * @param numResults number of resultes to return
     * @return Collection<CallLog>;
     */
-    public static Collection<CallLog> getCalls(String SQLCondition,
+    public static Collection<CallLog> getCalls(CallFilter filter,
                                               int startIndex, int numResults) {

        String sql = "SELECT * FROM ofSipPhoneLog";

-		sql = SQLCondition != null && !SQLCondition.equals("") ? sql
-				+ " WHERE " + SQLCondition : sql;
+        sql = filter != null && !filter.getSQL().equals("") ? sql
+                + " WHERE " + filter.getSQL() : sql;

        sql += " ORDER BY datetime DESC";

@@ -58,6 +58,12 @@ public class CallLogDAO {
            con = DbConnectionManager.getConnection();
            pstmt = DbConnectionManager.createScrollablePreparedStatement(con,
                    sql);
+
+            int i = 1;
+            for (String value : filter.getValues()) {
+                pstmt.setString(i++, value);
+            }
+
            ResultSet rs = pstmt.executeQuery();
            DbConnectionManager.setFetchSize(rs, startIndex + numResults);
            DbConnectionManager.scrollResultSet(rs, startIndex);
@@ -90,7 +96,6 @@ public class CallLogDAO {


    /**
-     *
     * Read a callLog result set and return a CallLog instance with the information of the resultSet
     *
     * @param rs ResultSet
@@ -127,10 +132,9 @@ public class CallLogDAO {
    }

    /**
-     *
     * Insert a new CallLog into the database
     *
-     * @param callLog
+     * @param callLog call logging
     * @throws SQLException
     */
    public static void insert(CallLog callLog) throws SQLException {
@@ -165,35 +169,36 @@ public class CallLogDAO {

    /**
     * Gets all calls in database for the given range
+     *
     * @param startIndex
     * @param numResults
     * @return Collection<CallLog>
     */
    public static Collection<CallLog> getCalls(int startIndex, int numResults) {
-		return getCalls("", startIndex, numResults);
+        return getCalls(emptyFilter, startIndex, numResults);
    }

    /**
     * Return the number of callLog stored
+     *
     * @return int number
     */
    public static int getLogCount() {
-		return getLogCount("");
+        return getLogCount(emptyFilter);
    }

    /**
-     *
     * Return the number of store callLogs for the given SQLCondition
     *
-     * @param SQLCondition
+     * @param filter call filter
     * @return int number
     */
-    public static int getLogCount(String SQLCondition) {
+    public static int getLogCount(CallFilter filter) {
        int count = 0;

        String sql = "SELECT count(*) FROM ofSipPhoneLog";

-		sql = SQLCondition != null && !SQLCondition.equals("") ? sql + " WHERE " + SQLCondition
+        sql = filter != null && !filter.getSQL().equals("") ? sql + " WHERE " + filter.getSQL()
                : sql;

        Connection con = null;
@@ -201,6 +206,12 @@ public class CallLogDAO {
        try {
            con = DbConnectionManager.getConnection();
            pstmt = con.prepareStatement(sql);
+
+            int i = 1;
+            for (String value : filter.getValues()) {
+                pstmt.setString(i++, value);
+            }
+
            ResultSet rs = pstmt.executeQuery();
            if (rs.next()) {
                count = rs.getInt(1);
@@ -238,28 +249,41 @@ public class CallLogDAO {
     * @param uptoDate
     * @return String
     */
-    public static String createSQLFilter(String username, String numa, String numb,
+    public static CallFilter createSQLFilter(String username, String numa, String numb,
                                             String callType, Date fromDate, Date uptoDate) {

        ArrayList<String> conditions = new ArrayList<String>(10);
+        ArrayList<String> values = new ArrayList<String>(10);

-		if (username != null && !username.trim().equals(""))
-			conditions.add(" username = '" + username.trim() + "' ");
+        if (username != null && !username.trim().equals("")) {
+            conditions.add(" username = ? ");
+            values.add(username.trim());
+        }

-		if (numa != null && !numa.trim().equals(""))
-			conditions.add(" addressFrom = '" + numa.trim() + "' ");
+        if (numa != null && !numa.trim().equals("")) {
+            conditions.add(" addressFrom = ? ");
+            values.add(numa.trim());
+        }

-		if (numb != null && !numb.trim().equals(""))
-			conditions.add(" addressTo = '" + numb.trim() + "' ");
+        if (numb != null && !numb.trim().equals("")) {
+            conditions.add(" addressTo = ? ");
+            values.add(numb.trim());
+        }

-		if (fromDate != null)
-			conditions.add(" datetime >= '" + fromDate.getTime() + "' ");
+        if (fromDate != null) {
+            conditions.add(" datetime >= ? ");
+            values.add(String.valueOf(fromDate.getTime()));
+        }

-		if (uptoDate != null)
-			conditions.add(" datetime <= '" + uptoDate.getTime() + "' ");
+        if (uptoDate != null) {
+            conditions.add(" datetime <= ? ");
+            values.add(String.valueOf(uptoDate.getTime()));
+        }

-		if (callType != null && !callType.trim().equals("") && !callType.trim().equals("all"))
-			conditions.add(" calltype = '" + callType.trim() + "' ");
+        if (callType != null && !callType.trim().equals("") && !callType.trim().equals("all")) {
+            conditions.add(" calltype = ? ");
+            values.add(callType.trim());
+        }

        StringBuilder str = new StringBuilder();
        for (String aux : conditions) {
@@ -268,7 +292,7 @@ public class CallLogDAO {
            str.append(aux);
        }

-		return str.toString();
+        return new CallFilter(str.toString(), values);
    }

 }