Commit edcfb96b authored by Thiago Camargo's avatar Thiago Camargo Committed by thiago

[JM-1488] - Using Prepared Statement Values to prevent SQL Injection


git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10869 b35dd754-fafc-0310-a699-88a17e54d16e
parent 3e99d975
package org.jivesoftware.openfire.sip.calllog;
import java.util.List;
/**
* Holds filtering information for SIP Call Log Display
*/
public class CallFilter {
private String SQL;
private List<String> values;
public CallFilter(String SQL, List<String> values) {
this.SQL = SQL;
this.values = values;
}
public void setSQL(String SQL) {
this.SQL = SQL;
}
public List<String> getValues() {
return values;
}
public String getSQL() {
return SQL;
}
}
\ No newline at end of file
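Review bot: CallFilter stores the caller's `values` list by reference and hands that same mutable instance back from `getValues()`, and `setSQL` lets any holder replace the WHERE text after construction; since CallLogDAO concatenates `getSQL()` straight into the query, this class is the trust boundary the commit introduces and its code should enforce that. A defensive copy in the constructor, `this.values = values == null ? new ArrayList<String>() : new ArrayList<String>(values);`, and `return Collections.unmodifiableList(values);` in the getter (both need `java.util` imports) keep the placeholder count and the bound values from drifting apart after the filter is built. The class also has no Javadoc on the constructor or `setSQL`; a comment such as `/** SQL must contain only "?" placeholders, one per entry in values, and never user-supplied text. */` would state the contract callers have to respect. Minor style: the field and parameter named `SQL` should be `sql` per Java conventions.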
...@@ -25,86 +25,91 @@ import java.util.Date; ...@@ -25,86 +25,91 @@ import java.util.Date;
import java.util.List; import java.util.List;
/** /**
*
* Database persistence for CallLog class and database methods for call log store * Database persistence for CallLog class and database methods for call log store
* *
* @author Thiago Rocha Camargo * @author Thiago Rocha Camargo
*/ */
public class CallLogDAO { public class CallLogDAO {
final static CallFilter emptyFilter = new CallFilter("", new ArrayList<String>());
/** /**
*
* Return every stored calls that matches to the SQLCondition in the interval between startIndex and endIndex * Return every stored calls that matches to the SQLCondition in the interval between startIndex and endIndex
* *
* @param SQLCondition the content of a SQL "Where" clause. * @param filter the content of a SQL "Where" clause.
* @param startIndex * @param startIndex start index of results
* @param numResults * @param numResults number of resultes to return
* @return Collection<CallLog>; * @return Collection<CallLog>;
*/ */
public static Collection<CallLog> getCalls(String SQLCondition, public static Collection<CallLog> getCalls(CallFilter filter,
int startIndex, int numResults) { int startIndex, int numResults) {
String sql = "SELECT * FROM ofSipPhoneLog"; String sql = "SELECT * FROM ofSipPhoneLog";
sql = SQLCondition != null && !SQLCondition.equals("") ? sql sql = filter != null && !filter.getSQL().equals("") ? sql
+ " WHERE " + SQLCondition : sql; + " WHERE " + filter.getSQL() : sql;
sql += " ORDER BY datetime DESC"; sql += " ORDER BY datetime DESC";
List<CallLog> calls = new ArrayList<CallLog>(numResults); List<CallLog> calls = new ArrayList<CallLog>(numResults);
Connection con = null; Connection con = null;
PreparedStatement pstmt = null; PreparedStatement pstmt = null;
try { try {
con = DbConnectionManager.getConnection(); con = DbConnectionManager.getConnection();
pstmt = DbConnectionManager.createScrollablePreparedStatement(con, pstmt = DbConnectionManager.createScrollablePreparedStatement(con,
sql); sql);
ResultSet rs = pstmt.executeQuery();
DbConnectionManager.setFetchSize(rs, startIndex + numResults); int i = 1;
DbConnectionManager.scrollResultSet(rs, startIndex); for (String value : filter.getValues()) {
int count = 0; pstmt.setString(i++, value);
while (rs.next() && count < numResults) { }
calls.add(read(rs));
count++; ResultSet rs = pstmt.executeQuery();
} DbConnectionManager.setFetchSize(rs, startIndex + numResults);
rs.close(); DbConnectionManager.scrollResultSet(rs, startIndex);
} catch (SQLException e) { int count = 0;
Log.error(e); while (rs.next() && count < numResults) {
} finally { calls.add(read(rs));
try { count++;
if (pstmt != null) { }
pstmt.close(); rs.close();
} } catch (SQLException e) {
} catch (Exception e) { Log.error(e);
Log.error(e); } finally {
} try {
try { if (pstmt != null) {
if (con != null) { pstmt.close();
con.close(); }
} } catch (Exception e) {
} catch (Exception e) { Log.error(e);
Log.error(e); }
} try {
} if (con != null) {
return calls; con.close();
} }
} catch (Exception e) {
Log.error(e);
}
}
return calls;
}
/** /**
*
* Read a callLog result set and return a CallLog instance with the information of the resultSet * Read a callLog result set and return a CallLog instance with the information of the resultSet
* *
* @param rs ResultSet * @param rs ResultSet
* @return CallLog * @return CallLog
*/ */
private static CallLog read(ResultSet rs) { private static CallLog read(ResultSet rs) {
CallLog callLog = null; CallLog callLog = null;
try { try {
String username = rs.getString("username"); String username = rs.getString("username");
String numA = rs.getString("addressFrom"); String numA = rs.getString("addressFrom");
String numB = rs.getString("addressTo"); String numB = rs.getString("addressTo");
long dateTime = rs.getLong("datetime"); long dateTime = rs.getLong("datetime");
int duration = rs.getInt("duration"); int duration = rs.getInt("duration");
String callType = rs.getString("calltype"); String callType = rs.getString("calltype");
if ("loss".equals(callType)) { if ("loss".equals(callType)) {
// Backwards compatibility change // Backwards compatibility change
...@@ -112,120 +117,126 @@ public class CallLogDAO { ...@@ -112,120 +117,126 @@ public class CallLogDAO {
} }
CallLog.Type type = CallLog.Type.valueOf(callType); CallLog.Type type = CallLog.Type.valueOf(callType);
callLog = new CallLog(username); callLog = new CallLog(username);
callLog.setNumA(numA); callLog.setNumA(numA);
callLog.setNumB(numB); callLog.setNumB(numB);
callLog.setDateTime(dateTime); callLog.setDateTime(dateTime);
callLog.setDuration(duration); callLog.setDuration(duration);
callLog.setType(type); callLog.setType(type);
} catch (SQLException e) { } catch (SQLException e) {
Log.error(e.getMessage(), e); Log.error(e.getMessage(), e);
} }
return callLog; return callLog;
} }
/** /**
*
* Insert a new CallLog into the database * Insert a new CallLog into the database
* *
* @param callLog * @param callLog call logging
* @throws SQLException * @throws SQLException
*/ */
public static void insert(CallLog callLog) throws SQLException { public static void insert(CallLog callLog) throws SQLException {
String sql = "INSERT INTO ofSipPhoneLog (username, addressFrom, addressTo, datetime, duration, calltype) " String sql = "INSERT INTO ofSipPhoneLog (username, addressFrom, addressTo, datetime, duration, calltype) "
+ " values (?, ?, ?, ?, ?, ?)"; + " values (?, ?, ?, ?, ?, ?)";
Connection con = null; Connection con = null;
PreparedStatement psmt = null; PreparedStatement psmt = null;
ResultSet rs = null; ResultSet rs = null;
try { try {
con = DbConnectionManager.getConnection(); con = DbConnectionManager.getConnection();
psmt = con.prepareStatement(sql); psmt = con.prepareStatement(sql);
psmt.setString(1, callLog.getUsername()); psmt.setString(1, callLog.getUsername());
psmt.setString(2, callLog.getNumA()); psmt.setString(2, callLog.getNumA());
psmt.setString(3, callLog.getNumB()); psmt.setString(3, callLog.getNumB());
psmt.setLong(4, callLog.getDateTime()); psmt.setLong(4, callLog.getDateTime());
psmt.setInt(5, callLog.getDuration()); psmt.setInt(5, callLog.getDuration());
psmt.setString(6, callLog.getType().name()); psmt.setString(6, callLog.getType().name());
psmt.executeUpdate(); psmt.executeUpdate();
} catch (SQLException e) { } catch (SQLException e) {
Log.error(e.getMessage(), e); Log.error(e.getMessage(), e);
throw new SQLException(e.getMessage()); throw new SQLException(e.getMessage());
} finally { } finally {
DbConnectionManager.closeConnection(rs, psmt, con); DbConnectionManager.closeConnection(rs, psmt, con);
} }
} }
/** /**
* Gets all calls in database for the given range * Gets all calls in database for the given range
*
* @param startIndex * @param startIndex
* @param numResults * @param numResults
* @return Collection<CallLog> * @return Collection<CallLog>
*/ */
public static Collection<CallLog> getCalls(int startIndex, int numResults) { public static Collection<CallLog> getCalls(int startIndex, int numResults) {
return getCalls("", startIndex, numResults); return getCalls(emptyFilter, startIndex, numResults);
} }
/** /**
* Return the number of callLog stored * Return the number of callLog stored
*
* @return int number * @return int number
*/ */
public static int getLogCount() { public static int getLogCount() {
return getLogCount(""); return getLogCount(emptyFilter);
} }
/** /**
*
* Return the number of store callLogs for the given SQLCondition * Return the number of store callLogs for the given SQLCondition
* *
* @param SQLCondition * @param filter call filter
* @return int number * @return int number
*/ */
public static int getLogCount(String SQLCondition) { public static int getLogCount(CallFilter filter) {
int count = 0; int count = 0;
String sql = "SELECT count(*) FROM ofSipPhoneLog"; String sql = "SELECT count(*) FROM ofSipPhoneLog";
sql = SQLCondition != null && !SQLCondition.equals("") ? sql + " WHERE " + SQLCondition sql = filter != null && !filter.getSQL().equals("") ? sql + " WHERE " + filter.getSQL()
: sql; : sql;
Connection con = null; Connection con = null;
PreparedStatement pstmt = null; PreparedStatement pstmt = null;
try { try {
con = DbConnectionManager.getConnection(); con = DbConnectionManager.getConnection();
pstmt = con.prepareStatement(sql); pstmt = con.prepareStatement(sql);
ResultSet rs = pstmt.executeQuery();
if (rs.next()) { int i = 1;
count = rs.getInt(1); for (String value : filter.getValues()) {
} pstmt.setString(i++, value);
rs.close(); }
} catch (SQLException e) {
Log.error(e); ResultSet rs = pstmt.executeQuery();
} finally { if (rs.next()) {
try { count = rs.getInt(1);
if (pstmt != null) { }
pstmt.close(); rs.close();
} } catch (SQLException e) {
} catch (Exception e) { Log.error(e);
Log.error(e); } finally {
} try {
try { if (pstmt != null) {
if (con != null) { pstmt.close();
con.close(); }
} } catch (Exception e) {
} catch (Exception e) { Log.error(e);
Log.error(e); }
} try {
} if (con != null) {
return count; con.close();
} }
} catch (Exception e) {
Log.error(e);
}
}
return count;
}
/** /**
* Create a SQLFilter ( SQL Condition ) for CallLog entries * Create a SQLFilter ( SQL Condition ) for CallLog entries
...@@ -238,38 +249,51 @@ public class CallLogDAO { ...@@ -238,38 +249,51 @@ public class CallLogDAO {
* @param uptoDate * @param uptoDate
* @return String * @return String
*/ */
public static String createSQLFilter(String username, String numa, String numb, public static CallFilter createSQLFilter(String username, String numa, String numb,
String callType, Date fromDate, Date uptoDate) { String callType, Date fromDate, Date uptoDate) {
ArrayList<String> conditions = new ArrayList<String>(10); ArrayList<String> conditions = new ArrayList<String>(10);
ArrayList<String> values = new ArrayList<String>(10);
if (username != null && !username.trim().equals(""))
conditions.add(" username = '" + username.trim() + "' "); if (username != null && !username.trim().equals("")) {
conditions.add(" username = ? ");
if (numa != null && !numa.trim().equals("")) values.add(username.trim());
conditions.add(" addressFrom = '" + numa.trim() + "' "); }
if (numb != null && !numb.trim().equals("")) if (numa != null && !numa.trim().equals("")) {
conditions.add(" addressTo = '" + numb.trim() + "' "); conditions.add(" addressFrom = ? ");
values.add(numa.trim());
if (fromDate != null) }
conditions.add(" datetime >= '" + fromDate.getTime() + "' ");
if (numb != null && !numb.trim().equals("")) {
if (uptoDate != null) conditions.add(" addressTo = ? ");
conditions.add(" datetime <= '" + uptoDate.getTime() + "' "); values.add(numb.trim());
}
if (callType != null && !callType.trim().equals("") && !callType.trim().equals("all"))
conditions.add(" calltype = '" + callType.trim() + "' "); if (fromDate != null) {
conditions.add(" datetime >= ? ");
StringBuilder str = new StringBuilder(); values.add(String.valueOf(fromDate.getTime()));
for (String aux : conditions) { }
if (str.length() > 0)
str.append("AND"); if (uptoDate != null) {
str.append(aux); conditions.add(" datetime <= ? ");
} values.add(String.valueOf(uptoDate.getTime()));
}
return str.toString();
} if (callType != null && !callType.trim().equals("") && !callType.trim().equals("all")) {
conditions.add(" calltype = ? ");
values.add(callType.trim());
}
StringBuilder str = new StringBuilder();
for (String aux : conditions) {
if (str.length() > 0)
str.append("AND");
str.append(aux);
}
return new CallFilter(str.toString(), values);
}
} }
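Review bot: In the new getCalls the WHERE clause is appended only when `filter != null`, but the binding loop that follows, `for (String value : filter.getValues())`, dereferences `filter` unconditionally, so a null filter now throws NullPointerException where the old code ran the unfiltered query; getLogCount(CallFilter) has the same mismatch between its null guard and its loop. Guarding the loop, `if (filter != null) { for (String value : filter.getValues()) { pstmt.setString(i++, value); } }`, or normalising `filter` to `emptyFilter` at the top of both methods restores the previous behaviour. The WHERE text is still concatenated from `filter.getSQL()`, so the injection fix holds only as long as every caller builds the filter through createSQLFilter; a Javadoc line on getCalls and getLogCount stating that `filter.getSQL()` must contain `?` placeholders only would make that contract explicit. The `datetime` bounds are bound with `setString` while the column is read back with `rs.getLong("datetime")`, which presumably relies on driver-side coercion; `setLong` would be the exact match, though that needs the filter to carry typed values rather than `List<String>`.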