Commit edcfb96b authored by Thiago Camargo's avatar Thiago Camargo Committed by thiago

[JM-1488] - Using Prepared Statement Values to prevent SQL Injection


git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10869 b35dd754-fafc-0310-a699-88a17e54d16e
parent 3e99d975
package org.jivesoftware.openfire.sip.calllog;
import java.util.List;
/**
* Holds filtering information for SIP Call Log Display
*/
public class CallFilter {
private String SQL;
private List<String> values;
public CallFilter(String SQL, List<String> values) {
this.SQL = SQL;
this.values = values;
}
public void setSQL(String SQL) {
this.SQL = SQL;
}
public List<String> getValues() {
return values;
}
public String getSQL() {
return SQL;
}
}
\ No newline at end of file
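Review bot: Nothing in CallFilter ties the SQL fragment to the values bound into it: `setSQL` (L20-L22) replaces the WHERE clause after construction while `values` stays as it was, so the number of ? placeholders and the number of values can drift, and because CallLogDAO hands out one shared static `emptyFilter`, a single `setSQL` call on that instance would silently change the query for every caller of the no-argument overloads. `getValues` also returns the internal list, so a caller can append to it and the same drift occurs. I would make both fields `private final`, drop `setSQL` unless a caller outside this commit needs it, and copy on the way in: `this.values = Collections.unmodifiableList(new ArrayList<String>(values));` (with `java.util.ArrayList` and `java.util.Collections` imported). A class comment stating that the SQL must contain exactly values.size() placeholders and must be built only from fixed fragments, never from request input, would make the contract that createSQLFilter relies on explicit.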
...@@ -25,29 +25,29 @@ import java.util.Date; ...@@ -25,29 +25,29 @@ import java.util.Date;
import java.util.List; import java.util.List;
/** /**
*
* Database persistence for CallLog class and database methods for call log store * Database persistence for CallLog class and database methods for call log store
* *
* @author Thiago Rocha Camargo * @author Thiago Rocha Camargo
*/ */
public class CallLogDAO { public class CallLogDAO {
final static CallFilter emptyFilter = new CallFilter("", new ArrayList<String>());
/** /**
*
* Return every stored calls that matches to the SQLCondition in the interval between startIndex and endIndex * Return every stored calls that matches to the SQLCondition in the interval between startIndex and endIndex
* *
* @param SQLCondition the content of a SQL "Where" clause. * @param filter the content of a SQL "Where" clause.
* @param startIndex * @param startIndex start index of results
* @param numResults * @param numResults number of resultes to return
* @return Collection<CallLog>; * @return Collection<CallLog>;
*/ */
public static Collection<CallLog> getCalls(String SQLCondition, public static Collection<CallLog> getCalls(CallFilter filter,
int startIndex, int numResults) { int startIndex, int numResults) {
String sql = "SELECT * FROM ofSipPhoneLog"; String sql = "SELECT * FROM ofSipPhoneLog";
sql = SQLCondition != null && !SQLCondition.equals("") ? sql sql = filter != null && !filter.getSQL().equals("") ? sql
+ " WHERE " + SQLCondition : sql; + " WHERE " + filter.getSQL() : sql;
sql += " ORDER BY datetime DESC"; sql += " ORDER BY datetime DESC";
...@@ -58,6 +58,12 @@ public class CallLogDAO { ...@@ -58,6 +58,12 @@ public class CallLogDAO {
con = DbConnectionManager.getConnection(); con = DbConnectionManager.getConnection();
pstmt = DbConnectionManager.createScrollablePreparedStatement(con, pstmt = DbConnectionManager.createScrollablePreparedStatement(con,
sql); sql);
int i = 1;
for (String value : filter.getValues()) {
pstmt.setString(i++, value);
}
ResultSet rs = pstmt.executeQuery(); ResultSet rs = pstmt.executeQuery();
DbConnectionManager.setFetchSize(rs, startIndex + numResults); DbConnectionManager.setFetchSize(rs, startIndex + numResults);
DbConnectionManager.scrollResultSet(rs, startIndex); DbConnectionManager.scrollResultSet(rs, startIndex);
...@@ -90,7 +96,6 @@ public class CallLogDAO { ...@@ -90,7 +96,6 @@ public class CallLogDAO {
/** /**
*
* Read a callLog result set and return a CallLog instance with the information of the resultSet * Read a callLog result set and return a CallLog instance with the information of the resultSet
* *
* @param rs ResultSet * @param rs ResultSet
...@@ -127,10 +132,9 @@ public class CallLogDAO { ...@@ -127,10 +132,9 @@ public class CallLogDAO {
} }
/** /**
*
* Insert a new CallLog into the database * Insert a new CallLog into the database
* *
* @param callLog * @param callLog call logging
* @throws SQLException * @throws SQLException
*/ */
public static void insert(CallLog callLog) throws SQLException { public static void insert(CallLog callLog) throws SQLException {
...@@ -165,35 +169,36 @@ public class CallLogDAO { ...@@ -165,35 +169,36 @@ public class CallLogDAO {
/** /**
* Gets all calls in database for the given range * Gets all calls in database for the given range
*
* @param startIndex * @param startIndex
* @param numResults * @param numResults
* @return Collection<CallLog> * @return Collection<CallLog>
*/ */
public static Collection<CallLog> getCalls(int startIndex, int numResults) { public static Collection<CallLog> getCalls(int startIndex, int numResults) {
return getCalls("", startIndex, numResults); return getCalls(emptyFilter, startIndex, numResults);
} }
/** /**
* Return the number of callLog stored * Return the number of callLog stored
*
* @return int number * @return int number
*/ */
public static int getLogCount() { public static int getLogCount() {
return getLogCount(""); return getLogCount(emptyFilter);
} }
/** /**
*
* Return the number of store callLogs for the given SQLCondition * Return the number of store callLogs for the given SQLCondition
* *
* @param SQLCondition * @param filter call filter
* @return int number * @return int number
*/ */
public static int getLogCount(String SQLCondition) { public static int getLogCount(CallFilter filter) {
int count = 0; int count = 0;
String sql = "SELECT count(*) FROM ofSipPhoneLog"; String sql = "SELECT count(*) FROM ofSipPhoneLog";
sql = SQLCondition != null && !SQLCondition.equals("") ? sql + " WHERE " + SQLCondition sql = filter != null && !filter.getSQL().equals("") ? sql + " WHERE " + filter.getSQL()
: sql; : sql;
Connection con = null; Connection con = null;
...@@ -201,6 +206,12 @@ public class CallLogDAO { ...@@ -201,6 +206,12 @@ public class CallLogDAO {
try { try {
con = DbConnectionManager.getConnection(); con = DbConnectionManager.getConnection();
pstmt = con.prepareStatement(sql); pstmt = con.prepareStatement(sql);
int i = 1;
for (String value : filter.getValues()) {
pstmt.setString(i++, value);
}
ResultSet rs = pstmt.executeQuery(); ResultSet rs = pstmt.executeQuery();
if (rs.next()) { if (rs.next()) {
count = rs.getInt(1); count = rs.getInt(1);
...@@ -238,28 +249,41 @@ public class CallLogDAO { ...@@ -238,28 +249,41 @@ public class CallLogDAO {
* @param uptoDate * @param uptoDate
* @return String * @return String
*/ */
public static String createSQLFilter(String username, String numa, String numb, public static CallFilter createSQLFilter(String username, String numa, String numb,
String callType, Date fromDate, Date uptoDate) { String callType, Date fromDate, Date uptoDate) {
ArrayList<String> conditions = new ArrayList<String>(10); ArrayList<String> conditions = new ArrayList<String>(10);
ArrayList<String> values = new ArrayList<String>(10);
if (username != null && !username.trim().equals("")) if (username != null && !username.trim().equals("")) {
conditions.add(" username = '" + username.trim() + "' "); conditions.add(" username = ? ");
values.add(username.trim());
}
if (numa != null && !numa.trim().equals("")) if (numa != null && !numa.trim().equals("")) {
conditions.add(" addressFrom = '" + numa.trim() + "' "); conditions.add(" addressFrom = ? ");
values.add(numa.trim());
}
if (numb != null && !numb.trim().equals("")) if (numb != null && !numb.trim().equals("")) {
conditions.add(" addressTo = '" + numb.trim() + "' "); conditions.add(" addressTo = ? ");
values.add(numb.trim());
}
if (fromDate != null) if (fromDate != null) {
conditions.add(" datetime >= '" + fromDate.getTime() + "' "); conditions.add(" datetime >= ? ");
values.add(String.valueOf(fromDate.getTime()));
}
if (uptoDate != null) if (uptoDate != null) {
conditions.add(" datetime <= '" + uptoDate.getTime() + "' "); conditions.add(" datetime <= ? ");
values.add(String.valueOf(uptoDate.getTime()));
}
if (callType != null && !callType.trim().equals("") && !callType.trim().equals("all")) if (callType != null && !callType.trim().equals("") && !callType.trim().equals("all")) {
conditions.add(" calltype = '" + callType.trim() + "' "); conditions.add(" calltype = ? ");
values.add(callType.trim());
}
StringBuilder str = new StringBuilder(); StringBuilder str = new StringBuilder();
for (String aux : conditions) { for (String aux : conditions) {
...@@ -268,7 +292,7 @@ public class CallLogDAO { ...@@ -268,7 +292,7 @@ public class CallLogDAO {
str.append(aux); str.append(aux);
} }
return str.toString(); return new CallFilter(str.toString(), values);
} }
} }
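Review bot: `getCalls(CallFilter, int, int)` still tolerates a null filter in the ternary at L53 (`filter != null && ...`), but the binding loop added at L61 calls `filter.getValues()` unconditionally, so a null filter now throws NullPointerException where the old String overload ran the unfiltered query; `getLogCount(CallFilter)` has the same mismatch at L112 versus L120, and both method bodies start in an earlier hunk and continue past the one that adds the loop. The simplest repair is to normalise at the top of both methods, `if (filter == null) { filter = emptyFilter; }`, and then drop the null test from the ternary. The Javadoc on `createSQLFilter` still says `@return String` (L128) although the method now returns a CallFilter; it should read `@return CallFilter the WHERE fragment with ? placeholders and its bound values, in placeholder order`. The date bounds are bound with `setString` at L148/L152, which matches the quoted literals the old code produced; whether the `datetime` column is actually a character type cannot be confirmed from this diff, and if it is numeric the binding should use `setLong` instead.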
......