1caf771e5da55c303e76140b7fad6dfaff05bf1c,sql-injection/src/main/java/de/dominikschadow/javasecurity/servlets/StatementEscapingServlet.java,StatementEscapingServlet,doPost,#HttpServletRequest#HttpServletResponse#,52
Before Change
try (Statement stmt = ConnectionListener.con.createStatement(); ResultSet rs = stmt.executeQuery(query)) {
while (rs.next()) {
Customer customer = new Customer();
customer.setCustId(rs.getInt(1));
customer.setName(rs.getString(2));
customer.setStatus(rs.getString(3));
customer.setOrderLimit(rs.getInt(4));
customers.add(customer);
}
} catch (SQLException ex) {
LOGGER.error(ex.getMessage(), ex);
}
response.setContentType("text/html");
try (PrintWriter out = response.getWriter()) {
out.println("<html><head>");
out.println("<title>SQL Injection - Statement with Escaping</title>");
out.println("<link rel=\"stylesheet\" type=\"text/css\" href=\"resources/css/styles.css\" />");
out.println("</head>");
out.println("<body>");
out.println("<h1>SQL Injection - Statement with Escaping</h1>");
out.println("<p><strong>Input</strong> " + name + "</p>");
out.println("<h2>Customer Data</h2>");
out.println("<table>");
out.println("<tr>");
out.println("<th>ID</th>");
out.println("<th>Name</th>");
out.println("<th>Status</th>");
out.println("<th>Order Limit</th>");
out.println("</tr>");
for (Customer customer : customers) {
out.println("<tr>");
out.println("<td>" + customer.getCustId() + "</td>");
out.println("<td>" + customer.getName() + "</td>");
out.println("<td>" + customer.getStatus() + "</td>");
out.println("<td>" + customer.getOrderLimit() + "</td>");
out.println("</tr>");
}
After Change
out.println("<th>Order Limit</th>");
out.println("</tr>");
while (rs.next()) {
out.println("<tr>");
out.println("<td>" + rs.getInt(1) + "</td>");
out.println("<td>" + rs.getString(2) + "</td>");
out.println("<td>" + rs.getString(3) + "</td>");
out.println("<td>" + rs.getInt(4) + "</td>");
out.println("</tr>");
}
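Review bot: The new loop writes `rs.getString(2)` and `rs.getString(3)` straight into the HTML table cells without output encoding, so any `&`, `<`, `>` or quote characters stored in the name/status columns land in the page as markup; the commit title says the escaping is on the SQL side, but the response side still needs its own encoding (the same applies to the `name` echo in the `<p><strong>Input</strong>` line of the old version if it survives the change). I would route the two string cells through an HTML-encoding helper (placeholder name `htmlEncode(...)`) that replaces at least `&`, `<`, `>` and `"` before concatenation, leaving the two `rs.getInt(...)` cells as they are. Since the `ResultSet` is now consumed inside the writer block, a `SQLException` from `rs.next()` would presumably surface after the table header has already been sent, so whichever catch handles it should expect a partially written response. The enclosing `doPost` starts and ends outside the shown lines, so the try-with-resources and catch that accompany the loop are not visible here.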