4f9c4ff307396871893e3bc7d9f4afc5438bb95d,SecurityShepherdCore/src/servlets/module/challenge/BrokenCrypto4.java,BrokenCrypto4,doPost,#HttpServletRequest#HttpServletResponse#,54
Before Change
out.print(getServletInfo());
String htmlOutput = new String();
String applicationRoot = getServletContext().getRealPath("");
Encoder encoder = ESAPI.encoder();
try
{
//Get and validate cart amounts
int megustaAmount = validateAmount(Integer.parseInt(request.getParameter("megustaAmount")));
log.debug("megustaAmount - " + megustaAmount);
int trollAmount = validateAmount(Integer.parseInt(request.getParameter("trollAmount")));
log.debug("trollAmount - " + trollAmount);
int rageAmount = validateAmount(Integer.parseInt(request.getParameter("rageAmount")));
log.debug("rageAmount - " + rageAmount);
int notBadAmount = validateAmount(Integer.parseInt(request.getParameter("notBadAmount")));
log.debug("notBadAmount - " + notBadAmount);
String couponCode = request.getParameter("couponCode");
log.debug("couponCode - " + couponCode);
//Working out costs
int megustaCost = megustaAmount * 30;
int trollCost = trollAmount * 3000;
int rageCost = rageAmount * 45;
int notBadCost = notBadAmount * 15;
int perCentOffMegusta = 0; // Will search for coupons in DB and update this int
int perCentOffTroll = 0; // Will search for coupons in DB and update this int
int perCentOffRage = 0; // Will search for coupons in DB and update this int
int perCentOffNotBad = 0; // Will search for coupons in DB and update this int
htmlOutput = new String();
Connection conn = Database.getChallengeConnection(applicationRoot, "CryptoChallengeShop");
log.debug("Looking for Coupons");
PreparedStatement prepstmt = conn.prepareStatement("SELECT itemId, perCentOff FROM coupons WHERE couponCode = ?");
prepstmt.setString(1, couponCode);
ResultSet coupons = prepstmt.executeQuery();
try
{
if(coupons.next())
{
if(coupons.getInt(1) == 1) // MeGusta
{
log.debug("Found coupon for %" + coupons.getInt(2) + " off MeGusta");
perCentOffMegusta = coupons.getInt(2);
}
else if (coupons.getInt(1) == 2) // Troll
{
log.debug("Found coupon for %" + coupons.getInt(2) + " off Troll");
perCentOffTroll = coupons.getInt(2);
}
else if (coupons.getInt(1) == 3) // Rage
{
log.debug("Found coupon for %" + coupons.getInt(2) + " off Rage");
perCentOffRage = coupons.getInt(2);
}
else if (coupons.getInt(1) == 4) // NotBad
{
log.debug("Found coupon for %" + coupons.getInt(2) + " off NotBad");
perCentOffNotBad = coupons.getInt(2);
}
}
else
{
log.debug("Invalid Coupon Code");
}
}
catch(Exception e)
{
log.debug("Could Not Find Coupon: " + e.toString());
}
conn.close();
//Work Out Final Cost
megustaCost = megustaCost - (megustaCost * (perCentOffMegusta/100));
rageCost = rageCost - (rageCost * (perCentOffRage/100));
notBadCost = notBadCost - (notBadCost * (perCentOffNotBad/100));
trollCost = trollCost - (trollCost * (perCentOffTroll/100));
int finalCost = megustaCost + rageCost + notBadAmount + trollCost;
//Output Order
htmlOutput = "<h3>Order Complete</h3>"
+ "Your order has been made and has been sent to our magic shipping department that knows where you want this to be delivered via brain wave sniffing techniques.<br/><br/>"
+ "Your order comes to a total of <a><strong>$" + finalCost + "</strong></a>";
if (trollAmount > 0 && trollCost == 0)
{
htmlOutput += "<br><br>Trolls were free, Well Done - <a><b>" + encoder.encodeForHTML(Hash.generateUserSolution(Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), (String)ses.getAttribute("userName"))) + "</b></a>";
}
}
catch(Exception e)
After Change
+ "<p>" + bundle.getString("insecureCyrptoStorage.4.totalCost") + " <a><strong>$" + finalCost + "</strong></a></p>";
if (trollAmount > 0 && trollCost == 0)
{
htmlOutput += "<p>" + bundle.getString("insecureCyrptoStorage.4.freeTrolls") + " - " + Hash.generateUserSolution(Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), (String)ses.getAttribute("userName")) + "</p>";
}
}
catch(Exception e)
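Review bot: The rewritten free-trolls line no longer passes the solution string through `encoder.encodeForHTML(...)` before appending it to htmlOutput, whereas the previous version did; `Hash.generateUserSolution(...)` is now concatenated into the response raw, and this section is the only place that changed. If that helper is guaranteed to return a plain hex or base64 token the drop is harmless, but the output encoding was cheap defence in depth and costs nothing to keep, so I would restore it: `htmlOutput += "<p>" + bundle.getString("insecureCyrptoStorage.4.freeTrolls") + " - " + encoder.encodeForHTML(Hash.generateUserSolution(Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), (String)ses.getAttribute("userName"))) + "</p>";` (assuming the `Encoder encoder = ESAPI.encoder();` declaration from the earlier part of doPost is still present). The doPost body starts and ends outside this section, so the finalCost computation is not visible on the new side; in the Before listing it reads `int finalCost = megustaCost + rageCost + notBadAmount + trollCost;`, adding the NotBad quantity rather than notBadCost, and it is worth confirming whether the new version corrects that or whether it is intentional for the challenge.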