ID: 3587041 • Letter: R
Question
Read the code snippet in the file “Java” and look for improvement in view of “principles and concepts of secure software”. Using Notepad / any other code editor rewrite code for security improvement. Submit modified code/logic and explanation in a word file.
Below is the JAVA Code
package com.dcx.ps.dcppcp.bm.dao;

import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import com.dcx.restricted.ps.dcppcp.DBConnectionManager;
import com.dcx.ps.dcppcp.exception.ApplicationException;

/**
 * @author: Jason Grembi
 * Read this class and identify all security Vulnerabilities that are wrong
 **/
public class SecurityCheck1 {
    private static final String CLASS = "SecurityCheck1";
    /** A Dcppcp constant that controls message output */
    private final static boolean DEBUG = true;
    /** A variable for maintaining a single reference for an error msg */
    private static String errorMsg;
    /** A variable for maintaining a single reference for keys */
    private static String keys;

    /**
     * This method writes debug statements when the constant is true.
     */
    public static void debug(String s) {
        if (DEBUG) {
            System.out.println(s);
        }
    }

    /**
     * This method writes debug statements and prints a stacktrace.
     */
    private static void debug(String message, Exception e) {
        if (DEBUG) {
            System.out.println(message);
            e.printStackTrace();
        }
    }

    private static void updateSecureData(double salary, String userId)
            throws ApplicationException {
        final String METHOD = "updateSecureData()";
        debug(CLASS + "." + METHOD + "==>Begin");
        DBConnectionManager dbConnMgr = null;
        Connection conn = null;
        try {
            // Get Connection from DBConnectionManager.
            dbConnMgr = DBConnectionManager.getInstance();
            conn = dbConnMgr.getConnection();
            // Get a statement from the connection
            Statement stmt = conn.createStatement();
            // Execute the Update (the caller-supplied values are concatenated into the SQL text)
            int rows = stmt.executeUpdate("UPDATE Emp SET Q_SALEMP_NO = '" + salary
                    + "' WHERE EMP_ID = '" + userId + "'");
            // Print how many rows were modified
            System.out.println(rows + " Rows modified");
            // Close the statement and the connection
            stmt.close();
            conn.close();
        } catch (SQLException se) {
        } catch (Exception e) {
        }
    }
}
Explanation / Answer
ANSWER:
1) Remove the static and private access modifiers from the method updateSecureData() and add the public access modifier to it, because private methods can't be accessed from other classes.
2) Declare all the connection objects above the method with the private access modifier and initialize them as null.
3) Always close the connections in a finally block. Otherwise, if an exception occurs, the connections can't be closed.
4) The user has to know whether the given data was updated or not. For that, add a return type to the updateSecureData() method.
5) If you get any exceptions while updating data, throw the exceptions so that the main class can catch them.
6) As a best practice, use PreparedStatement instead of Statement for insert and update queries.
package com.dcx.ps.dcppcp.bm.dao;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import com.dcx.restricted.ps.dcppcp.DBConnectionManager;
import com.dcx.ps.dcppcp.exception.ApplicationException;

/**
 * @author: Jason Grembi
 * Read this class and identify all security Vulnerabilities that are wrong
 **/
public class SecurityCheck1 {
    private DBConnectionManager dbConnMgr = null;
    private Connection conn = null;
    private PreparedStatement pst = null;
    private static final String CLASS = "SecurityCheck1";
    /** A Dcppcp constant that controls message output */
    private final static boolean DEBUG = true;
    /** A variable for maintaining a single reference for an error msg */
    private static String errorMsg;
    /** A variable for maintaining a single reference for keys */
    private static String keys;

    /** This method writes debug statements when the constant is true. */
    public static void debug(String s) {
        if (DEBUG) {
            System.out.println(s);
        }
    }

    /** This method writes debug statements and prints a stacktrace. */
    private static void debug(String message, Exception e) {
        if (DEBUG) {
            System.out.println(message);
            e.printStackTrace();
        }
    }

    public int updateSecureData(double salary, String userId) throws ApplicationException {
        final String METHOD = "updateSecureData()";
        debug(CLASS + "." + METHOD + "==>Begin");
        // The SQL text is fixed; the '?' markers are bound by the driver, so the
        // caller-supplied values are never parsed as part of the statement.
        final String sqlUpdate = "UPDATE Emp SET Q_SALEMP_NO = ? WHERE EMP_ID = ?";
        int rows = 0; // initialised so the method returns a count even when no connection is available
        try {
            // Get Connection from DBConnectionManager.
            dbConnMgr = DBConnectionManager.getInstance();
            conn = dbConnMgr.getConnection();
            if (conn != null) {
                // Get a PreparedStatement from the connection
                pst = conn.prepareStatement(sqlUpdate);
                // Bind the values to update
                pst.setDouble(1, salary);
                pst.setString(2, userId);
                // Execute the Update
                rows = pst.executeUpdate();
                // Print how many rows were modified
                System.out.println(rows + " Rows modified");
            }
            return rows;
        } catch (SQLException se) {
            throw new ApplicationException(se.getMessage());
        } catch (Exception e) {
            throw new ApplicationException(e.getMessage());
        } finally {
            // Close the statement and the connection. close() can itself throw
            // SQLException, which is caught here so a failed close does not
            // replace the exception that is already propagating.
            try {
                if (pst != null) {
                    pst.close();
                }
            } catch (SQLException closeEx) {
                debug(CLASS + "." + METHOD + "==>statement close failed", closeEx);
            }
            try {
                if (conn != null) {
                    conn.close();
                }
            } catch (SQLException closeEx) {
                debug(CLASS + "." + METHOD + "==>connection close failed", closeEx);
            }
        }
    }
}
Let me know any concerns. Thank you.
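The following is an added example, not part of the question or of the posted answer, showing why point 6 matters: the same malicious EMP_ID is run through a query built by string concatenation (as in the original Statement code) and through a parameterised query (as in the answer's PreparedStatement code). It is written in Python against an in-memory SQLite table standing in for the Emp table, because the behaviour is a property of the SQL engine, not of the JDBC API; the table contents, the employee IDs and the malicious ID are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the Emp table in the posted code.
SAMPLE_ROWS = [("E001", 50000.0), ("E002", 52000.0), ("E003", 61000.0)]

# Constructed EMP_ID value: it closes the quoted literal and appends an
# always-true condition, so the WHERE clause no longer selects one employee.
MALICIOUS_ID = "E001' OR '1'='1"


def make_db():
    """Create a fresh in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Emp (EMP_ID TEXT PRIMARY KEY, Q_SALEMP_NO REAL)")
    conn.executemany("INSERT INTO Emp VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_salary_concat(conn, salary, user_id):
    """Same construction as the original Statement code: the values are pasted
    into the SQL text, so a quote inside user_id changes the query's structure."""
    sql = ("UPDATE Emp SET Q_SALEMP_NO = '" + str(salary)
           + "' WHERE EMP_ID = '" + user_id + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_salary_param(conn, salary, user_id):
    """Same construction as the answer's PreparedStatement code: the SQL text is
    fixed and the driver binds the values, so user_id is only compared as data."""
    cur = conn.execute("UPDATE Emp SET Q_SALEMP_NO = ? WHERE EMP_ID = ?",
                       (salary, user_id))
    conn.commit()
    return cur.rowcount


def salaries(conn):
    """Snapshot of the table as {EMP_ID: Q_SALEMP_NO}."""
    return dict(conn.execute("SELECT EMP_ID, Q_SALEMP_NO FROM Emp ORDER BY EMP_ID"))


def demo():
    """Run the same malicious user_id through both versions and report the effect.
    The try/finally around each connection is the answer's point 3: the
    connection is closed whether or not the update raised."""
    conn = make_db()
    try:
        concat_rows = update_salary_concat(conn, 99999.0, MALICIOUS_ID)
        concat_table = salaries(conn)
    finally:
        conn.close()

    conn = make_db()
    try:
        param_rows = update_salary_param(conn, 99999.0, MALICIOUS_ID)
        param_table = salaries(conn)
        legit_rows = update_salary_param(conn, 75000.0, "E002")
    finally:
        conn.close()

    return {
        "concat_rows": concat_rows,    # 3: every employee's salary was overwritten
        "concat_table": concat_table,
        "param_rows": param_rows,      # 0: no EMP_ID equals the literal string
        "param_table": param_table,    # unchanged
        "legit_rows": legit_rows,      # 1: an ordinary update still works
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The row counts are the whole story: with concatenation the attacker's EMP_ID rewrites every salary in the table, while the bound parameter is compared as a plain string, matches nothing, and leaves the data untouched. In Java 7 and later the same close-on-every-path guarantee that the try/finally gives here can be had with try-with-resources on the Connection and PreparedStatement.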