JdoSql.java

package testcode.sqli;

import javax.jdo.Extent;
import javax.jdo.JDOHelper;
import javax.jdo.PersistenceManager;
import javax.jdo.PersistenceManagerFactory;
import java.util.ArrayList;

public class JdoSql {

    private static final PersistenceManagerFactory pmfInstance =
            JDOHelper.getPersistenceManagerFactory("transactions-optional");


    public static PersistenceManager getPM() {
        return pmfInstance.getPersistenceManager();
    }

    public void testJdoQueries(String input) {
        PersistenceManager pm = getPM();

        pm.newQuery("select * from Users where name = " + input);

        pm.newQuery("sql", "select * from Products where name = " + input);

        //Test for false positive

        pm.newQuery("select * from Config");

        final String query = "select * from Config";
        pm.newQuery(query);

        pm.newQuery("sql", query);
    }

    public void testJdoQueriesAdditionalMethodSig(String input) {
        PersistenceManager pm = getPM();

        pm.newQuery(UserEntity.class,new ArrayList(),"id == "+ input); //Injection?

        pm.newQuery(UserEntity.class,new ArrayList(),"id == 1");

        pm.newQuery(UserEntity.class,"id == "+ input); //Injection?

        pm.newQuery(UserEntity.class,"id == 1");

        pm.newQuery((Extent) null,"id == "+input); //Injection?

        pm.newQuery((Extent) null,"id == 1");

    }

}