import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.GregorianCalendar;
import java.util.Map;
import java.util.Map.Entry;
abstract class A extends UnknownClassFromSamePackage {
abstract PreparedStatement getPreparedStatement();
abstract PreparedStatement getPreparedStatement(String s);
abstract int getIntValue();
abstract String getQuery();
void foo(Connection connection) throws SQLException {
PreparedStatement ps = connection.prepareStatement("SELECT fname, lname FROM employees where hireDate > ? and salary < ?");
ps.setDate(0, new Date(0)); // Noncompliant [[sc=16;ec=17]] {{PreparedStatement indices start at 1.}}
ps.setDouble(3, 0.0); // Noncompliant [[sc=18;ec=19]] {{This "PreparedStatement" only has 2 parameters.}}
ps.setString(getIntValue(), ""); // Compliant - first argument can not be evaluated
ps.setInt(1, 0); // Compliant
ResultSet rs = ps.executeQuery();
rs.getString(0); // Noncompliant {{ResultSet indices start at 1.}}
rs.getDate(0, new GregorianCalendar()); // Noncompliant {{ResultSet indices start at 1.}}
rs.getString(1); // Compliant
}
void bar(Connection connection) throws SQLException {
PreparedStatement ps = connection.prepareStatement("SELECT fname, lname FROM employees where hireDate > 1986");
ps.setDate(0, new Date(0)); // Noncompliant {{PreparedStatement indices start at 1.}}
ps.setDouble(3, 0.0); // Noncompliant [[sc=18;ec=19]] {{This "PreparedStatement" has no parameters.}}
}
void dam(Connection connection, String query) throws SQLException {
PreparedStatement ps = connection.prepareStatement(query);
ps.setDate(0, new Date(0)); // Noncompliant {{PreparedStatement indices start at 1.}}
ps.setDouble(3, 0.0); // Compliant - Query of the preparedStatement is unknown
}
void cro(PreparedStatement ps) throws SQLException {
ps.setDate(0, new Date(0)); // Noncompliant {{PreparedStatement indices start at 1.}}
ps.setDouble(3, 0.0); // Compliant - Query of the preparedStatement is unknown
}
void elk() throws SQLException {
getPreparedStatement().setDate(0, new Date(0)); // Noncompliant {{PreparedStatement indices start at 1.}}
getPreparedStatement().setDouble(3, 0.0); // Compliant - Query of the preparedStatement is unknown
}
void gra() throws SQLException {
PreparedStatement ps = getPreparedStatement();
ps.setDate(0, new Date(0)); // Noncompliant {{PreparedStatement indices start at 1.}}
ps.setDouble(3, 0.0); // Compliant - Query of the preparedStatement is unknown
PreparedStatement ps2 = ps;
ps2.setDate(0, new Date(0)); // Noncompliant {{PreparedStatement indices start at 1.}}
ps2.setDouble(3, 0.0); // Compliant - Query of the preparedStatement is unknown
}
void hio(boolean test) throws SQLException {
PreparedStatement ps = getPreparedStatement("SELECT fname, lname FROM employees where hireDate > 1986");
if (test) {
ps = getPreparedStatement("SELECT fname, lname FROM employees where hireDate > ? and salary < ?");
ps.setDouble(1, 0.0); // Compliant - last assignment is used
ps.setDouble(2, 0.0); // Compliant
}
ps = getPreparedStatement("SELECT fname, lname FROM employees where hireDate > 1986");
PreparedStatement ps2 = getPreparedStatement("SELECT fname, lname FROM employees where hireDate > ? and salary < ?");
ps2.setDouble(1, 0.0); // Compliant
int a;
a = 2;
int[] b = new int[1];
b[0] = 3;
}
void unknownQuery() throws SQLException {
PreparedStatement ps = getPreparedStatement(UNKNOWN_QUERY_FROM_UNKNOWN_PARENT); // Compliant
ps.setDouble(2, 0.0);
}
void false_negative(boolean test) throws SQLException {
PreparedStatement ps;
if (test) {
ps = getPreparedStatement("SELECT fname, lname FROM employees where hireDate > ?");
} else {
ps = getPreparedStatement("SELECT fname, lname FROM employees where hireDate > ? and salary < ?");
}
ps.setDouble(1, 0.0); // Compliant - last assignment is used
ps.setDouble(2, 0.0); // Compliant FALSE NEGATIVE - in then would have been applied, there would be no 2nd parameter (CFG?)
}
public void reproducer(Connection connection) throws SQLException {
String selectClause = ";";
selectClause = "SELECT anything FROM somewhere "
+ selectClause;
PreparedStatement statement = connection.prepareStatement(selectClause);
statement.setString(1, "anything"); // Noncompliant {{This "PreparedStatement" has no parameters.}}
}
public void updateCoffeeSales(HashMap<String, Integer> salesForWeek, Connection con, String param) throws SQLException {
String dbName = "doug";
PreparedStatement updateSales = null;
PreparedStatement updateTotal = null;
PreparedStatement other = null;
String updateString = "update " + dbName + ".COFFEES set SALES = ?";
String updateStatement =
"update " + dbName + ".COFFEES " +
"set TOTAL = TOTAL + ? " +
"where COF_NAME = ?";
try {
PreparedStatement ps = con.prepareStatement(updateStatement);
ps.setInt(1, 1); // Compliant
ps.setString(3, "three"); // Noncompliant
ps.setString(72, "boom"); // Noncompliant
ps = con.prepareStatement(updateStatement);
ps.setInt(1, 2); // Compliant
ps.setString(2, "three"); // Compliant
updateSales = con.prepareStatement(updateString);
updateTotal = con.prepareStatement(updateStatement);
other = con.prepareStatement("update " + dbName + ".COFFEES set SALES = ?");
for (Map.Entry<String, Integer> e : salesForWeek.entrySet()) {
updateSales.setInt(1, e.getValue().intValue()); // Compliant
updateSales.setString(2, e.getKey()); // Noncompliant
updateTotal.setInt(1, e.getValue().intValue()); // Compliant
updateTotal.setString(2, e.getKey()); // Compliant
other.setInt(2, getIntValue()); // Noncompliant
}
updateString = "update " + param + ".COFFEES set SALES = ?";
PreparedStatement testParam = con.prepareStatement(updateString);
testParam.setInt(3, 0); // Noncompliant
testParam = con.prepareStatement(param + " update");
testParam.setInt(3, 0); // Noncompliant
testParam = con.prepareStatement(param + param);
testParam.setInt(3, 0); // Compliant
String[] array = new String[]{""};
PreparedStatement qix = con.prepareStatement(array[0]);
qix.setString(3, ""); // Compliant
} catch(SQLException e) {
}
}
public class Example {
private final String REQUETE_SELECT_RESA_RESEAU = "SELECT COLUMN1 FROM TABLE";
private final String CLAUSE_ETAT = " WHERE COLUMN2 = ?";
public Example() {
}
public synchronized void method1() {
String req= REQUETE_SELECT_RESA_RESEAU;
req = req + CLAUSE_ETAT; //StackOverflowError
PreparedStatement pstmt= m_con.prepareStatement(req);
pstmt.setInt(1,10);
ResultSet rs=pstmt.executeQuery();
}
}
}