WebGoat.rar

package org.owasp.webgoat.session; import java.sql.Connection; import java.sql.SQLException; import java.sql.Statement; import org.owasp.webgoat.lessons.AbstractLesson; /*************************************************************************************************** * * * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ * * Copyright (c) 2002 - 20014 Bruce Mayhew * * This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. * * Getting Source ============== * * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. * * For details, please see http://webgoat.github.io * * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> */ public class CreateDB { /** * Description of the Method * * @param connection * Description of the Parameter * * @exception SQLException * Description of the Exception */ private void createMessageTable(Connection connection) throws SQLException { Statement statement = connection.createStatement(); // Drop admin user table try { String dropTable = "DROP TABLE messages"; statement.executeUpdate(dropTable); } catch (SQLException e) { System.out.println("Info - Could not drop message database"); } // Create the new table try { String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50)," + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + ")"; statement.executeUpdate(createTableStatement); } catch (SQLException e) { System.out.println("Error creating message database " + e.getLocalizedMessage()); } } /** * Description of the Method * * @param connection Description of the Parameter * * @exception SQLException Description of the Exception */ private void createMFEImagesTable(Connection connection) throws SQLException { Statement statement = connection.createStatement(); // Drop mfe_images table try { String dropTable = "DROP TABLE mfe_images"; statement.executeUpdate(dropTable); } catch (SQLException e) { System.out.println("Info - Could not drop mfe_images table from database"); } // Create the new mfe_images table try { String createTableStatement = "CREATE TABLE mfe_images (" + "user_name varchar(50) not null, " + "image_relative_url varchar(50) not null" + ")"; statement.executeUpdate(createTableStatement); } catch (SQLException e) { System.out.println("Error creating mfe_images table in database " + e.getLocalizedMessage()); } } /** * Description of the Method * * @param connection * Description of the Parameter * * @exception SQLException * Description of the Exception */ private void createProductTable(Connection connection) throws SQLException { Statement statement = connection.createStatement(); // Drop admin user table try { String dropTable = "DROP TABLE product_system_data"; statement.executeUpdate(dropTable); } catch (SQLException e) { System.out.println("Info - Could not drop product table"); } // Create the new table try { String createTableStatement = "CREATE TABLE product_system_data (" + "productid varchar(6) not null primary key," + "product_name varchar(20)," + "price varchar(10)" + ")"; statement.executeUpdate(createTableStatement); } catch (SQLException e) { System.out.println("Error creating product table " + e.getLocalizedMessage()); } // Populate String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')"; String insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')"; String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')"; String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')"; String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')"; statement.executeUpdate(insertData1); statement.executeUpdate(insertData2); statement.executeUpdate(insertData3); statement.executeUpdate(insertData4); statement.executeUpdate(insertData5); } /** * Description of the Method * * @param connection * Description of the Parameter * * @exception SQLException * Description of the Exception */ private void createUserAdminTable(Connection connection) throws SQLException { Statement statement = connection.createStatement(); // Drop admin user table try { String dropTable = "DROP TABLE user_system_data"; statement.executeUpdate(dropTable); } catch (SQLException e) { System.out.println("Info - Could not drop user admin table"); } // Create the new table try { String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key," + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")"; statement.executeUpdate(createTableStatement); } catch (SQLException e) { System.out.println("Error creating user admin table " + e.getLocalizedMessage()); } // Populate String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')"; String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')"; String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')"; String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')"; String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')"; statement.executeUpdate(insertData1); statement.executeUpdate(insertData2); statement.executeUpdate(insertData3); statement.executeUpdate(insertData4); statement.executeUpdate(insertData5); } /** * Description of the Method * * @param connection * Description of the Parameter * * @exception SQLException * Description of the Exception */ private void createUserDataTable(Connection connection) throws SQLException { Statement statement = connection.createStatement(); // Delete table if there is one try { String dropTable = "DROP TABLE user_data"; statement.executeUpdate(dropTable); } catch (SQLException e) { System.out.println("Info - Could not drop user table"); } // Create the new table try { String createTableStatement = "CREATE TABLE user_data (" + "userid int not null," + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int" + ")"; statement.executeUpdate(createTableStatement); } catch (SQLException e) { System.out.println("Error creating user table " + e