From 7a563bf0e7dbad9babf8547b1f53d65e09e07c3d Mon Sep 17 00:00:00 2001
From: louispCx <99268939+louispcx@users.noreply.github.com>
Date: Thu, 21 Dec 2023 10:21:07 +0900
Subject: [PATCH] resolved sqli

---
 .idea/misc.xml | 1 +
 Login.java | 15 +++++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/.idea/misc.xml b/.idea/misc.xml
index b73630f..d5cd614 100644
--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -8,4 +8,5 @@
+
\ No newline at end of file
diff --git a/Login.java b/Login.java
index c4c57c5..f5c9fe8 100644
--- a/Login.java
+++ b/Login.java
@@ -23,17 +23,20 @@ public static void main(String[] args)
 String token = request.getParameter("password");
- String sql = "select * from users where (email ='" + email +"' and password ='" + token + "')";
-
+ //String sql = "select * from users where (email ='" + email +"' and password ='" + token + "')";
+ String sql = "select * from users where (email =? and password =?)";
+
 Connection connection = pool.getConnection();
- Statement statement = connection.createStatement();
-
+ //Statement statement = connection.createStatement();
+ PreparedStatement statement = connection.preparedStatement(sql);
+ statement.setString(1, email);
+ statement.setString(2, token);
 HttpSession session = request.getSession();
 String role = (String)session.getAttribute("role");
 if (role.equals(ADMIN)) {
- ResultSet result = statement.executeQuery(sql);
-
+ //ResultSet result = statement.executeQuery(sql);
+ ResultSet result = statement.executeQuery();
 statement.close();
 connection.close();
 }
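Review bot: `connection.preparedStatement(sql)` on the new `PreparedStatement statement = ...` line is not a JDBC method — `java.sql.Connection` declares `prepareStatement`, so this will not compile if `pool.getConnection()` returns a standard `Connection` (a custom pool type could declare it, but that cannot be confirmed from the hunk). The `PreparedStatement` and `Connection` are still closed only inside the `if (role.equals(ADMIN))` branch, so for every non-admin session both leak, and the new `ResultSet result` is never closed on any path; try-with-resources closes all three on every path, and opening the connection only after the role check avoids acquiring a pooled connection the request never uses. The three commented-out `//String sql` / `//Statement` / `//ResultSet` lines should be deleted rather than kept, since history already records the string-built query. `ADMIN.equals(role)` instead of `role.equals(ADMIN)` also avoids a `NullPointerException` when the session carries no `"role"` attribute. `main` starts and ends outside the hunk and the import for `PreparedStatement` is not visible here, so confirm it is present.
```java
String sql = "select * from users where (email =? and password =?)";
HttpSession session = request.getSession();
String role = (String) session.getAttribute("role");
if (ADMIN.equals(role)) {
    // Resources are opened only on the path that uses them and closed on every exit.
    try (Connection connection = pool.getConnection();
         PreparedStatement statement = connection.prepareStatement(sql)) {
        statement.setString(1, email);
        statement.setString(2, token);
        try (ResultSet result = statement.executeQuery()) {
            // … unchanged: result handling, if any, continues outside the hunk …
        }
    }
}
```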