Code with Finding: |
class DatabaseAdmin { public static int changePassword(Connection conn, String username, String pwdStore) { int status = -1; String fetchAnswer = "SELECT secanswer FROM main.users WHERE username = ?"; String query = "UPDATE main.users SET pwhash = ?, checksum = ? WHERE username = ?"; PreparedStatement answerStmt = null; ResultSet rs = null; PreparedStatement pstmt = null; try { answerStmt = conn.prepareStatement(fetchAnswer); answerStmt.setString(1, username); rs = answerStmt.executeQuery(); if (rs.next()) { String secA = SharedKeyCrypto.decrypt(rs.getString("secanswer")); //recalculate the new hash to update this user's entry //create checksum to add as 5th element byte[] userBytes = username.getBytes("UTF8"); byte[] pwBytes = pwdStore.getBytes("UTF8"); byte[] ansBytes = secA.getBytes("UTF8"); byte[] toChecksum = new byte[userBytes.length + pwBytes.length + ansBytes.length]; System.arraycopy(userBytes, 0, toChecksum, 0, userBytes.length); System.arraycopy(pwBytes, 0, toChecksum, userBytes.length, pwBytes.length); System.arraycopy(ansBytes, 0, toChecksum, pwBytes.length + userBytes.length, ansBytes.length); pstmt = conn.prepareStatement(query); pstmt.setString(1, SharedKeyCrypto.encrypt(pwdStore)); pstmt.setString(2, CryptoUtil.encode(Hash.generateChecksum(toChecksum))); pstmt.setString(3, username); status = pstmt.executeUpdate(); } else { //this cannot happen, checked before function is entered } } catch (SQLException e) { status = -1; } catch (UnsupportedEncodingException e) { //cannot happen } finally { DBManager.closeResultSet(rs); DBManager.closeStatement(answerStmt); DBManager.closePreparedStatement(pstmt); } return status; }
}
class DatabaseAdmin { /** * Retrieves a list of all users of a group given the group's aid. Returns null * if error. * @param conn * @param aid * @return */ public static List<String> getAllUsersOfGroup(Connection conn, int aid) { List<String> users = new ArrayList<String>(); String query = "SELECT username FROM main.users WHERE aid = ?"; PreparedStatement pstmt = null; ResultSet result = null; try { pstmt = conn.prepareStatement(query); pstmt.setInt(1, aid); result = pstmt.executeQuery(); while (result.next()) { users.add(result.getString("username")); } if (users.size() == 0) { users = null; } } catch (SQLException e) { if (DEBUG) e.printStackTrace(); users = null; } finally { DBManager.closeResultSet(result); DBManager.closePreparedStatement(pstmt); } return users; }
}
class DatabaseAdmin { /** * Precondition: user is an admin. If user is an SA, nothing is done and returns -1. * @param conn * @param username * @return */ public static int replaceBoardManager(Connection conn, String username) { int status = -1; Connection tempConn = DBManager.getConnection(); String sa = saOfUsersGroup(tempConn, username); DBManager.closeConnection(tempConn); if (sa == null || sa.equals(username)) { if (DEBUG) { System.err.printf("sa = %s, username = %s\n", sa, username); } return status; } String query = "UPDATE main.boards SET managedby = ? WHERE managedby = ?"; PreparedStatement pstmt = null; try { pstmt = conn.prepareStatement(query); pstmt.setString(1, sa); pstmt.setString(2, username); status = pstmt.executeUpdate(); if (DEBUG) System.err.printf("status = %d\n", status); } catch (SQLException e) { if (DEBUG) { System.err.println("failing cuz SQLException"); e.printStackTrace(); } status = -1; } return status; }
}
|