From 4bfe43c8a36d83f3e8a3f79cb55518f2fcee5ec4 Mon Sep 17 00:00:00 2001
From: "pixee-standardchartered[bot]" <192133916+pixee-standardchartered[bot]@users.noreply.github.com>
Date: Sun, 27 Jul 2025 03:01:27 +0000
Subject: [PATCH] Refactored to use parameterized SQL APIs

---
 src/main/java/com/acme/search/FederalConnection.java | 8 +++++---
 src/main/java/com/acme/sql/SQLInjectionVuln.java | 6 ++++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/main/java/com/acme/search/FederalConnection.java b/src/main/java/com/acme/search/FederalConnection.java
index a9bba19..14c6543 100644
--- a/src/main/java/com/acme/search/FederalConnection.java
+++ b/src/main/java/com/acme/search/FederalConnection.java
@@ -1,5 +1,6 @@
 package com.acme.search;
 
+import java.sql.PreparedStatement;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
@@ -21,9 +22,10 @@ String doSearch(final String searchTerm) throws SQLException {
         // connect to the federal database
         Connection conn = fedConnectionLoader.getConnection();
         // search the forecasts table for entries with the given query
-        String query = "SELECT * FROM forecasts WHERE entry_desc LIKE '%" + searchTerm + "%'";
-        Statement stmt = conn.createStatement();
-        ResultSet rs = stmt.executeQuery(query);
+        String query = "SELECT * FROM forecasts WHERE entry_desc LIKE ?";
+        PreparedStatement stmt = conn.prepareStatement(query);
+        stmt.setString(1, "%" + searchTerm + "%");
+        ResultSet rs = stmt.executeQuery();
         List ids = new ArrayList<>();
         while(rs.next()) {
             String id = rs.getString("entry_id");
diff --git a/src/main/java/com/acme/sql/SQLInjectionVuln.java b/src/main/java/com/acme/sql/SQLInjectionVuln.java
index 2175f34..ddd0c34 100644
--- a/src/main/java/com/acme/sql/SQLInjectionVuln.java
+++ b/src/main/java/com/acme/sql/SQLInjectionVuln.java
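Review bot: In the doSearch hunk the new `stmt` and the `rs` it yields are still never closed on the visible lines, so the parameterization fixes the injection but leaves the statement leak in place; open it as `try (PreparedStatement stmt = conn.prepareStatement(query)) {` and nest the ResultSet in its own try-with-resources. The bound value keeps `%`/`_` in searchTerm live as LIKE wildcards, so a bare `%` matches every row; if that is not intended, escape them before binding and add an `ESCAPE` clause to the query. `import java.sql.Statement` in this file is probably unused now that createStatement() is gone, though the import block is outside the hunk, so confirm before dropping it. The method body continues past the end of the hunk (the while loop and whatever follows), so the try blocks would have to enclose those lines too.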
@@ -5,6 +5,7 @@
 import jakarta.ws.rs.QueryParam;
 
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.SQLException;
 import java.sql.Statement;
 
@@ -12,8 +13,9 @@ public class SQLInjectionVuln {
     @GET
     public String lookupResource(Connection connection, @QueryParam("resource") final String resource) throws SQLException {
-        Statement statement = connection.createStatement();
-        statement.executeQuery("select * from users where name = '" + resource + "'");
+        PreparedStatement statement = connection.prepareStatement("select * from users where name = ?");
+        statement.setString(1, resource);
+        statement.executeQuery();
         return "ok";
     }
 }
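Review bot: The new `statement` in lookupResource is never closed and the ResultSet returned by `executeQuery()` is discarded unreferenced, so the rewrite trades the injection for a per-request statement leak; wrap it as `try (PreparedStatement statement = connection.prepareStatement("select * from users where name = ?")) {` with `statement.setString(1, resource);` and `statement.executeQuery().close();` inside. `import java.sql.Statement;`, visible as context in this file's import hunk, has no remaining user after the removed `createStatement()` line and should go in the same commit. The method is fully visible in the hunk, so the change is local to it.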