Add Sybase database support for SQL Injection

src/main/java/com/waratek/spiracle/init/SpiracleInit.java

@@ -46,6 +46,8 @@ public void contextDestroyed(ServletContextEvent arg0) {
         ((ComboPooledDataSource) application.getAttribute(Constants.ORACLE_CONNECTION_POOL)).close();
         ((ComboPooledDataSource) application.getAttribute(Constants.MYSQL_CONNECTION_POOL)).close();
         ((ComboPooledDataSource) application.getAttribute(Constants.MSSQL_CONNECTION_POOL)).close();
+        ((ComboPooledDataSource) application.getAttribute(Constants.DB2_CONNECTION_POOL)).close();
+        ((ComboPooledDataSource) application.getAttribute(Constants.SYBASE_CONNECTION_POOL)).close();
     }
 
     @Override
@@ -68,13 +70,17 @@ public void contextInitialized(ServletContextEvent arg0) {
         ComboPooledDataSource db2SqlDs = getConnectionPool(props, Constants.DB2);
         setNamedConnectionPool(application, db2SqlDs, Constants.DB2_CONNECTION_POOL, Constants.DB2_CONNECTION_DATA);
 
+        ComboPooledDataSource sybaseSqlDs = getConnectionPool(props, Constants.SYBASE);
+        setNamedConnectionPool(application, sybaseSqlDs, Constants.SYBASE_CONNECTION_POOL, Constants.SYBASE_CONNECTION_DATA);
+
         setDefaultConnection(application, props);
         setFetchSize(application, props);
         try {
             Class.forName(props.getProperty(Constants.C3P0_ORACLE_CLASSNAME));
             Class.forName(props.getProperty(Constants.C3P0_MYSQL_CLASSNAME));
             Class.forName(props.getProperty(Constants.C3P0_MSSQL_CLASSNAME));
             Class.forName(props.getProperty(Constants.C3P0_DB2_CLASSNAME));
+            Class.forName(props.getProperty(Constants.C3P0_SYBASE_CLASSNAME));
         } catch (ClassNotFoundException e) {
             logger.error("Unable to load JDBC connector classes from config.");
             e.printStackTrace();

src/main/java/com/waratek/spiracle/sql/servlet/sybase/Sybase_Get_Implicit_Join.java

@@ -0,0 +1,82 @@
+/*
+ *  Copyright 2017 Waratek Ltd.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package com.waratek.spiracle.sql.servlet.sybase;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.waratek.spiracle.sql.servlet.util.ParameterNullFix;
+import com.waratek.spiracle.sql.util.SelectUtil;
+
+/**
+ * Servlet implementation class Get_Inner_Join
+ */
+@WebServlet("/Sybase_Get_Implicit_Join")
+public class Sybase_Get_Implicit_Join extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * @see HttpServlet#HttpServlet()
+     */
+    public Sybase_Get_Implicit_Join() {
+        super();
+        // TODO Auto-generated constructor stub
+    }
+
+    /**
+     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        executeRequest(request, response);
+    }
+
+    /**
+     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        executeRequest(request, response);
+    }
+
+    private void executeRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        ServletContext application = this.getServletConfig().getServletContext();
+        List<String> queryStringList = new ArrayList<String>();
+        queryStringList.add("id");
+
+        Map<String, String> nullSanitizedMap = ParameterNullFix.sanitizeNull(queryStringList, request);
+
+        String id = nullSanitizedMap.get("id");
+
+        String sql = "SELECT * FROM users, address WHERE users.id = " + id + " AND users.id = address.id";
+
+        Boolean showErrors = true;
+        Boolean allResults = true;
+        Boolean showOutput = true;
+
+        SelectUtil.executeQuery(sql, application, request, response, showErrors, allResults, showOutput);
+    }
+
+}

src/main/java/com/waratek/spiracle/sql/servlet/sybase/Sybase_Get_Union.java

@@ -0,0 +1,82 @@
+/*
+ *  Copyright 2017 Waratek Ltd.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package com.waratek.spiracle.sql.servlet.sybase;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.waratek.spiracle.sql.servlet.util.ParameterNullFix;
+import com.waratek.spiracle.sql.util.SelectUtil;
+
+/**
+ * Servlet implementation class Get_Union
+ */
+@WebServlet("/Sybase_Get_Union")
+public class Sybase_Get_Union extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * @see HttpServlet#HttpServlet()
+     */
+    public Sybase_Get_Union() {
+        super();
+        // TODO Auto-generated constructor stub
+    }
+
+    /**
+     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        executeRequest(request, response);
+    }
+
+    /**
+     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        executeRequest(request, response);
+    }
+
+    private void executeRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        ServletContext application = this.getServletConfig().getServletContext();
+        List<String> queryStringList = new ArrayList<String>();
+        queryStringList.add("id");
+
+        Map<String, String> nullSanitizedMap = ParameterNullFix.sanitizeNull(queryStringList, request);
+
+        String id = nullSanitizedMap.get("id");
+
+        String sql = "SELECT name, surname, CONVERT(varchar(500),dob,3)  FROM users WHERE id = " + id + " UNION SELECT address_1, address_2, address_3 FROM address WHERE id = " + id;
+
+        Boolean showErrors = true;
+        Boolean allResults = true;
+        Boolean showOutput = true;
+
+        SelectUtil.executeQuery(sql, application, request, response, showErrors, allResults, showOutput);
+    }
+
+}

src/main/java/com/waratek/spiracle/sql/servlet/sybase/Sybase_Get_int_no_quote.java

@@ -0,0 +1,81 @@
+/*
+ *  Copyright 2017 Waratek Ltd.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package com.waratek.spiracle.sql.servlet.sybase;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.waratek.spiracle.sql.servlet.util.ParameterNullFix;
+import com.waratek.spiracle.sql.util.SelectUtil;
+
+/**
+ * Servlet implementation class Get_int
+ */
+@WebServlet("/Sybase_Get_int_no_quote")
+public class Sybase_Get_int_no_quote extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * @see HttpServlet#HttpServlet()
+     */
+    public Sybase_Get_int_no_quote() {
+        super();
+        // TODO Auto-generated constructor stub
+    }
+
+    /**
+     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        executeRequest(request, response);
+    }
+
+    /**
+     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        executeRequest(request, response);
+    }
+
+    private void executeRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        ServletContext application = this.getServletConfig().getServletContext();
+        List<String> queryStringList = new ArrayList<String>();
+        queryStringList.add("id");
+
+        Map<String, String> nullSanitizedMap = ParameterNullFix.sanitizeNull(queryStringList, request);
+
+        String id = nullSanitizedMap.get("id");
+
+        String sql = "SELECT * FROM users WHERE id = " + id;
+
+        Boolean showErrors = true;
+        Boolean allResults = true;
+        Boolean showOutput = true;
+
+        SelectUtil.executeQuery(sql, application, request, response, showErrors, allResults, showOutput);
+    }
+}

src/main/java/com/waratek/spiracle/sql/servlet/sybase/Sybase_Get_string.java

@@ -0,0 +1,82 @@
+/*
+ *  Copyright 2017 Waratek Ltd.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package com.waratek.spiracle.sql.servlet.sybase;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.waratek.spiracle.sql.servlet.util.ParameterNullFix;
+import com.waratek.spiracle.sql.util.SelectUtil;
+
+/**
+ * Servlet implementation class Get_string
+ */
+@WebServlet("/Sybase_Get_string")
+public class Sybase_Get_string extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * @see HttpServlet#HttpServlet()
+     */
+    public Sybase_Get_string() {
+        super();
+        // TODO Auto-generated constructor stub
+    }
+
+    /**
+     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        executeRequest(request, response);
+    }
+
+    /**
+     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        executeRequest(request, response);
+    }
+
+    private void executeRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        ServletContext application = this.getServletConfig().getServletContext();
+        List<String> queryStringList = new ArrayList<String>();
+        queryStringList.add("name");
+
+        Map<String, String> nullSanitizedMap = ParameterNullFix.sanitizeNull(queryStringList, request);
+
+        String name = nullSanitizedMap.get("name");
+
+        String sql = "SELECT * FROM users WHERE name = '" + name + "'";
+
+        Boolean showErrors = true;
+        Boolean allResults = true;
+        Boolean showOutput = true;
+
+        SelectUtil.executeQuery(sql, application, request, response, showErrors, allResults, showOutput);
+    }
+
+}