
Oracle JDeveloper 10g for Forms & PL/SQL Developers
Sample Code

Chapter 15
Section Preventing SQL Injection Attacks | Securing Find Mode
Code getViewCriteriaClause( )


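  /**
   * Screens every Find-mode criteria value for SQL injection before the
   * framework turns the view criteria into a WHERE clause.
   * <p>
   * For each criteria row (walked with {@code first()}/{@code next()}) and
   * each attribute of the view object, a non-null criteria value is replaced
   * by the result of {@code detectInjection(criteria, columnNameList,
   * restricted)}. {@code restricted} is {@code false} for INTEGER, NUMERIC,
   * DECIMAL, DATE and TIMESTAMP columns and {@code true} for every other SQL
   * type. {@code columnNameList} is the upper-cased, {@code '|'}-separated
   * list of the view object's column names, built once per call. What
   * {@code detectInjection} does with these inputs is defined elsewhere in
   * this class and is not described here.
   * <p>
   * The only code change versus the earlier listing is in the column-name
   * list: it is now built without a trailing separator instead of being
   * trimmed with {@code substring(0, length() - 2)}, which cut the last
   * character off the final column name (only one {@code '|'} was appended
   * per name) and threw for a view object with no attributes.
   *
   * @param forQuery passed unchanged to the superclass implementation
   * @return the clause produced by {@code super.getViewCriteriaClause}
   *         from the screened criteria rows
   */
  public String getViewCriteriaClause(boolean forQuery) 
  {
    ViewCriteria viewCriteria = getViewCriteria();
    if (viewCriteria != null) 
    {
      AttributeDef[] attrs = viewCriteria.getViewObject().getAttributeDefs();
      String columnNameList = buildColumnNameList(attrs);
      ViewCriteriaRow vcr = (ViewCriteriaRow)viewCriteria.first();
      while (vcr != null) 
      {
        screenCriteriaRow(vcr, attrs, columnNameList);
        vcr = (ViewCriteriaRow)viewCriteria.next();
      }  // end of while (vcr != null)
    }  // end of if (viewCriteria != null)
    return super.getViewCriteriaClause(forQuery); 
  }  // end of method

  /**
   * Joins the upper-cased column names of {@code attrs} with {@code '|'},
   * with no leading or trailing separator.
   *
   * @param attrs attribute definitions of the view object; may be empty
   * @return e.g. {@code "EMPLOYEE_ID|LAST_NAME"}, or {@code ""} when
   *         {@code attrs} is empty
   */
  private static String buildColumnNameList(AttributeDef[] attrs)
  {
    StringBuilder columnNameListBuff = new StringBuilder();
    for (AttributeDef attr : attrs) 
    {
      // Separator goes before every name but the first, so nothing has to
      // be trimmed afterwards and an empty attribute list yields "".
      if (columnNameListBuff.length() > 0)
      {
        columnNameListBuff.append('|');
      }
      // Locale.ROOT keeps the names comparable to database metadata
      // regardless of the JVM's default locale (e.g. Turkish dotless i).
      columnNameListBuff.append(
          attr.getColumnName().toUpperCase(java.util.Locale.ROOT));
    }  // end of for (AttributeDef attr : attrs)
    return columnNameListBuff.toString();
  }  // end of buildColumnNameList

  /**
   * Replaces every non-null criteria value in one criteria row with the
   * value returned by {@code detectInjection}.
   *
   * @param vcr            the criteria row to screen (updated in place)
   * @param attrs          attribute definitions of the view object
   * @param columnNameList the {@code '|'}-separated column-name list passed
   *                       through to {@code detectInjection}
   */
  private void screenCriteriaRow(ViewCriteriaRow vcr, AttributeDef[] attrs,
                                 String columnNameList)
  {
    for (AttributeDef attr : attrs) 
    {
      int index = attr.getIndex();
      // Find-mode criteria values are read as strings here, as in the
      // original listing; a non-String attribute value would fail the cast.
      String criteria = (String)vcr.getAttribute(index);
      if (criteria != null) 
      {
        boolean restricted = isRestrictedType(attr.getSQLType());
        String newCriteria =
               detectInjection(criteria, columnNameList, restricted);
        vcr.setAttribute(index, newCriteria);
      }  // end of if (criteria != null)
    }  // end of for (AttributeDef attr : attrs)
  }  // end of screenCriteriaRow

  /**
   * Decides the {@code restricted} flag handed to {@code detectInjection}
   * for a column of the given {@code java.sql.Types} code.
   * <p>
   * Numeric and date/timestamp columns are unrestricted; every other type
   * is restricted. NOTE(review): the listing does not say why — presumably
   * numeric/date criteria need operators that the stricter check rejects;
   * confirm against detectInjection before widening this list.
   *
   * @param sqlType a {@code java.sql.Types} constant
   * @return {@code false} for INTEGER, NUMERIC, DECIMAL, DATE, TIMESTAMP;
   *         {@code true} otherwise
   */
  private static boolean isRestrictedType(int sqlType)
  {
    switch (sqlType) 
    {
      case Types.INTEGER:
      case Types.NUMERIC:
      case Types.DECIMAL:
      case Types.DATE:
      case Types.TIMESTAMP:
        return false;
      default:
        return true;
    }  // end of switch
  }  // end of isRestrictedType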