From e7e626491163a81b5ced4d409811a59421b63985 Mon Sep 17 00:00:00 2001
From: eitanMobb <165832608+eitanMobb@users.noreply.github.com>
Date: Tue, 10 Dec 2024 09:17:24 -0500
Subject: [PATCH 1/2] Update my naive sql.java

---
 my naive sql.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/my naive sql.java b/my naive sql.java
index 78e1515..13a79a5 100644
--- a/my naive sql.java	
+++ b/my naive sql.java	
@@ -11,6 +11,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
         try {
             Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/db");
             String user = request.getParameter("username");
+            String query = "SELECT * FROM users WHERE username = '" + request.getParameter("username") + "';";
+            Statement stmt = con.createStatement();
+
+            stmt.executeQuery(query);
         } catch (Exception e) {
             throw new ServletException(e);
         }

From 6fcea90ec6a16d136fe31719f0cc2fdf38a9a288 Mon Sep 17 00:00:00 2001
From: Mobb autofixer <git@mobb.ai>
Date: Tue, 10 Dec 2024 14:25:07 +0000
Subject: [PATCH 2/2] SQL Injection fix by
 mobb-e82982bd-e55d-4f1f-893f-146270dbe8a6

---
 my naive sql.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/my naive sql.java b/my naive sql.java
index 13a79a5..4cdbf57 100644
--- a/my naive sql.java	
+++ b/my naive sql.java	
@@ -1,3 +1,4 @@
+import java.sql.PreparedStatement;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -11,10 +12,19 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
         try {
             Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/db");
             String user = request.getParameter("username");
-            String query = "SELECT * FROM users WHERE username = '" + request.getParameter("username") + "';";
-            Statement stmt = con.createStatement();
+            String query = "SELECT * FROM users WHERE username = '?';";
+            PreparedStatement stmt = con.prepareStatement(query);
 
-            stmt.executeQuery(query);
+            try {
+                stmt.setInt(1, Math.round(Float.parseFloat(request.getParameter("username"))));
+            } catch (NumberFormatException e) {
+                // MOBB: consider printing this message to logger: mobb-72204bd3d2910aa4632d5a5fedaadbec: Failed to convert input to type integer
+
+                // MOBB: using a default value for the SQL parameter in case the input is not convertible.
+                // This is important for preventing users from causing a denial of service to this application by throwing an exception here.
+                stmt.setInt(1, 0);
+            }
+            stmt.executeQuery();
         } catch (Exception e) {
             throw new ServletException(e);
         }