From 0c109253a6e39a2c06269cf543fa95dcd8b6ba52 Mon Sep 17 00:00:00 2001
From: eitanMobb <165832608+eitanMobb@users.noreply.github.com>
Date: Wed, 19 Feb 2025 16:25:22 -0500
Subject: [PATCH 1/2] Update my naive sql.java
---
 my naive sql.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/my naive sql.java b/my naive sql.java
index 78e1515..13a79a5 100644
--- a/my naive sql.java
+++ b/my naive sql.java
@@ -11,6 +11,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 try {
 Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/db");
 String user = request.getParameter("username");
+ String query = "SELECT * FROM users WHERE username = '" + request.getParameter("username") + "';";
+ Statement stmt = con.createStatement();
+
+ stmt.executeQuery(query);
 } catch (Exception e) {
 throw new ServletException(e);
 }
From c9fc9edb14bad6c5b23b45ba53b96d37a66a6c67 Mon Sep 17 00:00:00 2001
From: Mobb autofixer
Date: Wed, 19 Feb 2025 21:27:45 +0000
Subject: [PATCH 2/2] SQL Injection fix by mobb-2f839414-5b3f-44e8-8ede-3876197ae2cc
---
 my naive sql.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/my naive sql.java b/my naive sql.java
index 13a79a5..4cdbf57 100644
--- a/my naive sql.java
+++ b/my naive sql.java
@@ -1,3 +1,4 @@
+import java.sql.PreparedStatement;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
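Review bot: The first added line of the doGet hunk builds the SQL text by concatenating the raw `username` request parameter, so whatever the client sends is parsed as part of the statement instead of being bound as data; the fix is `String query = "SELECT * FROM users WHERE username = ?";` with `PreparedStatement stmt = con.prepareStatement(query); stmt.setString(1, user);`. The context line just above already stores that parameter in `user`, which is otherwise unused, so the second `request.getParameter("username")` call should go. The `Statement`, the `ResultSet` it returns and the `Connection` are never closed, and the result of `executeQuery` is discarded; wrapping them in try-with-resources keeps the connection from leaking when the enclosing catch rethrows as `ServletException`. doGet begins and ends outside the hunk, and the second patch in this series replaces these lines.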
@@ -11,10 +12,19 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 try {
 Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/db");
 String user = request.getParameter("username");
- String query = "SELECT * FROM users WHERE username = '" + request.getParameter("username") + "';";
- Statement stmt = con.createStatement();
+ String query = "SELECT * FROM users WHERE username = '?';";
+ PreparedStatement stmt = con.prepareStatement(query);
 
- stmt.executeQuery(query);
+ try {
+ stmt.setInt(1, Math.round(Float.parseFloat(request.getParameter("username"))));
+ } catch (NumberFormatException e) {
+ // MOBB: consider printing this message to logger: mobb-72204bd3d2910aa4632d5a5fedaadbec: Failed to convert input to type integer
+
+ // MOBB: using a default value for the SQL parameter in case the input is not convertible.
+ // This is important for preventing users from causing a denial of service to this application by throwing an exception here.
+ stmt.setInt(1, 0);
+ }
+ stmt.executeQuery();
 } catch (Exception e) {
 throw new ServletException(e);
 }
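Review bot: The rewritten query on the first added line keeps the placeholder inside single quotes, `'?'`, so the driver sees a string literal and no bind parameter at all; `stmt.setInt(1, ...)` then fails with an SQLException for a parameter index that does not exist, the outer `catch (Exception e)` turns it into a ServletException, and the servlet stops working for every input rather than being fixed. Coercing `username` through `Float.parseFloat`/`Math.round` to an int and falling back to `0` on `NumberFormatException` also changes what is looked up: a `username` column is compared as a string, so the parameter should be bound as-is with `setString`, not silently mapped to user 0. The `PreparedStatement` and the `ResultSet` returned by `executeQuery()` are never closed or read, and `user` on the context line above is still unused while the parameter is read a second time. The `Connection` and the surrounding `try`/`catch` come from outside the hunk, as does the rest of doGet. Suggested replacement for the added lines (a `java.sql.ResultSet` import is needed if the file does not already have one):
```java
String user = request.getParameter("username");
// unquoted placeholder: the driver binds the value as data, never as SQL text
String query = "SELECT * FROM users WHERE username = ?";
try (PreparedStatement stmt = con.prepareStatement(query)) {
    stmt.setString(1, user);
    try (ResultSet rs = stmt.executeQuery()) {
        // … process rows here; the hunk discards the result …
    }
}
// … unchanged: catch (Exception e) { throw new ServletException(e); } …
```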