Restructured the baseline to remove extra src/main directory structure. Added eclipes project file

git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507

webapp/lessons/SQLInjection/EditProfile.jsp

@@ -0,0 +1,133 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.SQLInjection.SQLInjection" 
+	errorPage="" %>
+<%
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+	Employee employee = (Employee) session.getAttribute("SQLInjection.Employee");
+%>
+		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
+		<div class="lesson_text">
+			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+				<Table>
+				<TR><TD>
+						First Name:
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.FIRST_NAME%>" type="text" value="<%=employee.getFirstName()%>"/>
+					</TD>
+					<TD>				
+						Last Name:
+					</TD>
+					<TD>
+					 	<input class="lesson_text_db" name="<%=SQLInjection.LAST_NAME%>" type="text" value="<%=employee.getLastName()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>				
+						Street: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.ADDRESS1%>" type="text" value="<%=employee.getAddress1()%>"/>
+					</TD>
+					<TD>				
+						City/State: 
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.ADDRESS2%>" type="text" value="<%=employee.getAddress2()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Phone: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.PHONE_NUMBER%>" type="text" value="<%=employee.getPhoneNumber()%>"/>
+					</TD>
+					<TD>				
+						Start Date: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.START_DATE%>" type="text" value="<%=employee.getStartDate()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+			    		SSN: 
+			    	</TD>
+			    	<TD>
+			    		<input class="lesson_text_db" name="<%=SQLInjection.SSN%>" type="text" value="<%=employee.getSsn()%>"/> 
+					</TD>
+					<TD>				
+						Salary: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.SALARY%>" type="text" value="<%=employee.getSalary()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Credit Card: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.CCN%>" type="text" value="<%=employee.getCcn()%>"/>
+					</TD>
+					<TD>				
+						Credit Card Limit: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.CCN_LIMIT%>" type="text" value="<%=employee.getCcnLimit()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Comments: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.DESCRIPTION%>" type="text" value="<%=employee.getPersonalDescription()%>"/>
+					</TD>
+					<TD>				
+						Manager: 
+					</TD>
+					<TD>
+						<select class="lesson_text_db" name="<%=SQLInjection.MANAGER%>">
+						<%
+				      	List employees = (List) session.getAttribute("SQLInjection.Staff");
+				      	Iterator i = employees.iterator();
+						while (i.hasNext())
+						{
+							EmployeeStub stub = (EmployeeStub) i.next();
+								%>
+								<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()%></option>
+						<%}%>
+						</select>
+					</TD>	
+				</TR>
+				<TR><TD>
+						Disciplinary Explanation: 
+					</TD>
+					<TD>
+						<textarea name="<%=SQLInjection.DISCIPLINARY_NOTES%>"  cols="16" rows="3" class="lesson_text_db" ><%=employee.getDisciplinaryActionNotes()%></textarea>
+					</TD>
+					<TD>				
+						Disciplinary Action Dates: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=SQLInjection.DISCIPLINARY_DATE%>" type="text" value="<%=employee.getDisciplinaryActionDate()%>"/>
+					</TD>
+				</TR>
+				</Table>
+				<BR>
+				<div class="lesson_buttons_bottom">
+				<table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
+               		<tr>
+                     		<td width="57">
+							<input type="submit" name="action" value="<%=SQLInjection.VIEWPROFILE_ACTION%>"/>
+				  		</td>
+				  		
+                       	<td width="81">
+ 							<input name="<%=SQLInjection.EMPLOYEE_ID%>" type="hidden" value="<%=employee.getId()%>">
+							<input name="<%=SQLInjection.TITLE%>" type="hidden" value="<%=employee.getTitle()%>">
+							<input type="submit" name="action" value="<%=SQLInjection.UPDATEPROFILE_ACTION%>"/>
+						</td>
+                        	<td width="211"></td>
+                        	<td width="83">
+	 						<input type="submit" name="action" value="<%=SQLInjection.LOGOUT_ACTION%>"/>
+						</td>
+                 	</tr>
+              	</table>			
+			</div></form>
+		</div>	

webapp/lessons/SQLInjection/ListStaff.jsp

@@ -0,0 +1,57 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.SQLInjection.SQLInjection" 
+	errorPage="" %>
+<%
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+	int myUserId = webSession.getUserIdInLesson();
+%>
+	<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Staff Listing Page</div>
+		<br>
+		<br>
+		<br>
+		<p>Select from the list below	</p>
+
+		<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+  <table width="60%" border="0" cellpadding="3">
+    <tr>
+      <td>  <label>
+  <select name="<%=SQLInjection.EMPLOYEE_ID%>" size="11">
+			      	<%
+			      	List employees = (List) session.getAttribute("SQLInjection." + SQLInjection.STAFF_ATTRIBUTE_KEY);
+			      	Iterator i = employees.iterator();
+			      	EmployeeStub stub = (EmployeeStub) i.next();%>
+			      	<option selected value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
+					while (i.hasNext())
+					{
+						stub = (EmployeeStub) i.next();%>
+						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
+					}%>
+  </select>
+  </label></td>
+      <td>
+	        	<input type="submit" name="action" value="<%=SQLInjection.SEARCHSTAFF_ACTION%>"/><br>
+	        	<input type="submit" name="action" value="<%=SQLInjection.VIEWPROFILE_ACTION%>"/><br>
+            		<% 
+				if (webSession.isAuthorizedInLesson(myUserId, SQLInjection.CREATEPROFILE_ACTION))
+				{
+				%>
+					<input type="submit" disabled name="action" value="<%=SQLInjection.CREATEPROFILE_ACTION%>"/><br>
+				<% 
+				}
+				%>
+            		<% 
+				if (webSession.isAuthorizedInLesson(myUserId, SQLInjection.DELETEPROFILE_ACTION))
+				{
+				%>
+					<input type="submit" name="action" value="<%=SQLInjection.DELETEPROFILE_ACTION%>"/><br>
+				<% 
+				}
+				%>
+			<br>
+					<input type="submit" name="action" value="<%=SQLInjection.LOGOUT_ACTION%>"/>
+	  </td>
+    </tr>
+  </table>
+
+		</form>
+		

webapp/lessons/SQLInjection/Login.jsp

@@ -0,0 +1,32 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.SQLInjection.SQLInjection" 
+	errorPage="" %>
+	<div id="lesson_login">
+		<div id="lesson_login_txt">
+			<% 
+			WebSession webSession = ((WebSession)session.getAttribute("websession"));
+			%>
+			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+			    	<label>
+			      	<select name="<%=SQLInjection.EMPLOYEE_ID%>">
+			      	<%
+			      	//System.out.println("Retrieving employees list");
+			      	List employees = (List) session.getAttribute("SQLInjection." + SQLInjection.STAFF_ATTRIBUTE_KEY);
+			      	Iterator i = employees.iterator();
+					while (i.hasNext())
+					{
+						EmployeeStub stub = (EmployeeStub) i.next();
+					%>
+			      	<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName() + " (" + stub.getRole() + ")"%></option>
+					<%}%>
+	                </select>
+		        </label>
+				<br>
+			    	<label>Password
+			    		<input name="password" type="password" size="10" maxlength="8" />
+			    </label>
+				<br>
+				<input type="submit" name="action" value="<%=SQLInjection.LOGIN_ACTION%>"/>
+			</form>
+		</div>
+	</div>

webapp/lessons/SQLInjection/SQLInjection.css

@@ -0,0 +1,14 @@
+#lesson_wrapper {height: 435px;width: 500px;}
+#lesson_header {background-image: url(lessons/SQLInjection/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
+.lesson_workspace {background-image: url(lessons/SQLInjection/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}
+.lesson_text {height: 240px;width: 460px;padding-top: 5px;}
+#lesson_buttons_bottom {height: 20px;width: 460px;}
+#lesson_b_b_left {width: 300px;float: left;}
+#lesson_b_b_right input {width: 100px;float: right;}
+.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}
+.lesson_workspace { }
+.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}
+.lesson_text_db {color: #0066FF}
+#lesson_login {background-image: url(lessons/SQLInjection/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}
+#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}
+#lesson_search {background-image: url(lessons/SQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}

webapp/lessons/SQLInjection/SQLInjection.jsp

@@ -0,0 +1,26 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.SQLInjection.SQLInjection" 
+	errorPage="" %>
+<style>
+<jsp:include page="SQLInjection.css" />
+</style>
+<%
+WebSession webSession = ((WebSession)session.getAttribute("websession"));
+SQLInjection currentLesson = (SQLInjection) webSession.getCurrentLesson();
+%>
+<div id="lesson_wrapper">
+	<div id="lesson_header"></div>
+	<div class="lesson_workspace">
+	<%
+	String subViewPage = currentLesson.getPage(webSession);
+	if (subViewPage != null)
+	{
+		//System.out.println("Including sub view page: " + subViewPage);
+	%>
+	<jsp:include page="<%=subViewPage%>" />
+	<%
+	}
+	%>
+
+	</div>
+</div>

webapp/lessons/SQLInjection/SearchStaff.jsp

@@ -0,0 +1,22 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.SQLInjection.SQLInjection" 
+	errorPage="" %>
+	<div id="lesson_search">
+			<% 
+			WebSession webSession = ((WebSession)session.getAttribute("websession"));
+			String searchedName = request.getParameter(SQLInjection.SEARCHNAME);
+			if (searchedName != null)
+			{
+			%>
+				Employee <%=searchedName%> not found.
+			<%
+			}
+			%>
+			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+			    	<label>Name
+					<input class="lesson_text_db" type="text" name="<%=SQLInjection.SEARCHNAME%>"/>
+		        </label>
+				<br>
+				<input type="submit" name="action" value="<%=SQLInjection.FINDPROFILE_ACTION%>"/>
+			</form>
+	</div>

webapp/lessons/SQLInjection/ViewProfile.jsp

@@ -0,0 +1,154 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.SQLInjection.SQLInjection" 
+	errorPage="" %>
+<%
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+	Employee employee = (Employee) session.getAttribute("SQLInjection." + SQLInjection.EMPLOYEE_ATTRIBUTE_KEY);
+//	int myUserId = getIntSessionAttribute(webSession, "SQLInjection." + SQLInjection.USER_ID);
+%>
+		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
+		<div class="lesson_text">
+				<Table>
+				<TR><TD>
+						First Name:
+					</TD>
+					<TD>
+						<%=employee.getFirstName()%>
+					</TD>
+					<TD>				
+						Last Name:
+					</TD>
+					<TD>
+					 	<%=employee.getLastName()%>
+					</TD>
+				</TR>
+				<TR><TD>				
+						Street: 
+					</TD>
+					<TD>
+						<%=employee.getAddress1()%>
+					</TD>
+					<TD>				
+						City/State: 
+					<TD>
+						<%=employee.getAddress2()%>
+					</TD>
+				</TR>
+				<TR><TD>
+						Phone: 
+					</TD>
+					<TD>
+						<%=employee.getPhoneNumber()%>
+					</TD>
+					<TD>				
+						Start Date: 
+					</TD>
+					<TD>
+						<%=employee.getStartDate()%>
+					</TD>
+				</TR>
+				<TR><TD>
+			    		SSN: 
+			    	</TD>
+			    	<TD>
+			    		<%=employee.getSsn()%>
+					</TD>
+					<TD>				
+						Salary: 
+					</TD>
+					<TD>
+						<%=employee.getSalary()%>
+					</TD>
+				</TR>
+				<TR><TD>
+						Credit Card: 
+					</TD>
+					<TD>
+						<%=employee.getCcn()%>
+					</TD>
+					<TD>				
+						Credit Card Limit: 
+					</TD>
+					<TD>
+						<%=employee.getCcnLimit()%>
+					</TD>
+				</TR>
+				<TR><TD>
+						Comments: 
+					</TD>
+					<TD>
+						<%=employee.getPersonalDescription()%>
+					</TD>
+					<TD>				
+						Manager: 
+					</TD>
+					<TD>
+						<%=employee.getManager()%>
+					</TD>	
+				</TR>
+				<TR><TD>
+						Disciplinary Explanation: 
+					</TD>
+					<TD>
+						<%=employee.getDisciplinaryActionNotes()%>
+					</TD>
+					<TD>				
+						Disciplinary Action Dates: 
+					</TD>
+					<TD>
+						<%=employee.getDisciplinaryActionDate()%>
+					</TD>
+				</TR>
+				</Table>
+		</div>
+		<div class="lesson_buttons_bottom">
+		    <table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
+                 <tr>
+                 	<td width="50">
+					 <%					
+					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.LISTSTAFF_ACTION))
+					 {
+					 %>                	
+						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=SQLInjection.LISTSTAFF_ACTION%>"/>
+						</form>
+					 <%
+					 }
+					 %>
+					 </td>
+		             <td width="50">
+					 <%					
+					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.EDITPROFILE_ACTION))
+					 {
+					 %>
+						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=SQLInjection.EDITPROFILE_ACTION%>"/>
+						</form>
+					<%
+					}
+					%>
+					</td>					
+                    <td width="60">
+					<%					
+					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.DELETEPROFILE_ACTION))
+					{
+					%>
+						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=SQLInjection.DELETEPROFILE_ACTION%>"/>
+						</form>
+					<%
+					}
+					%>
+					</td>
+                      <td width="190">&nbsp;</td>
+                      <td width="76">
+						<form method="POST">
+							<input type="submit" name="action" value="<%=SQLInjection.LOGOUT_ACTION%>"/>
+						</form>
+					</td>
+				</tr>
+         	</table>
+		</div>

webapp/lessons/SQLInjection/error.jsp

@@ -0,0 +1,3 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	errorPage="" %>
+<br><br><br>An error has occurred.