From 8d85b2da234981eff7f0faad7c5a077c18857e1e Mon Sep 17 00:00:00 2001 From: "rogan.dawes" Date: Thu, 10 Jan 2008 10:49:12 +0000 Subject: [PATCH] Change UpdateProfile to always use a PreparedStatement, to avoid SQL Injection attacks git-svn-id: http://webgoat.googlecode.com/svn/trunk@258 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../CrossSiteScripting/UpdateProfile.java | 60 +---------- .../DBCrossSiteScripting/UpdateProfile.java | 66 ++++++++---- .../GoatHillsFinancial/UpdateProfile.java | 102 +++++++----------- .../RoleBasedAccessControl/UpdateProfile.java | 59 +--------- .../UpdateProfile_i.java | 78 +++++++------- 5 files changed, 131 insertions(+), 234 deletions(-) diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java index 9dd829fea..157a0e8b4 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java 
@@ -221,29 +221,6 @@ public class UpdateProfile extends DefaultLessonAction String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + " personal_description = ? WHERE userid = ?;"; - /** - String query = "UPDATE employee SET first_name = '" - + employee.getFirstName() + "', last_name = '" - + employee.getLastName() + "', ssn = '" + employee.getSsn() - + "', title = '" + employee.getTitle() + "', phone = '" - + employee.getPhoneNumber() + "', address1 = '" - + employee.getAddress1() + "', address2 = '" - + employee.getAddress2() + "', manager = " - + employee.getManager() - + ", start_date = '" - + employee.getStartDate() - + "', ccn = '" - + employee.getCcn() - + "', ccn_limit = " - + employee.getCcnLimit() - + - // "', disciplined_date = '" + employee.getDisciplinaryActionDate() + - // "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() + - ", personal_description = '" - + employee.getPersonalDescription() + "' WHERE userid = " - + subjectId; - **/ - //System.out.println("Query: " + query); try { PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -261,12 +238,6 @@ public class UpdateProfile extends DefaultLessonAction ps.setInt(11, employee.getCcnLimit()); ps.setString(12, employee.getPersonalDescription()); ps.setInt(13, subjectId); - /** - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - **/ - //ps.executeUpdate(query); ps.execute(); } catch (SQLException sqle) 
@@ -293,29 +264,6 @@ public class UpdateProfile extends DefaultLessonAction String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + " personal_description = ? WHERE userid = ?;"; - /** - String query = "UPDATE employee SET first_name = '" - + employee.getFirstName() + "', last_name = '" - + employee.getLastName() + "', ssn = '" + employee.getSsn() - + "', title = '" + employee.getTitle() + "', phone = '" - + employee.getPhoneNumber() + "', address1 = '" - + employee.getAddress1() + "', address2 = '" - + employee.getAddress2() + "', manager = " - + employee.getManager() - + ", start_date = '" - + employee.getStartDate() - + "', ccn = '" - + employee.getCcn() - + "', ccn_limit = " - + employee.getCcnLimit() - + - // "', disciplined_date = '" + employee.getDisciplinaryActionDate() + - // "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() + - ", personal_description = '" - + employee.getPersonalDescription() + "' WHERE userid = " - + subjectId; - **/ - //System.out.println("Query: " + query); try { PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -333,11 +281,6 @@ public class UpdateProfile extends DefaultLessonAction ps.setInt(11, employee.getCcnLimit()); ps.setString(12, employee.getPersonalDescription()); ps.setInt(13, subjectId); - /** - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - **/ ps.executeUpdate(query); } catch (SQLException sqle) 
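Review bot: `ps.executeUpdate(query);` in the second hunk here (@@ -333,11 +281,6) still runs on a `PreparedStatement`, and the JDBC javadoc for `Statement.executeUpdate(String)` specifies an `SQLException` when that overload is called on a `PreparedStatement`, so with a conforming driver this update path never succeeds and always lands in the `catch (SQLException sqle)` that follows. The first hunk in this file deletes a `//ps.executeUpdate(query);` reminder right next to a working `ps.execute();`, which suggests this second copy was simply overlooked; change the line to `ps.execute();`. The same leftover survives in RoleBasedAccessControl/UpdateProfile.java, hunk @@ -263,11 +211,6. Both enclosing methods start and end outside their hunks.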
@@ -361,7 +304,8 @@ public class UpdateProfile extends DefaultLessonAction try { // FIXME: Cannot choose the id because we cannot guarantee uniqueness - String query = "INSERT INTO employee VALUES ( max(userid)+1, ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; + int nextId = getNextUID(s); + String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; //System.out.println("Query: " + query); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java index 4085d0ba5..a09008621 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java @@ -1,6 +1,8 @@ package org.owasp.webgoat.lessons.DBCrossSiteScripting; import java.sql.CallableStatement; +import java.sql.PreparedStatement; +import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; 
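Review bot: The `// FIXME: Cannot choose the id because we cannot guarantee uniqueness` context line directly above the new `int nextId = getNextUID(s);` is now stale, since the hunk does exactly that, and the id is spliced into the SQL text (`"INSERT INTO employee VALUES ( " + nextId + ", ?..."`) rather than bound. An `int` cannot carry an injection, but the commit's stated goal is to always bind, so make it the first placeholder, bind it with `ps.setInt(1, nextId);`, shift the remaining parameter indexes by one, and drop or reword the FIXME (the same stale FIXME stays in UpdateProfile_i, hunk @@ -91,31 +93,31). Note also that this file gains no `getNextUID` in this commit: if the method is not already defined in this class the file will not compile, and if it is the implementation added to DBCrossSiteScripting it returns 0 after a failed lookup, so the INSERT goes ahead with a bogus id. The enclosing method continues outside the hunk.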
@@ -201,28 +203,29 @@ public class UpdateProfile extends DefaultLessonAction { try { - // FIXME: Cannot choose the id because we cannot guarantee uniqueness - String query = "INSERT INTO employee VALUES ( max(userid)+1, '" - + employee.getFirstName() + "','" + employee.getLastName() - + "','" + employee.getSsn() + "','" - + employee.getFirstName().toLowerCase() + "','" - + employee.getTitle() + "','" + employee.getPhoneNumber() - + "','" + employee.getAddress1() + "','" - + employee.getAddress2() + "'," + employee.getManager() - + ",'" + employee.getStartDate() + "'," - + employee.getSalary() + ",'" + employee.getCcn() + "'," - + employee.getCcnLimit() + ",'" - + employee.getDisciplinaryActionDate() + "','" - + employee.getDisciplinaryActionNotes() + "','" - + employee.getPersonalDescription() + "')"; - - //System.out.println("Query: " + query); + int nextId = getNextUID(s); + String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; try { - Statement statement = WebSession.getConnection(s) - .createStatement(); - statement.executeUpdate(query); + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); + + ps.setString(1, employee.getFirstName().toLowerCase()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getDisciplinaryActionDate()); + ps.setString(13, employee.getDisciplinaryActionNotes()); + ps.setString(14, employee.getPersonalDescription()); + + ps.execute(); } catch (SQLException sqle) { 
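Review bot: The new INSERT supplies 15 values where the statement it replaces supplied 17: `ps.setString(1, employee.getFirstName().toLowerCase())` now puts the lowercased name where `first_name` used to go, and the lowercased-name value that followed `ssn` (the login/password slot) and the `employee.getSalary()` value that followed `start_date` are no longer inserted at all. Unless the employee table has shrunk to 15 columns, the database rejects the row with a column-count error (or, if it accepts it, every later value lands one column to the left), and the user only ever sees "Error updating employee profile". The GoatHillsFinancial hunk (@@ -213,55 +208,40) and the UpdateProfile_i hunk (@@ -91,31 +93,31) have the same drop; there the fixed `'goober57x'` credential after `ssn` and the salary are the missing values. Bind all 17 values (the salary was unquoted in the removed statement, so use the setter matching its declared type), and prefer an explicit column list so positions are checked by the database rather than by counting commas.
```java
int nextId = getNextUID(s);
String query = "INSERT INTO employee VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
// … unchanged: try / prepareStatement(query) …
ps.setInt(1, nextId);
ps.setString(2, employee.getFirstName());
ps.setString(3, employee.getLastName());
ps.setString(4, employee.getSsn());
ps.setString(5, employee.getFirstName().toLowerCase()); // fifth column, filled with this value by the removed statement
ps.setString(6, employee.getTitle());
ps.setString(7, employee.getPhoneNumber());
ps.setString(8, employee.getAddress1());
ps.setString(9, employee.getAddress2());
ps.setInt(10, employee.getManager());
ps.setString(11, employee.getStartDate());
ps.setInt(12, employee.getSalary()); // unquoted numeric in the removed statement; setter per getSalary()'s type
ps.setString(13, employee.getCcn());
ps.setInt(14, employee.getCcnLimit());
ps.setString(15, employee.getDisciplinaryActionDate());
ps.setString(16, employee.getDisciplinaryActionNotes());
ps.setString(17, employee.getPersonalDescription());
// … unchanged: ps.execute() and catch …
```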
@@ -237,4 +240,29 @@ public class UpdateProfile extends DefaultLessonAction } } + private int getNextUID(WebSession s) + { + int uid = -1; + try + { + Statement statement = WebSession.getConnection(s).createStatement( + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement + .executeQuery("select max(userid) as uid from employee"); + results.first(); + uid = results.getInt("uid"); + } + catch (SQLException sqle) + { + sqle.printStackTrace(); + s.setMessage("Error updating employee profile"); + } + catch (ClassNotFoundException e) + { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return uid + 1; + } } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java index 81d3211a2..487ef3180 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java @@ -1,5 +1,6 @@ package org.owasp.webgoat.lessons.GoatHillsFinancial; +import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; 
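Review bot: `getNextUID` turns a failed lookup into a plausible id: on `SQLException` it sets a message and falls through to `return uid + 1;`, which yields 0, so the caller in the hunk above goes on to INSERT with `userid` 0, and the next failure would try that same id again. The `Statement` and `ResultSet` are never closed, the boolean from `results.first()` is ignored, and the `catch (ClassNotFoundException e)` is an auto-generated stub that only prints the trace. Let the method propagate the failure instead; the callers' outer `try`/`catch (Exception e)` (visible in the GoatHillsFinancial hunk) already reports it to the user. Reading `max(userid)` and inserting in separate statements is also not atomic, so overlapping requests can compute the same id; that is probably acceptable for a single-user training app but deserves a comment at the method.
```java
private int getNextUID(WebSession s) throws SQLException, ClassNotFoundException
{
    // Not atomic with the caller's INSERT: overlapping requests may compute the same id.
    Statement statement = WebSession.getConnection(s).createStatement();
    try
    {
        ResultSet results = statement.executeQuery("select max(userid) as uid from employee");
        if (!results.next())
        {
            throw new SQLException("max(userid) query returned no row");
        }
        return results.getInt("uid") + 1;
    }
    finally
    {
        statement.close();
    }
}
```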
@@ -140,33 +141,27 @@ public class UpdateProfile extends DefaultLessonAction try { // Note: The password field is ONLY set by ChangePassword - String query = "UPDATE employee SET first_name = '" - + employee.getFirstName() + "', last_name = '" - + employee.getLastName() + "', ssn = '" + employee.getSsn() - + "', title = '" + employee.getTitle() + "', phone = '" - + employee.getPhoneNumber() + "', address1 = '" - + employee.getAddress1() + "', address2 = '" - + employee.getAddress2() + "', manager = " - + employee.getManager() - + ", start_date = '" - + employee.getStartDate() - + "', ccn = '" - + employee.getCcn() - + "', ccn_limit = " - + employee.getCcnLimit() - + - // "', disciplined_date = '" + employee.getDisciplinaryActionDate() + - // "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() + - ", personal_description = '" - + employee.getPersonalDescription() + "' WHERE userid = " - + subjectId; - //System.out.println("Query: " + query); + String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + + " personal_description = ? 
WHERE userid = ?;"; try { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.execute(query); + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + + ps.setString(1, employee.getFirstName()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getPersonalDescription()); + ps.setInt(13, subjectId); + ps.execute(); } catch (SQLException sqle) { 
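Review bot: The `PreparedStatement ps` created in this hunk is never closed — nothing between `prepareStatement(...)` and `ps.execute();` releases it, and the `catch (SQLException sqle)` path leaks it as well, so every profile update leaves a statement handle open until the connection is dropped (the `Statement` it replaces had the same problem, so this is an opportunity rather than a regression). Declare `ps` before the `try`, and add `finally { if (ps != null) ps.close(); }` to the existing try/catch. The same applies to every other `prepareStatement` hunk in this commit: the INSERT hunk later in this file, the DBCrossSiteScripting INSERT, and both UpdateProfile_i hunks. `ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY` on an UPDATE that never reads a result set can be dropped in favour of the plain `prepareStatement(query)` overload the INSERT hunks already use. The enclosing method starts and ends outside the hunk.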
@@ -213,55 +208,40 @@ public class UpdateProfile extends DefaultLessonAction { try { - int newUID = getNextUID(s); - // FIXME: This max() thing doesn't work on InstantDB. - String query = "INSERT INTO employee VALUES (" + newUID + ", '" - + employee.getFirstName() + "','" + employee.getLastName() - + "','" + employee.getSsn() + "','goober57x','" - + employee.getTitle() + "','" + employee.getPhoneNumber() - + "','" + employee.getAddress1() + "','" - + employee.getAddress2() + "'," + employee.getManager() - + ",'" + employee.getStartDate() + "'," - + employee.getSalary() + ",'" + employee.getCcn() + "'," - + employee.getCcnLimit() + ",'" - + employee.getDisciplinaryActionDate() + "','" - + employee.getDisciplinaryActionNotes() + "','" - + employee.getPersonalDescription() + "')"; - - //System.out.println("Query: " + query); + int nextId = getNextUID(s); + String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; try { - Statement statement = WebSession.getConnection(s) - .createStatement(); - statement.executeUpdate(query); + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); + + ps.setString(1, employee.getFirstName().toLowerCase()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getDisciplinaryActionDate()); + ps.setString(13, employee.getDisciplinaryActionNotes()); + ps.setString(14, employee.getPersonalDescription()); + + ps.execute(); } catch (SQLException sqle) { - sqle.printStackTrace(); s.setMessage("Error updating employee profile"); - } - - query = "INSERT INTO roles VALUES (" + newUID + ", 'hr')"; - - 
//System.out.println("Query: " + query); - - try - { - Statement statement = WebSession.getConnection(s) - .createStatement(); - statement.executeUpdate(query); - } - catch (SQLException sqle) - { sqle.printStackTrace(); - s.setMessage("Error updating employee profile"); } } catch (Exception e) { - e.printStackTrace(); s.setMessage("Error updating employee profile"); + e.printStackTrace(); } } } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java index f825ad3b6..f5bddc3a0 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java 
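Review bot: The `INSERT INTO roles VALUES (" + newUID + ", 'hr')` statement and its try/catch are deleted outright rather than converted, so a newly created employee no longer gets a `roles` row; for a lesson whose authorization is role-based that is a behaviour change the commit message ("always use a PreparedStatement") does not announce. If it is intended, say so in the commit; otherwise re-add it after the employee INSERT as `PreparedStatement rps = WebSession.getConnection(s).prepareStatement("INSERT INTO roles VALUES (?, 'hr')");`, `rps.setInt(1, nextId);`, `rps.execute();` (and close it in a `finally`). The surviving inner `catch (SQLException sqle)` now reports "Error updating employee profile" for the employee INSERT only, so a missing role would otherwise go unnoticed. The enclosing method closes at the end of this hunk but starts before it.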
@@ -151,29 +151,6 @@ public class UpdateProfile extends DefaultLessonAction String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + " personal_description = ? WHERE userid = ?;"; - /** - String query = "UPDATE employee SET first_name = '" - + employee.getFirstName() + "', last_name = '" - + employee.getLastName() + "', ssn = '" + employee.getSsn() - + "', title = '" + employee.getTitle() + "', phone = '" - + employee.getPhoneNumber() + "', address1 = '" - + employee.getAddress1() + "', address2 = '" - + employee.getAddress2() + "', manager = " - + employee.getManager() - + ", start_date = '" - + employee.getStartDate() - + "', ccn = '" - + employee.getCcn() - + "', ccn_limit = " - + employee.getCcnLimit() - + - // "', disciplined_date = '" + employee.getDisciplinaryActionDate() + - // "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() + - ", personal_description = '" - + employee.getPersonalDescription() + "' WHERE userid = " - + subjectId; - **/ - //System.out.println("Query: " + query); try { PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -191,12 +168,6 @@ public class UpdateProfile extends DefaultLessonAction ps.setInt(11, employee.getCcnLimit()); ps.setString(12, employee.getPersonalDescription()); ps.setInt(13, subjectId); - /** - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - **/ - //ps.executeUpdate(query); ps.execute(); } catch (SQLException sqle) 
@@ -223,29 +194,6 @@ public class UpdateProfile extends DefaultLessonAction String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + " personal_description = ? WHERE userid = ?;"; - /** - String query = "UPDATE employee SET first_name = '" - + employee.getFirstName() + "', last_name = '" - + employee.getLastName() + "', ssn = '" + employee.getSsn() - + "', title = '" + employee.getTitle() + "', phone = '" - + employee.getPhoneNumber() + "', address1 = '" - + employee.getAddress1() + "', address2 = '" - + employee.getAddress2() + "', manager = " - + employee.getManager() - + ", start_date = '" - + employee.getStartDate() - + "', ccn = '" - + employee.getCcn() - + "', ccn_limit = " - + employee.getCcnLimit() - + - // "', disciplined_date = '" + employee.getDisciplinaryActionDate() + - // "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() + - ", personal_description = '" - + employee.getPersonalDescription() + "' WHERE userid = " - + subjectId; - **/ - //System.out.println("Query: " + query); try { PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -263,11 +211,6 @@ public class UpdateProfile extends DefaultLessonAction ps.setInt(11, employee.getCcnLimit()); ps.setString(12, employee.getPersonalDescription()); ps.setInt(13, subjectId); - /** - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - **/ ps.executeUpdate(query); } catch (SQLException sqle) @@ -284,7 +227,7 @@ public class UpdateProfile extends DefaultLessonAction } } - private int getNextUID(WebSession s) + protected int getNextUID(WebSession s) { int uid = -1; try 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java index 1a7a03824..289097e3d 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java @@ -1,5 +1,6 @@ package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl; +import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; 
@@ -42,26 +43,27 @@ public class UpdateProfile_i extends UpdateProfile try { // Note: The password field is ONLY set by ChangePassword - String query = "UPDATE employee SET first_name = '" + employee.getFirstName() + - "', last_name = '" + employee.getLastName() + - "', ssn = '" + employee.getSsn() + - "', title = '" + employee.getTitle() + - "', phone = '" + employee.getPhoneNumber() + - "', address1 = '" + employee.getAddress1() + - "', address2 = '" + employee.getAddress2() + - "', manager = " + employee.getManager() + - ", start_date = '" + employee.getStartDate() + - "', ccn = '" + employee.getCcn() + - "', ccn_limit = " + employee.getCcnLimit() + - // "', disciplined_date = '" + employee.getDisciplinaryActionDate() + - // "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() + - ", personal_description = '" + employee.getPersonalDescription() + - "' WHERE userid = " + subjectId; - //System.out.println("Query: " + query); + String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + + " personal_description = ? 
WHERE userid = ?;"; try { - Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); - answer_statement.execute( query ); + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + + ps.setString(1, employee.getFirstName()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getPersonalDescription()); + ps.setInt(13, subjectId); + ps.execute(); } catch ( SQLException sqle ) { 
@@ -91,31 +93,31 @@ public class UpdateProfile_i extends UpdateProfile try { // FIXME: Cannot choose the id because we cannot guarantee uniqueness - String query = "INSERT INTO employee VALUES ( max(userid)+1, '" - + employee.getFirstName() + "','" - + employee.getLastName() + "','" - + employee.getSsn() + "','" - + employee.getFirstName().toLowerCase() + "','" - + employee.getTitle() + "','" - + employee.getPhoneNumber() + "','" - + employee.getAddress1() + "','" - + employee.getAddress2() + "'," - + employee.getManager() + ",'" - + employee.getStartDate() + "'," - + employee.getSalary() + ",'" - + employee.getCcn() + "'," - + employee.getCcnLimit() + ",'" - + employee.getDisciplinaryActionDate() + "','" - + employee.getDisciplinaryActionNotes() + "','" - + employee.getPersonalDescription() - + "')"; + int nextId = getNextUID(s); + String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; //System.out.println("Query: " + query); try { - Statement statement = WebSession.getConnection(s).createStatement(); - statement.executeUpdate(query); + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); + + ps.setString(1, employee.getFirstName().toLowerCase()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getDisciplinaryActionDate()); + ps.setString(13, employee.getDisciplinaryActionNotes()); + ps.setString(14, employee.getPersonalDescription()); + + ps.execute(); } catch ( SQLException sqle ) {