Fix database connetion handling.

Oracle requires us to close our connections after each
request (or else implement a connection pool), otherwise
we will end up running out of available connections.

While the mechanism for doing this was added in a previous
change, actually using it correctly was omitted somehow.
Fix that now.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@233 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java

@@ -57,8 +57,6 @@ import org.owasp.webgoat.session.WebSession;
 public class BackDoors extends SequentialLessonAdapter
 {
 
-	private static Connection connection = null;
-
 	private final static Integer DEFAULT_RANKING = new Integer(80);
 
 	private final static String USERNAME = "username";
@@ -96,7 +94,7 @@ public class BackDoors extends SequentialLessonAdapter
 			{
 				userInput = SELECT_ST + userInput;
 				String[] arrSQL = userInput.split(";");
-				Connection conn = getConnection(s);
+				Connection conn = DatabaseUtilities.getConnection(s);
 				Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
 						ResultSet.CONCUR_READ_ONLY);
 				if (arrSQL.length == 2)
@@ -239,17 +237,6 @@ public class BackDoors extends SequentialLessonAdapter
 		return ec;
 	}
 
-	public static synchronized Connection getConnection(WebSession s) throws SQLException,
-			ClassNotFoundException
-	{
-		if (connection == null)
-		{
-			connection = DatabaseUtilities.getConnection(s);
-		}
-
-		return connection;
-	}
-
 	public Element getCredits()
 	{
 		return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java

@@ -57,8 +57,6 @@ public class BlindSqlInjection extends LessonAdapter
 
     private final static int TARGET_ACCT_NUM = 15613;
 
-    private static Connection connection = null;
-
     /**
      * Description of the Method
      * 
@@ -72,10 +70,7 @@ public class BlindSqlInjection extends LessonAdapter
 
 	try
 	{
-	    if (connection == null)
+	    Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    ec.addElement(new P().addElement("Enter your Account Number: "));
 
@@ -312,11 +307,6 @@ public class BlindSqlInjection extends LessonAdapter
 	try
 	{
 	    super.handleRequest(s);
-
-	    if (connection == null)
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 	}
 	catch (Exception e)
 	{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java

@@ -65,7 +65,6 @@ public class CSRF extends LessonAdapter {
 	private final static String STANDARD_QUERY = "SELECT * FROM messages";
 	private final static String TITLE = "title";
 	private final static int TITLE_COL = 2;
-	private static Connection connection = null;
 	private static int count = 1;
 	private final static int USER_COL = 4;	// Added by Chuck Willis - used to show user who posted message
     private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
@@ -83,10 +82,7 @@ public class CSRF extends LessonAdapter {
 			String title = HtmlEncoder.encode( s.getParser().getRawParameter( TITLE, "" ) );
 			String message = s.getParser().getRawParameter( MESSAGE, "" );
 
-			if ( connection == null )
+			Connection connection = DatabaseUtilities.getConnection( s );
-			{
-				connection = DatabaseUtilities.getConnection( s );
-			}
 
 			String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
 
@@ -171,10 +167,7 @@ public class CSRF extends LessonAdapter {
 
 		try
 		{
-			if ( connection == null )
+			Connection connection = DatabaseUtilities.getConnection( s );
-			{
-				connection = DatabaseUtilities.getConnection( s );
-			}
 
 			Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
 			
@@ -226,11 +219,7 @@ public class CSRF extends LessonAdapter {
 		{
 			int messageNum = s.getParser().getIntParameter( NUMBER, 0 );
 
-			if ( connection == null )
+			Connection connection = DatabaseUtilities.getConnection( s );
-			{
-				connection = DatabaseUtilities.getConnection( s );
-			}
-
 			
 			String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
 			PreparedStatement statement = connection.prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java

@@ -118,8 +118,6 @@ public class Challenge2Screen extends SequentialLessonAdapter
 	 */
 	protected final static String USERNAME = "Username";
 
-	private static Connection connection = null;
-
 	private String pass = "goodbye";
 
 	private String user = "youaretheweakestlink";
@@ -207,10 +205,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
 			return doStage3(s);
 		}
 
-		if (connection == null)
+                Connection connection = DatabaseUtilities.getConnection(s);
-		{
-			connection = DatabaseUtilities.getConnection(s);
-		}
 
 		Statement statement3 = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
 				ResultSet.CONCUR_READ_ONLY);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOS_Login.java

@@ -69,9 +69,6 @@ public class DOS_Login extends LessonAdapter
      */
     protected final static String USERNAME = "Username";
 
-    private static Connection connection = null;
-
-
     /**
      *  Description of the Method
      *
@@ -97,10 +94,7 @@ public class DOS_Login extends LessonAdapter
 		    }
 	
 		    // Check if the login is valid
-		    if (connection == null)
+	    	Connection connection = DatabaseUtilities.getConnection(s);
-		    {
-		    	connection = DatabaseUtilities.getConnection(s);
-		    }
 	
 		    String query = "SELECT * FROM user_system_data WHERE user_name = '"
 			    + username + "' and password = '" + password + "'";

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java

@@ -65,15 +65,6 @@ import org.owasp.webgoat.session.WebgoatContext;
 public class SoapRequest extends SequentialLessonAdapter
 {
 
-    /* TEST CODE
-     private final static String ACCT_NUM = "account_number";
-     private static Connection connection = null;
-     private String accountNumber;
-     */
-
-    //static boolean completed;
-    public static Connection connection = null;
-
     public final static String firstName = "getFirstName";
 
     public final static String lastName = "getLastName";
@@ -429,10 +420,6 @@ public class SoapRequest extends SequentialLessonAdapter
 	try
 	{
 	    Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext());
-	    if (connection == null)
-	    {
-		return null;
-	    }
 	    PreparedStatement ps = connection
 		    .prepareStatement("SELECT * FROM user_data WHERE userid = ?");
 	    ps.setInt(1, id);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java

@@ -59,8 +59,6 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 {
     private final static String STATION_ID = "station";
 
-    private static Connection connection = null;
-
     private String station;
 
 
@@ -116,10 +114,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 	    if (station == null)
 		return ec;
 
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    try
 	    {
@@ -182,10 +177,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 
 	try
 	{
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    ec.addElement(makeStationList(s));
 
@@ -282,10 +274,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 	    ClassNotFoundException
     {
 
-	if (connection == null)
+    Connection connection = DatabaseUtilities.getConnection(s);
-	{
-	    connection = DatabaseUtilities.getConnection(s);
-	}
 
 	Map<String, String> stations = new TreeMap<String, String>();
 	String query = "SELECT DISTINCT station, name FROM WEATHER_DATA";
@@ -388,11 +377,6 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 	try
 	{
 	    super.handleRequest(s);
-
-	    if (connection == null)
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 	}
 	catch (Exception e)
 	{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java

@@ -55,8 +55,6 @@ public class SqlStringInjection extends SequentialLessonAdapter
 {
     private final static String ACCT_NAME = "account_name";
 
-    private static Connection connection = null;
-
     private static String STAGE = "stage";
 
     private String accountName;
@@ -92,10 +90,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
 
 	try
 	{
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    ec.addElement(makeAccountLine(s));
 
@@ -143,6 +138,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
 	    catch (SQLException sqle)
 	    {
 		ec.addElement(new P().addElement(sqle.getMessage()));
+		sqle.printStackTrace();
 	    }
 	}
 	catch (Exception e)
@@ -174,10 +170,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
 
 	try
 	{
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    ec.addElement(makeAccountLine(s));
 
@@ -304,11 +297,6 @@ public class SqlStringInjection extends SequentialLessonAdapter
 	try
 	{
 	    super.handleRequest(s);
-
-	    if (connection == null)
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 	}
 	catch (Exception e)
 	{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java

@@ -73,8 +73,6 @@ public class StoredXss extends LessonAdapter
 
     private final static int TITLE_COL = 2;
 
-    private static Connection connection = null;
-
     private static int count = 1;
 
     private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted message
@@ -93,10 +91,7 @@ public class StoredXss extends LessonAdapter
 		    TITLE, ""));
 	    String message = s.getParser().getRawParameter(MESSAGE, "");
 
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
 
@@ -208,10 +203,7 @@ public class StoredXss extends LessonAdapter
 	{
 	    int messageNum = s.getParser().getIntParameter(NUMBER, 0);
 
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    // edit by Chuck Willis - Added logic to associate similar usernames
 	    // The idea is that users chuck-1, chuck-2, etc will see each other's messages
@@ -330,10 +322,7 @@ public class StoredXss extends LessonAdapter
 
 	try
 	{
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    Statement statement = connection.createStatement(
 		    ResultSet.TYPE_SCROLL_INSENSITIVE,

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java

@@ -54,8 +54,6 @@ public class ThreadSafetyProblem extends LessonAdapter
 	
     private final static String USER_NAME = "username";
 
-    private Connection connection = null;
-
     private static String currentUser;
 
     private String originalUser;
@@ -73,10 +71,7 @@ public class ThreadSafetyProblem extends LessonAdapter
 
 	try
 	{
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    ec.addElement(new StringElement("Enter user name: "));
 	    ec.addElement(new Input(Input.TEXT, USER_NAME, ""));
@@ -205,11 +200,6 @@ public class ThreadSafetyProblem extends LessonAdapter
 	try
 	{
 	    super.handleRequest(s);
-
-	    if (connection == null)
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 	}
 	catch (Exception e)
 	{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WSDLScanning.java

@@ -80,8 +80,6 @@ public class WSDLScanning extends LessonAdapter
 
     static boolean beenRestartedYet = false;
 
-    public static Connection connection = null;
-
     public final static String firstName = "getFirstName";
 
     public final static String lastName = "getLastName";
@@ -219,10 +217,6 @@ public class WSDLScanning extends LessonAdapter
 	{
 	    String[] fields = s.getParser().getParameterValues("field");
 	    int id = s.getParser().getIntParameter("id");
-	    if (connection == null)
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    Table t = new Table().setCellSpacing(0).setCellPadding(2)
 		    .setBorder(1);
@@ -292,10 +286,6 @@ public class WSDLScanning extends LessonAdapter
 	try
 	{
 	    Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext());
-	    if (connection == null)
-	    {
-		return null;
-	    }
 	    PreparedStatement ps = connection
 		    .prepareStatement("SELECT * FROM user_data WHERE userid = ?");
 	    ps.setInt(1, id);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WsSqlInjection.java

@@ -74,8 +74,6 @@ public class WsSqlInjection extends LessonAdapter
     final static IMG CREDITS_LOGO = new IMG("images/logos/parasoft.jpg")
 	    .setAlt("Parasoft").setBorder(0).setHspace(0).setVspace(0);
 
-    private static Connection connection = null;
-
     /* (non-Javadoc)
      * @see lessons.AbstractLesson#getMenuItem()
      */
@@ -184,10 +182,6 @@ public class WsSqlInjection extends LessonAdapter
 	ElementContainer ec = new ElementContainer();
 	try
 	{
-	    if (connection == null)
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 	    ec.addElement(makeAccountLine(s));
 
 	    String query = "SELECT * FROM user_data WHERE userid = "
@@ -247,10 +241,6 @@ public class WsSqlInjection extends LessonAdapter
 	try
 	{
 	    Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext());
-	    if (connection == null)
-	    {
-		return null;
-	    }
 	    String query = "SELECT * FROM user_data WHERE userid = " + id;
 	    try
 	    {

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java

@@ -49,9 +49,6 @@ public class ProductsAdminScreen extends LessonAdapter
 
     private final static String QUERY = "SELECT * FROM product_system_data";
 
-    private static Connection connection = null;
-
-
     /**
      *  Description of the Method
      *
@@ -64,10 +61,7 @@ public class ProductsAdminScreen extends LessonAdapter
 
 	try
 	{
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    Statement statement = connection.createStatement(
 		    ResultSet.TYPE_SCROLL_INSENSITIVE,

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java

@@ -49,9 +49,6 @@ public class RefreshDBScreen extends LessonAdapter
 
     private final static String REFRESH = "Refresh";
 
-    private static Connection connection = null;
-
-
     /**
      *  Description of the Method
      *
@@ -153,10 +150,7 @@ public class RefreshDBScreen extends LessonAdapter
     {
 	try
 	{
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    CreateDB db = new CreateDB();
 	    db.makeDB(connection);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/UserAdminScreen.java

@@ -49,9 +49,6 @@ public class UserAdminScreen extends LessonAdapter
 
     private final static String QUERY = "SELECT * FROM user_system_data";
 
-    private static Connection connection = null;
-
-
     /**
      *  Description of the Method
      *
@@ -64,10 +61,7 @@ public class UserAdminScreen extends LessonAdapter
 
 	try
 	{
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    Statement statement = connection.createStatement(
 		    ResultSet.TYPE_SCROLL_INSENSITIVE,

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ViewDatabase.java

@@ -50,9 +50,6 @@ public class ViewDatabase extends LessonAdapter
 
     private final static String SQL = "sql";
 
-    private static Connection connection = null;
-
-
     /**
      *  Description of the Method
      *
@@ -75,10 +72,7 @@ public class ViewDatabase extends LessonAdapter
 	    Element b = ECSFactory.makeButton("Go!");
 	    ec.addElement(b);
 
-	    if (connection == null)
+		Connection connection = DatabaseUtilities.getConnection(s);
-	    {
-		connection = DatabaseUtilities.getConnection(s);
-	    }
 
 	    if (sqlStatement.length() > 0)
 	    {

webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java

@@ -1,8 +1,6 @@
 package org.owasp.webgoat.session;
 
 import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 
@@ -42,92 +40,6 @@ import org.owasp.webgoat.lessons.AbstractLesson;
 public class CreateDB
 {
 
-    /**
-     * The main program for the AccessSqlInjection class
-     *
-     * @param args The command line arguments
-     */
-    public static void main(String[] args)
-    {
-
-	CreateDB db = new CreateDB();
-	Connection connection = null;
-
-	try
-	{
-	    Class.forName("sun.jdbc.odbc.JdbcOdbcDriver").newInstance();
-	}
-	catch (Exception e)
-	{
-	    System.out.println("Failed to load DB driver");
-	    e.printStackTrace();
-	}
-
-	try
-	{
-
-	    connection = DriverManager
-		    .getConnection(
-			    "jdbc:odbc:;DRIVER=Microsoft Access Driver (*.mdb);DBQ=c:/webgoat.mdb;PWD=webgoat",
-			    "webgoat", "webgoat");
-	    db.makeDB(connection);
-	}
-	catch (Exception e)
-	{
-	    System.out.println("Driver Manager failed!");
-	    e.printStackTrace();
-	}
-
-	/**
-	 * getAllEmployees
-	 */
-	String query = "SELECT userid,first_name,last_name FROM employee WHERE userid in (SELECT employee_id FROM ownership WHERE employer_id = 101)";
-
-	try
-	{
-	    Statement answer_statement = connection.createStatement(
-		    ResultSet.TYPE_SCROLL_INSENSITIVE,
-		    ResultSet.CONCUR_READ_ONLY);
-	    ResultSet answer_results = answer_statement.executeQuery(query);
-	    answer_results.first();
-	    int employeeId = answer_results.getInt("userid");
-	    String firstName = answer_results.getString("first_name");
-	    String lastName = answer_results.getString("last_name");
-	    System.out.println("Query 1 Results: " + firstName + " " + lastName
-		    + " " + employeeId);
-	}
-	catch (SQLException sqle)
-	{
-	    sqle.printStackTrace();
-	}
-
-	/**
-	 * isAllowed
-	 */
-
-	query = "SELECT * FROM auth WHERE role in (SELECT role FROM roles WHERE userid = 101) and functionid = 113";
-
-	try
-	{
-	    Statement answer_statement = connection.createStatement(
-		    ResultSet.TYPE_SCROLL_INSENSITIVE,
-		    ResultSet.CONCUR_READ_ONLY);
-	    ResultSet answer_results = answer_statement.executeQuery(query);
-	    boolean allowed = answer_results.first();
-	    //boolean allowed = answer_results.next();
-
-	    if (allowed)
-		System.out.println("User is allowed");
-	    else
-		System.out.println("User is NOT allowed");
-	}
-	catch (SQLException sqle)
-	{
-	    sqle.printStackTrace();
-	}
-    }
-
-
     /**
      * Description of the Method
      *