Add a DB Cross Site Scripting lesson
git-svn-id: http://webgoat.googlecode.com/svn/trunk@173 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes
@ -0,0 +1,253 @@
|
||||
package org.owasp.webgoat.lessons.DBCrossSiteScripting;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/**
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*
|
||||
*/
|
||||
public class DBCrossSiteScripting extends GoatHillsFinancial
|
||||
{
|
||||
private final static Integer DEFAULT_RANKING = new Integer(100);
|
||||
|
||||
public final static String STAGE1 = "Stage 1";
|
||||
|
||||
public final static String STAGE2 = "Stage 2";
|
||||
|
||||
protected void registerActions(String className)
|
||||
{
|
||||
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
|
||||
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
|
||||
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
|
||||
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
|
||||
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
|
||||
|
||||
// These actions are special in that they chain to other actions.
|
||||
registerAction(new Login(this, className, LOGIN_ACTION,
|
||||
getAction(LISTSTAFF_ACTION)));
|
||||
registerAction(new Logout(this, className, LOGOUT_ACTION,
|
||||
getAction(LOGIN_ACTION)));
|
||||
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
|
||||
getAction(VIEWPROFILE_ACTION)));
|
||||
registerAction(new UpdateProfile(this, className,
|
||||
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
|
||||
registerAction(new DeleteProfile(this, className,
|
||||
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the category attribute of the CrossSiteScripting object
|
||||
*
|
||||
* @return The category value
|
||||
*/
|
||||
public Category getDefaultCategory()
|
||||
{
|
||||
return Category.A4;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the hints attribute of the DirectoryScreen object
|
||||
*
|
||||
* @return The hints value
|
||||
*/
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
|
||||
// Stage 1
|
||||
hints.add("You can put HTML tags in form input fields.");
|
||||
hints
|
||||
.add("Bury a SCRIPT tag in the field to attack anyone who reads it.");
|
||||
hints
|
||||
.add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields.");
|
||||
hints
|
||||
.add("Enter this: <script>alert(\"document.cookie\");</script> in message fields.");
|
||||
|
||||
// Stage 2
|
||||
hints
|
||||
.add("Many scripts rely on the use of special characters such as: <");
|
||||
hints
|
||||
.add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
|
||||
hints
|
||||
.add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern).");
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Gets the instructions attribute of the ParameterInjection object
|
||||
*
|
||||
* @return The instructions value
|
||||
*/
|
||||
public String getInstructions(WebSession s)
|
||||
{
|
||||
String instructions = "";
|
||||
|
||||
if (!getLessonTracker(s).getCompleted())
|
||||
{
|
||||
String stage = getStage(s);
|
||||
if (STAGE1.equals(stage))
|
||||
{
|
||||
instructions = "Execute a Stored Cross Site Scripting (XSS) attack.<br>"
|
||||
+ "For this exercise, your mission is to cause the application to serve a script of your making "
|
||||
+ " to some other user.";
|
||||
}
|
||||
else if (STAGE2.equals(stage))
|
||||
{
|
||||
instructions = "Block Stored XSS using Input Validation.<br>"
|
||||
+ "You will modify the stored procedure in the database to perform input validation on the vulnerable input field "
|
||||
+ "you just exploited.";
|
||||
}
|
||||
}
|
||||
|
||||
return instructions;
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public String[] getStages() {
|
||||
return new String[] {STAGE1, STAGE2};
|
||||
}
|
||||
|
||||
public void handleRequest(WebSession s)
|
||||
{
|
||||
if (s.getLessonSession(this) == null)
|
||||
s.openLessonSession(this);
|
||||
|
||||
String requestedActionName = null;
|
||||
try
|
||||
{
|
||||
requestedActionName = s.getParser().getStringParameter("action");
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
// Let them eat login page.
|
||||
requestedActionName = LOGIN_ACTION;
|
||||
}
|
||||
|
||||
if (requestedActionName != null)
|
||||
{
|
||||
try
|
||||
{
|
||||
LessonAction action = getAction(requestedActionName);
|
||||
|
||||
if (action != null)
|
||||
{
|
||||
if (!action.requiresAuthentication()
|
||||
|| action.isAuthenticated(s))
|
||||
{
|
||||
action.handleRequest(s);
|
||||
//setCurrentAction(s, action.getNextPage(s));
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
System.out.println("Missing parameter");
|
||||
pnfe.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (ValidationException ve)
|
||||
{
|
||||
System.out.println("Validation failed");
|
||||
ve.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (UnauthenticatedException ue)
|
||||
{
|
||||
s.setMessage("Login failed");
|
||||
System.out.println("Authentication failure");
|
||||
ue.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
s.setMessage("You are not authorized to perform this function");
|
||||
System.out.println("Authorization failure");
|
||||
ue2.printStackTrace();
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
// All other errors send the user to the generic error page
|
||||
System.out.println("handleRequest() error");
|
||||
e.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
}
|
||||
|
||||
// All this does for this lesson is ensure that a non-null content exists.
|
||||
setContent(new ElementContainer());
|
||||
}
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Gets the title attribute of the CrossSiteScripting object
|
||||
*
|
||||
* @return The title value
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return "LAB: DB Cross Site Scripting (XSS)";
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean getDefaultHidden() {
|
||||
return ! getWebgoatContext().getDatabaseDriver().contains("oracle");
|
||||
}
|
||||
|
||||
}
|
||||
@ -0,0 +1,242 @@
|
||||
package org.owasp.webgoat.lessons.DBCrossSiteScripting;
|
||||
|
||||
import java.sql.CallableStatement;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*/
|
||||
public class UpdateProfile extends DefaultLessonAction
|
||||
{
|
||||
|
||||
private LessonAction chainedAction;
|
||||
|
||||
|
||||
public UpdateProfile(GoatHillsFinancial lesson, String lessonName,
|
||||
String actionName, LessonAction chainedAction)
|
||||
{
|
||||
super(lesson, lessonName, actionName);
|
||||
this.chainedAction = chainedAction;
|
||||
}
|
||||
|
||||
|
||||
public void handleRequest(WebSession s) throws ParameterNotFoundException,
|
||||
UnauthenticatedException, UnauthorizedException,
|
||||
ValidationException
|
||||
{
|
||||
if (isAuthenticated(s))
|
||||
{
|
||||
int userId = getIntSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID);
|
||||
|
||||
HttpServletRequest request = s.getRequest();
|
||||
int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID));
|
||||
String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME);
|
||||
String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME);
|
||||
String ssn = request.getParameter(DBCrossSiteScripting.SSN);
|
||||
String title = request.getParameter(DBCrossSiteScripting.TITLE);
|
||||
String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER);
|
||||
String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1);
|
||||
String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2);
|
||||
int manager = Integer.parseInt(request
|
||||
.getParameter(DBCrossSiteScripting.MANAGER));
|
||||
String startDate = request.getParameter(DBCrossSiteScripting.START_DATE);
|
||||
int salary = Integer.parseInt(request
|
||||
.getParameter(DBCrossSiteScripting.SALARY));
|
||||
String ccn = request.getParameter(DBCrossSiteScripting.CCN);
|
||||
int ccnLimit = Integer.parseInt(request
|
||||
.getParameter(DBCrossSiteScripting.CCN_LIMIT));
|
||||
String disciplinaryActionDate = request
|
||||
.getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE);
|
||||
String disciplinaryActionNotes = request
|
||||
.getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES);
|
||||
String personalDescription = request
|
||||
.getParameter(DBCrossSiteScripting.DESCRIPTION);
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn,
|
||||
title, phone, address1, address2, manager, startDate, salary,
|
||||
ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
personalDescription);
|
||||
|
||||
try
|
||||
{
|
||||
if (subjectId > 0)
|
||||
{
|
||||
this.changeEmployeeProfile(s, userId, subjectId, employee);
|
||||
setRequestAttribute(s, getLessonName() + "."
|
||||
+ DBCrossSiteScripting.EMPLOYEE_ID, Integer
|
||||
.toString(subjectId));
|
||||
if (DBCrossSiteScripting.STAGE1.equals(getStage(s)))
|
||||
{
|
||||
address1 = address1.toLowerCase();
|
||||
boolean pass = address1.contains("<script>");
|
||||
pass &= address1.contains("alert");
|
||||
pass &= address1.contains("</script>");
|
||||
if (pass)
|
||||
{
|
||||
setStageComplete(s, DBCrossSiteScripting.STAGE1);
|
||||
s.setMessage("Congratulations, you have completed " + DBCrossSiteScripting.STAGE1);
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
this.createEmployeeProfile(s, userId, employee);
|
||||
}
|
||||
catch (SQLException e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) && e.getMessage().contains("ORA-06512") &&
|
||||
!employee.getAddress1().matches("^[a-zA-Z0-9,\\. ]{0,80}$"))
|
||||
{
|
||||
s
|
||||
.setMessage("You have successfully completed this lesson");
|
||||
setStageComplete(s, DBCrossSiteScripting.STAGE2);
|
||||
}
|
||||
|
||||
}
|
||||
catch (ClassNotFoundException e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
chainedAction.handleRequest(s);
|
||||
}
|
||||
catch (UnauthenticatedException ue1)
|
||||
{
|
||||
System.out.println("Internal server error");
|
||||
ue1.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
System.out.println("Internal server error");
|
||||
ue2.printStackTrace();
|
||||
}
|
||||
}
|
||||
else
|
||||
throw new UnauthenticatedException();
|
||||
}
|
||||
|
||||
public String getNextPage(WebSession s)
|
||||
{
|
||||
return DBCrossSiteScripting.VIEWPROFILE_ACTION;
|
||||
}
|
||||
|
||||
|
||||
public void changeEmployeeProfile(WebSession s, int userId, int subjectId,
|
||||
Employee employee) throws SQLException, ClassNotFoundException
|
||||
{
|
||||
try
|
||||
{
|
||||
String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }";
|
||||
CallableStatement call = WebSession.getConnection(s).prepareCall(update);
|
||||
// Note: The password field is ONLY set by ChangePassword
|
||||
call.setInt(1, userId);
|
||||
call.setString(2, employee.getFirstName());
|
||||
call.setString(3, employee.getLastName());
|
||||
call.setString(4, employee.getSsn());
|
||||
call.setString(5, employee.getTitle());
|
||||
call.setString(6, employee.getPhoneNumber());
|
||||
call.setString(7, employee.getAddress1());
|
||||
call.setString(8, employee.getAddress2());
|
||||
call.setInt(9, employee.getManager());
|
||||
call.setString(10, employee.getStartDate());
|
||||
call.setInt(11, employee.getSalary());
|
||||
call.setString(12, employee.getCcn());
|
||||
call.setInt(13, employee.getCcnLimit());
|
||||
call.setString(14, employee.getDisciplinaryActionDate());
|
||||
call.setString(15, employee.getDisciplinaryActionNotes());
|
||||
call.setString(16, employee.getPersonalDescription());
|
||||
call.executeUpdate();
|
||||
}
|
||||
catch (ClassNotFoundException e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void createEmployeeProfile(WebSession s, int userId,
|
||||
Employee employee) throws UnauthorizedException
|
||||
{
|
||||
try
|
||||
{
|
||||
// FIXME: Cannot choose the id because we cannot guarantee uniqueness
|
||||
String query = "INSERT INTO employee VALUES ( max(userid)+1, '"
|
||||
+ employee.getFirstName() + "','" + employee.getLastName()
|
||||
+ "','" + employee.getSsn() + "','"
|
||||
+ employee.getFirstName().toLowerCase() + "','"
|
||||
+ employee.getTitle() + "','" + employee.getPhoneNumber()
|
||||
+ "','" + employee.getAddress1() + "','"
|
||||
+ employee.getAddress2() + "'," + employee.getManager()
|
||||
+ ",'" + employee.getStartDate() + "',"
|
||||
+ employee.getSalary() + ",'" + employee.getCcn() + "',"
|
||||
+ employee.getCcnLimit() + ",'"
|
||||
+ employee.getDisciplinaryActionDate() + "','"
|
||||
+ employee.getDisciplinaryActionNotes() + "','"
|
||||
+ employee.getPersonalDescription() + "')";
|
||||
|
||||
//System.out.println("Query: " + query);
|
||||
|
||||
try
|
||||
{
|
||||
Statement statement = WebSession.getConnection(s)
|
||||
.createStatement();
|
||||
statement.executeUpdate(query);
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
@ -0,0 +1,85 @@
|
||||
package org.owasp.webgoat.lessons.instructor.DBCrossSiteScripting;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
|
||||
/* STAGE 2 FIXES
|
||||
Solution Summary (1. or 2.)
|
||||
1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add
|
||||
a validation step. Oracle 10G now supports regular expressions.
|
||||
2. Apply a column constraint can also work IFF the existing data is clean
|
||||
|
||||
Solution Steps:
|
||||
1. Talk about the different database approaches.
|
||||
a. Apply validation in the UPDATE stored proc
|
||||
- Possible to bypass by not using that stored proc
|
||||
|
||||
b. Apply a table column constraint
|
||||
- Cannot be bypassed. The DB enforces the constraint under all conditions
|
||||
|
||||
2. Fix the stored proc
|
||||
|
||||
Define the pattern.
|
||||
Validate the field against the pattern.
|
||||
Raise an exception if invalid.
|
||||
|
||||
CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE(
|
||||
v_userid IN employee.userid%type,
|
||||
v_first_name IN employee.first_name%type,
|
||||
v_last_name IN employee.last_name%type,
|
||||
v_ssn IN employee.ssn%type,
|
||||
v_title IN employee.title%type,
|
||||
v_phone IN employee.phone%type,
|
||||
v_address1 IN employee.address1%type,
|
||||
v_address2 IN employee.address2%type,
|
||||
v_manager IN employee.manager%type,
|
||||
v_start_date IN employee.start_date%type,
|
||||
v_salary IN employee.salary%type,
|
||||
v_ccn IN employee.ccn%type,
|
||||
v_ccn_limit IN employee.ccn_limit%type,
|
||||
v_disciplined_date IN employee.disciplined_date%type,
|
||||
v_disciplined_notes IN employee.disciplined_notes%type,
|
||||
v_personal_description IN employee.personal_description%type
|
||||
)
|
||||
AS
|
||||
P_ADDRESS1 VARCHAR2(32000) := '^[a-zA-Z0-9,\. ]{0,80}$'; // Stage 2 - FIX
|
||||
BEGIN
|
||||
IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN // Stage 2 - FIX
|
||||
RAISE VALUE_ERROR; // Stage 2 - FIX
|
||||
END IF; // Stage 2 - FIX
|
||||
UPDATE EMPLOYEE
|
||||
SET
|
||||
first_name = v_first_name,
|
||||
last_name = v_last_name,
|
||||
ssn = v_ssn,
|
||||
title = v_title,
|
||||
phone = v_phone,
|
||||
address1 = v_address1,
|
||||
address2 = v_address2,
|
||||
manager = v_manager,
|
||||
start_date = v_Start_date,
|
||||
salary = v_salary,
|
||||
ccn = v_ccn,
|
||||
ccn_limit = v_ccn_limit,
|
||||
disciplined_date = v_disciplined_date,
|
||||
disciplined_notes = v_disciplined_notes,
|
||||
personal_description = v_personal_description
|
||||
WHERE
|
||||
userid = v_userid;
|
||||
END;
|
||||
/
|
||||
|
||||
3. Apply a table column constraint
|
||||
ALTER TABLE EMPLOYEE
|
||||
ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$'));
|
||||
*/
|
||||
|
||||
public class UpdateProfile_i extends UpdateProfile
|
||||
{
|
||||
public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
|
||||
{
|
||||
super(lesson, lessonName, actionName, chainedAction);
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user