package org.owasp.webgoat.plugin.crosssitescripting;

import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.plugin.GoatHillsFinancial.DefaultLessonAction;
import org.owasp.webgoat.plugin.GoatHillsFinancial.Employee;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.ParameterParser;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/cross-site-scripting-1.0.jar:org/owasp/webgoat/plugin/crosssitescripting/UpdateProfileCrossSiteScripting.class */
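/**
 * "Update profile" action of the cross-site scripting lesson (Goat Hills Financial).
 *
 * <p>Reads an employee profile straight from the request parameters and writes it to the
 * {@code employee} table, then hands off to a chained action. The request fields are stored
 * exactly as submitted — no input validation or output encoding is applied in this class —
 * which is what the lesson exercises. {@link #handleRequest(WebSession)} marks
 * {@code CrossSiteScripting.STAGE2} complete when profile parsing throws a
 * {@link ValidationException}, so the expected Stage 2 fix is to make
 * {@link #parseEmployeeProfile(int, WebSession)} reject unexpected input (the unused
 * {@link #validate(String, Pattern)} helper is provided for that); do not add that validation
 * here or the exercise is solved for the student.
 *
 * <p>Note for reviewers: the caller's user id is passed to the create/update methods but never
 * consulted, so no ownership or authorization check happens in this class.
 *
 * <p>Not thread-safe beyond what the underlying {@link WebSession} connection provides.
 */
public class UpdateProfileCrossSiteScripting extends DefaultLessonAction {

    /** Action invoked after the profile has been stored (best effort; its failures are logged only). */
    private LessonAction chainedAction;

    /**
     * Creates the action.
     *
     * @param goatHillsFinancial the owning lesson
     * @param str                forwarded unchanged to the {@link DefaultLessonAction} constructor
     * @param str2               forwarded unchanged to the {@link DefaultLessonAction} constructor
     * @param lessonAction       action to run once the profile has been created or updated
     */
    public UpdateProfileCrossSiteScripting(GoatHillsFinancial goatHillsFinancial, String str, String str2, LessonAction lessonAction) {
        super(goatHillsFinancial, str, str2);
        this.chainedAction = lessonAction;
    }

    /**
     * Stores the submitted profile, creating a new employee when no positive employee id was
     * supplied and updating the existing row otherwise, then runs the chained action.
     *
     * @param webSession the current session
     * @throws UnauthenticatedException  if the session is not authenticated
     * @throws ParameterNotFoundException if a required parameter is missing
     * @throws UnauthorizedException     propagated from the store methods
     * @throws ValidationException       re-thrown from {@link #parseEmployeeProfile(int, WebSession)};
     *                                   when the session is on Stage 2, that stage is marked complete first
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.DefaultLessonAction, org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction
    public void handleRequest(WebSession webSession) throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException, ValidationException {
        if (!isAuthenticated(webSession)) {
            throw new UnauthenticatedException();
        }
        int callerId = getIntSessionAttribute(webSession, getLessonName() + "." + GoatHillsFinancial.USER_ID);
        // The default of 0 means "no employee selected" and is treated as a create below.
        int employeeId = webSession.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID, 0);
        try {
            Employee profile = parseEmployeeProfile(employeeId, webSession);
            if (employeeId > 0) {
                changeEmployeeProfile(webSession, callerId, employeeId, profile);
                setRequestAttribute(webSession, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID, Integer.toString(employeeId));
            } else {
                createEmployeeProfile(webSession, callerId, profile);
            }
            try {
                this.chainedAction.handleRequest(webSession);
            } catch (UnauthenticatedException e) {
                // Best effort: a failing chained view must not hide the already-stored update.
                e.printStackTrace();
            } catch (UnauthorizedException e2) {
                e2.printStackTrace();
            }
        } catch (ValidationException e3) {
            // Rejecting bad profile input is the Stage 2 objective; reward it before re-throwing.
            if (CrossSiteScripting.STAGE2.equals(getStage(webSession))) {
                setStageComplete(webSession, CrossSiteScripting.STAGE2);
            }
            throw e3;
        }
    }

    /**
     * Builds an {@link Employee} from the raw request parameters.
     *
     * <p>Every value is passed through unvalidated (the lesson's intended input point for
     * stored content). The numeric fields use {@link Integer#parseInt(String)}, so a missing or
     * non-numeric value surfaces as an unchecked {@link NumberFormatException} rather than a
     * {@link ValidationException}.
     *
     * @param i          employee id to assign to the parsed object
     * @param webSession the current session, source of the request
     * @return the parsed employee
     * @throws ParameterNotFoundException declared for subclasses; not thrown here
     * @throws ValidationException        declared for subclasses; not thrown here
     */
    protected Employee parseEmployeeProfile(int i, WebSession webSession) throws ParameterNotFoundException, ValidationException {
        HttpServletRequest request = webSession.getRequest();
        return new Employee(i,
                request.getParameter(GoatHillsFinancial.FIRST_NAME),
                request.getParameter(GoatHillsFinancial.LAST_NAME),
                request.getParameter(GoatHillsFinancial.SSN),
                request.getParameter("title"),
                request.getParameter(GoatHillsFinancial.PHONE_NUMBER),
                request.getParameter(GoatHillsFinancial.ADDRESS1),
                request.getParameter(GoatHillsFinancial.ADDRESS2),
                Integer.parseInt(request.getParameter("manager")),
                request.getParameter(GoatHillsFinancial.START_DATE),
                Integer.parseInt(request.getParameter(GoatHillsFinancial.SALARY)),
                request.getParameter(GoatHillsFinancial.CCN),
                Integer.parseInt(request.getParameter(GoatHillsFinancial.CCN_LIMIT)),
                request.getParameter(GoatHillsFinancial.DISCIPLINARY_DATE),
                request.getParameter(GoatHillsFinancial.DISCIPLINARY_NOTES),
                request.getParameter("description"));
    }

    /**
     * Legacy duplicate of {@link #parseEmployeeProfile(int, WebSession)}; kept for compatibility
     * with any external caller. Not referenced from this class.
     *
     * @param i          employee id to assign
     * @param webSession the current session
     * @return the parsed employee
     * @throws ParameterNotFoundException declared for subclasses; not thrown here
     * @throws ValidationException        declared for subclasses; not thrown here
     */
    protected Employee parseEmployeeProfile_BACKUP(int i, WebSession webSession) throws ParameterNotFoundException, ValidationException {
        // Delegates so the two entry points cannot drift apart.
        return parseEmployeeProfile(i, webSession);
    }

    /**
     * Stub hook for parsing via a {@link ParameterParser}; always returns {@code null} and is
     * not called from this class (callers elsewhere, if any, are unknown here).
     *
     * @param i               employee id
     * @param parameterParser parser for the request
     * @return always {@code null}
     * @throws ParameterNotFoundException declared for subclasses; not thrown here
     * @throws ValidationException        declared for subclasses; not thrown here
     */
    protected Employee doParseEmployeeProfile(int i, ParameterParser parameterParser) throws ParameterNotFoundException, ValidationException {
        return null;
    }

    /**
     * @param webSession the current session (unused)
     * @return the view-profile action, which is always shown after an update
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.DefaultLessonAction, org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction
    public String getNextPage(WebSession webSession) {
        return GoatHillsFinancial.VIEWPROFILE_ACTION;
    }

    /**
     * Updates the row for employee {@code i2} with the given profile.
     *
     * <p>The caller's id {@code i} is accepted but not used: nothing here checks that the caller
     * may modify {@code i2}. Database failures are reported via
     * {@link WebSession#setMessage(String)} and logged, not thrown.
     *
     * @param webSession the current session, owner of the JDBC connection
     * @param i          id of the authenticated user (unused)
     * @param i2         id of the employee row to update
     * @param employee   new field values; bound as parameters, so no SQL injection from the fields
     * @throws UnauthorizedException declared for callers; not thrown here
     */
    public void changeEmployeeProfile(WebSession webSession, int i, int i2, Employee employee) throws UnauthorizedException {
        PreparedStatement statement = null;
        try {
            statement = WebSession.getConnection(webSession).prepareStatement(
                    "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?, manager = ?, start_date = ?, ccn = ?, ccn_limit = ?, personal_description = ? WHERE userid = ?;",
                    ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            bindProfileColumns(statement, employee);
            statement.setString(12, employee.getPersonalDescription());
            statement.setInt(13, i2);
            statement.execute();
        } catch (SQLException e) {
            webSession.setMessage("Error updating employee profile");
            e.printStackTrace();
        } catch (Exception e2) {
            // Also covers runtime failures such as a null field (the original behaviour).
            webSession.setMessage("Error updating employee profile");
            e2.printStackTrace();
        } finally {
            closeQuietly(statement);
        }
    }

    /**
     * Legacy duplicate of {@link #changeEmployeeProfile(WebSession, int, int, Employee)}; not
     * referenced from this class. The original called {@code executeUpdate(String)} on a
     * {@link PreparedStatement}, which the JDBC contract specifies must throw
     * {@link SQLException}; it now executes the prepared statement.
     *
     * @param webSession the current session
     * @param i          id of the authenticated user (unused)
     * @param i2         id of the employee row to update
     * @param employee   new field values
     * @throws UnauthorizedException declared for callers; not thrown here
     */
    public void doChangeEmployeeProfile_BACKUP(WebSession webSession, int i, int i2, Employee employee) throws UnauthorizedException {
        PreparedStatement statement = null;
        try {
            statement = WebSession.getConnection(webSession).prepareStatement(
                    "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?, manager = ?, start_date = ?, ccn = ?, ccn_limit = ?, personal_description = ? WHERE userid = ?;",
                    ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            bindProfileColumns(statement, employee);
            statement.setString(12, employee.getPersonalDescription());
            statement.setInt(13, i2);
            statement.executeUpdate();
        } catch (SQLException e) {
            webSession.setMessage("Error updating employee profile");
            e.printStackTrace();
        } catch (Exception e2) {
            webSession.setMessage("Error updating employee profile");
            e2.printStackTrace();
        } finally {
            closeQuietly(statement);
        }
    }

    /**
     * Inserts a new employee row with the given profile.
     *
     * <p>The new id comes from {@link #getNextUID(WebSession)} (max + 1, not atomic — two
     * concurrent creates may compute the same id). It is an {@code int}, so its concatenation
     * into the statement text is not injectable; all profile fields are bound as parameters.
     * The first name is lower-cased, so a missing first name raises a
     * {@link NullPointerException} that is caught and reported as an update error.
     *
     * @param webSession the current session, owner of the JDBC connection
     * @param i          id of the authenticated user (unused)
     * @param employee   field values for the new row
     * @throws UnauthorizedException declared for callers; not thrown here
     */
    public void createEmployeeProfile(WebSession webSession, int i, Employee employee) throws UnauthorizedException {
        PreparedStatement statement = null;
        try {
            statement = WebSession.getConnection(webSession).prepareStatement(
                    "INSERT INTO employee VALUES ( " + getNextUID(webSession) + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
            bindProfileColumns(statement, employee);
            // Column 1 is overwritten with the lower-cased name, matching the original insert.
            statement.setString(1, employee.getFirstName().toLowerCase());
            statement.setString(12, employee.getDisciplinaryActionDate());
            statement.setString(13, employee.getDisciplinaryActionNotes());
            statement.setString(14, employee.getPersonalDescription());
            statement.execute();
        } catch (SQLException e) {
            webSession.setMessage("Error updating employee profile");
            e.printStackTrace();
        } catch (Exception e2) {
            webSession.setMessage("Error updating employee profile");
            e2.printStackTrace();
        } finally {
            closeQuietly(statement);
        }
    }

    /**
     * Legacy duplicate of {@link #createEmployeeProfile(WebSession, int, Employee)}; kept for
     * compatibility with any external caller. Not referenced from this class.
     *
     * @param webSession the current session
     * @param i          id of the authenticated user (unused)
     * @param employee   field values for the new row
     * @throws UnauthorizedException declared for callers; not thrown here
     */
    public void createEmployeeProfile_BACKUP(WebSession webSession, int i, Employee employee) throws UnauthorizedException {
        // Delegates so the two entry points cannot drift apart.
        createEmployeeProfile(webSession, i, employee);
    }

    /**
     * Returns {@code str} when it fully matches {@code pattern}, otherwise rejects it.
     *
     * <p>Not called from this class; intended as the allow-list helper for the Stage 2 solution.
     * A {@code null} input is rejected rather than raising a {@link NullPointerException}.
     *
     * @param str     value to check, may be {@code null}
     * @param pattern allow-list pattern the whole value must match
     * @return {@code str} unchanged
     * @throws ValidationException if {@code str} is {@code null} or does not match
     */
    protected String validate(String str, Pattern pattern) throws ValidationException {
        if (str == null || !pattern.matcher(str).matches()) {
            throw new ValidationException();
        }
        return str;
    }

    /**
     * Computes the next employee id as {@code max(userid) + 1}.
     *
     * <p>On a query failure the error is reported on the session and {@code 0} is returned
     * ({@code -1 + 1}), as in the original implementation.
     *
     * @param webSession the current session, owner of the JDBC connection
     * @return the next free id, or {@code 0} if the query failed
     */
    private int getNextUID(WebSession webSession) {
        int maxUserId = -1;
        Statement statement = null;
        ResultSet result = null;
        try {
            statement = WebSession.getConnection(webSession).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            result = statement.executeQuery("select max(userid) as uid from employee");
            result.first();
            maxUserId = result.getInt("uid");
        } catch (SQLException e) {
            e.printStackTrace();
            webSession.setMessage("Error updating employee profile");
        } finally {
            closeQuietly(result);
            closeQuietly(statement);
        }
        return maxUserId + 1;
    }

    /**
     * Binds the eleven profile columns shared by the insert and update statements
     * (parameters 1–11: names, ssn, title, phone, addresses, manager, start date, ccn, ccn limit).
     * Callers bind the statement-specific trailing parameters themselves.
     *
     * @param statement prepared statement whose first eleven placeholders are the profile columns
     * @param employee  source of the values
     * @throws SQLException if a bind fails
     */
    private static void bindProfileColumns(PreparedStatement statement, Employee employee) throws SQLException {
        statement.setString(1, employee.getFirstName());
        statement.setString(2, employee.getLastName());
        statement.setString(3, employee.getSsn());
        statement.setString(4, employee.getTitle());
        statement.setString(5, employee.getPhoneNumber());
        statement.setString(6, employee.getAddress1());
        statement.setString(7, employee.getAddress2());
        statement.setInt(8, employee.getManager());
        statement.setString(9, employee.getStartDate());
        statement.setString(10, employee.getCcn());
        statement.setInt(11, employee.getCcnLimit());
    }

    /**
     * Closes a statement if non-null, ignoring close failures (the caller has already reported
     * any error on the session).
     *
     * @param statement statement to close, may be {@code null}
     */
    private static void closeQuietly(Statement statement) {
        if (statement == null) {
            return;
        }
        try {
            statement.close();
        } catch (SQLException ignored) {
            // nothing further can be done about a failed close
        }
    }

    /**
     * Closes a result set if non-null, ignoring close failures.
     *
     * @param result result set to close, may be {@code null}
     */
    private static void closeQuietly(ResultSet result) {
        if (result == null) {
            return;
        }
        try {
            result.close();
        } catch (SQLException ignored) {
            // nothing further can be done about a failed close
        }
    }
}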
