package org.owasp.webgoat.plugin;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Option;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.Select;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
import org.owasp.webgoat.plugin.sqlinjection.SQLInjection;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/sql-numeric-injection-1.0.jar:org/owasp/webgoat/plugin/SqlNumericInjection.class */
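/**
 * WebGoat lesson "Numeric SQL Injection" (two sequential stages).
 *
 * <p><b>Stage 1 ({@link #injectableQuery}) is DELIBERATELY vulnerable.</b> The raw
 * {@code station} request parameter is concatenated straight into the SQL text, and the
 * driver's error message is echoed back to the page. That is the exercise the learner is
 * meant to exploit (e.g. {@code 101 OR 1=1}); do not "fix" it. Stage 2
 * ({@link #parameterizedQuery}) is the corrected form using a {@link PreparedStatement}
 * with an integer bind parameter.
 *
 * <p>The review changes in this class are deliberately limited to things that are bugs even
 * for a teaching target: the submitted station id is no longer held in an instance field
 * (the original kept it in {@code this.station}, where it outlived the request and, on an
 * error path, was reused with an unassigned connection), every {@link Statement} /
 * {@link ResultSet} is closed, and the JDBC magic numbers are named constants. The shared
 * per-session connection from {@link DatabaseUtilities#getConnection} is never closed here.
 */
public class SqlNumericInjection extends SequentialLessonAdapter {
    /** Request-parameter name and select-element name carrying the station id. */
    private static final String STATION_ID = "station";
    private static final Integer DEFAULT_RANKING = Integer.valueOf(70);

    /** Query text displayed in stage 1 before any station has been submitted. */
    private static final String STAGE1_TEMPLATE = "SELECT * FROM weather_data WHERE station = [station]";
    /** Stage 1 query prefix; the raw parameter is appended to it (intentional injection point). */
    private static final String STAGE1_PREFIX = "SELECT * FROM weather_data WHERE station = ";
    /** Stage 2 query: same lookup, but with a bind parameter. */
    private static final String STAGE2_SQL = "SELECT * FROM weather_data WHERE station = ?";
    /** Station list query backing the drop-down. */
    private static final String STATION_LIST_SQL = "SELECT DISTINCT station, name FROM WEATHER_DATA";

    /** Renders whichever stage the learner is currently on. */
    @Override
    public Element createContent(WebSession webSession) {
        return super.createStagedContent(webSession);
    }

    @Override
    protected Element doStage1(WebSession webSession) throws Exception {
        return injectableQuery(webSession);
    }

    @Override
    protected Element doStage2(WebSession webSession) throws Exception {
        return parameterizedQuery(webSession);
    }

    /**
     * Stage 1: the injectable query.
     *
     * <p>SECURITY NOTE — INTENTIONAL: the {@code station} parameter is concatenated into the
     * SQL text unvalidated, and any {@link SQLException} message is written to the page.
     * Both are required by the lesson. The learner passes the stage when the result set
     * holds more than one row, which the intended single-station lookup should not produce.
     *
     * @param webSession current WebGoat session (parameters, messages, DB connection)
     * @return the rendered stage content; never {@code null}
     */
    protected Element injectableQuery(WebSession webSession) {
        ElementContainer content = new ElementContainer();
        String stationParam = null;
        String sql = STAGE1_TEMPLATE;
        try {
            content.addElement(makeStationList(webSession));
            stationParam = webSession.getParser().getRawParameter(STATION_ID, null);
            if (stationParam != null) {
                // Deliberately injectable: raw request data becomes part of the statement.
                sql = STAGE1_PREFIX + stationParam;
            }
            content.addElement(new PRE(sql));
        } catch (Exception e) {
            webSession.setMessage(getLabelManager().get("ErrorGenerating") + getClass().getName());
            e.printStackTrace();
        }
        // Nothing submitted (or the form failed to build): show the form only.
        if (stationParam == null) {
            return content;
        }

        Statement statement = null;
        ResultSet rows = null;
        try {
            statement = DatabaseUtilities.getConnection(webSession)
                    .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            rows = statement.executeQuery(sql);
            if (rows == null || !rows.first()) {
                content.addElement(getLabelManager().get("NoResultsMatched"));
            } else {
                // writeTable is assumed to consume the result set eagerly (the original also
                // repositioned the cursor right after it) — TODO confirm before relying on close().
                content.addElement(DatabaseUtilities.writeTable(rows, rows.getMetaData()));
                rows.last();
                // After last(), getRow() is the row count; more than one row means the
                // WHERE clause was subverted, which is the goal of this stage.
                if (rows.getRow() > 1) {
                    makeSuccess(webSession);
                    getLessonTracker(webSession).setStage(2);
                    webSession.setMessage(getLabelManager().get("NumericSqlInjectionSecondStage"));
                }
            }
        } catch (SQLException e) {
            // Intentional information disclosure: the lesson shows the driver's error text.
            content.addElement(new P().addElement(e.getMessage()));
        } finally {
            closeQuietly(rows, statement);
        }
        return content;
    }

    /**
     * Stage 2: the same lookup done safely with a {@link PreparedStatement}.
     *
     * <p>The parameter is parsed as an {@code int} before any statement is prepared, so a
     * non-numeric value is rejected (reported via the {@code ErrorParsingAsNumber} label)
     * and never reaches the database.
     *
     * @param webSession current WebGoat session
     * @return the rendered stage content; never {@code null}
     */
    protected Element parameterizedQuery(WebSession webSession) {
        ElementContainer content = new ElementContainer();
        content.addElement(getLabelManager().get("NumericSqlInjectionSecondStage2"));
        content.addElement(new BR());
        String stationParam = null;
        try {
            content.addElement(makeStationList(webSession));
            stationParam = webSession.getParser().getRawParameter(STATION_ID, null);
            content.addElement(new PRE(STAGE2_SQL));
        } catch (Exception e) {
            webSession.setMessage(getLabelManager().get("ErrorGenerating") + getClass().getName());
            e.printStackTrace();
        }
        if (stationParam == null) {
            return content;
        }

        PreparedStatement statement = null;
        ResultSet rows = null;
        try {
            // Validate first: anything that is not an integer never becomes a query.
            int stationNumber = Integer.parseInt(stationParam);
            statement = DatabaseUtilities.getConnection(webSession)
                    .prepareStatement(STAGE2_SQL, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            statement.setInt(1, stationNumber);
            rows = statement.executeQuery();
            if (rows == null || !rows.first()) {
                content.addElement(getLabelManager().get("NoResultsMatched"));
            } else {
                content.addElement(DatabaseUtilities.writeTable(rows, rows.getMetaData()));
                rows.last();
                // Same completion rule as stage 1 (kept from the original); with a bound
                // integer this presumably only fires if a station has several rows — unverified.
                if (rows.getRow() > 1) {
                    makeSuccess(webSession);
                }
            }
        } catch (NumberFormatException e) {
            content.addElement(new P().addElement(getLabelManager().get("ErrorParsingAsNumber") + e.getMessage()));
        } catch (SQLException e) {
            content.addElement(new P().addElement(e.getMessage()));
        } finally {
            closeQuietly(rows, statement);
        }
        return content;
    }

    /**
     * Builds the prompt, the station drop-down and the submit button.
     *
     * @throws SQLException           if the station list cannot be read
     * @throws ClassNotFoundException propagated from {@link #getStations}
     */
    protected Element makeStationList(WebSession webSession) throws SQLException, ClassNotFoundException {
        ElementContainer content = new ElementContainer();
        content.addElement(new P().addElement(getLabelManager().get("SelectYourStation")));
        Select select = new Select(STATION_ID);
        for (Map.Entry<String, String> station : getStations(webSession).entrySet()) {
            // Option value is the numeric id; the visible text is the station name.
            select.addElement(new Option(station.getKey()).addElement(station.getValue()));
        }
        content.addElement(select);
        content.addElement(new P());
        content.addElement(ECSFactory.makeButton(getLabelManager().get("Go!")));
        return content;
    }

    /**
     * Reads the selectable stations as an id→name map, sorted by id.
     *
     * <p>Stations {@code 10001} and {@code 11001} are filtered out of the drop-down
     * (presumably the rows the learner is meant to reach only via injection — the lesson
     * text, not this code, defines that). A query failure is logged and yields an empty
     * map rather than an error page, matching the original behaviour.
     *
     * @throws SQLException           if the connection cannot be obtained
     * @throws ClassNotFoundException declared by the original signature; kept for callers
     */
    protected Map<String, String> getStations(WebSession webSession) throws SQLException, ClassNotFoundException {
        Connection connection = DatabaseUtilities.getConnection(webSession);
        Map<String, String> stations = new TreeMap<String, String>();
        Statement statement = null;
        ResultSet rows = null;
        try {
            statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            rows = statement.executeQuery(STATION_LIST_SQL);
            if (rows != null && rows.first()) {
                rows.beforeFirst();
                while (rows.next()) {
                    String id = rows.getString(STATION_ID);
                    String name = rows.getString("name");
                    if (!isHiddenStation(id)) {
                        stations.put(id, name);
                    }
                }
            }
        } catch (SQLException e) {
            // Best effort: an empty drop-down is the documented fallback.
            e.printStackTrace();
        } finally {
            closeQuietly(rows, statement);
        }
        return stations;
    }

    /** Stations deliberately left out of the drop-down (see {@link #getStations}). */
    private static boolean isHiddenStation(String id) {
        return id.equals("10001") || id.equals("11001");
    }

    /**
     * Closes a result set and its statement, tolerating {@code null} and ignoring close
     * failures — by the time this runs the page has already been built or the real error
     * already reported, so there is nothing useful left to do with one.
     */
    private static void closeQuietly(ResultSet rows, Statement statement) {
        if (rows != null) {
            try {
                rows.close();
            } catch (SQLException ignored) {
                // nothing useful to report at this point
            }
        }
        if (statement != null) {
            try {
                statement.close();
            } catch (SQLException ignored) {
                // nothing useful to report at this point
            }
        }
    }

    @Override
    protected Category getDefaultCategory() {
        return Category.INJECTION;
    }

    /** The four progressive hints, in order, from the label bundle. */
    @Override
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add(getLabelManager().get("SqlNumericInjectionHint1"));
        hints.add(getLabelManager().get("SqlNumericInjectionHint2"));
        hints.add(getLabelManager().get("SqlNumericInjectionHint3"));
        hints.add(getLabelManager().get("SqlNumericInjectionHint4"));
        return hints;
    }

    @Override
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    @Override
    public String getTitle() {
        return SQLInjection.STAGE3;
    }

    /** Delegates to the adapter; any failure is printed rather than propagated, as in the original. */
    @Override
    public void handleRequest(WebSession webSession) {
        try {
            super.handleRequest(webSession);
        } catch (Exception e) {
            e.printStackTrace(System.out);
        }
    }
}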
