package org.owasp.webgoat.plugin;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/sql-string-injection-1.0.jar:org/owasp/webgoat/plugin/SqlStringInjection.class */
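/**
 * WebGoat "String SQL Injection" lesson (two stages).
 *
 * <p>Stage 1 ({@link #injectableQuery}) builds the SQL text by string concatenation of the
 * raw {@code account_name} request parameter. That concatenation is the <em>teaching target</em>
 * of the lesson and is intentionally vulnerable — do not "fix" it. The student passes the stage
 * by injecting a tautology (e.g. {@code ' OR '1'='1}) so that at least
 * {@value #ROWS_REQUIRED_FOR_SUCCESS} rows come back.
 *
 * <p>Stage 2 ({@link #parameterizedQuery}) runs the same query through a
 * {@link PreparedStatement} with a bound parameter, demonstrating the correct remediation.
 *
 * <p>Security-relevant notes for maintainers:
 * <ul>
 *   <li>Only the query construction in stage 1 is meant to be unsafe. Everything else here should
 *       follow normal hygiene, which is why JDBC statements are now closed in {@code finally}.</li>
 *   <li>The raw driver error message is echoed into the page on purpose (error-based hints are part
 *       of the lesson); a production application must never do this.</li>
 *   <li>{@link #accountName} is per-request state kept in an instance field. NOTE(review): if the
 *       lesson object is shared between sessions, concurrent requests race on it — confirm how the
 *       lesson registry instantiates lessons before relying on it outside this class.</li>
 * </ul>
 */
public class SqlStringInjection extends SequentialLessonAdapter {
    /** Request parameter that carries the user-supplied last name. */
    private static final String ACCT_NAME = "account_name";
    /** Value pre-filled in the input box before the user submits anything. */
    private static final String DEFAULT_ACCOUNT_NAME = "Your Name";
    /** Entering this in the stage-2 form sends the lesson back to stage 1. */
    private static final String RESTART_KEYWORD = "restart";
    /** Minimum row count that proves the WHERE clause was bypassed. */
    private static final int ROWS_REQUIRED_FOR_SUCCESS = 6;
    /** Safe form of the lesson query, used verbatim for display and for the PreparedStatement. */
    private static final String PARAMETERIZED_QUERY = "SELECT * FROM user_data WHERE last_name = ?";
    private static final String STAGE = WebSession.STAGE;
    private static final Integer DEFAULT_RANKING = Integer.valueOf(75);

    /** Last name taken from the current request; written by {@link #makeAccountLine}. */
    private String accountName;

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.session.Screen
    public Element createContent(WebSession webSession) {
        return super.createStagedContent(webSession);
    }

    /** Stage 1: the intentionally injectable query. */
    @Override // org.owasp.webgoat.lessons.SequentialLessonAdapter
    protected Element doStage1(WebSession webSession) throws Exception {
        return injectableQuery(webSession);
    }

    /** Stage 2: the parameterized (remediated) query. */
    @Override // org.owasp.webgoat.lessons.SequentialLessonAdapter
    protected Element doStage2(WebSession webSession) throws Exception {
        return parameterizedQuery(webSession);
    }

    /**
     * Renders the stage-1 form and runs the concatenated query.
     *
     * <p>INTENTIONALLY VULNERABLE: the SQL text embeds the unvalidated request parameter. This is
     * the defect the student is meant to exploit; replacing it with a bound parameter would make the
     * stage unsolvable.
     *
     * @param webSession current WebGoat session (supplies the request parser and DB connection)
     * @return page fragment with the form, the echoed SQL and either a result table, the
     *         "no results" label, or the raw SQL error message
     */
    protected Element injectableQuery(WebSession webSession) {
        ElementContainer content = new ElementContainer();
        try {
            // The connection is obtained from DatabaseUtilities and is not closed here; it is
            // assumed to be owned and pooled by that utility — TODO confirm.
            Connection connection = DatabaseUtilities.getConnection(webSession);
            content.addElement(makeAccountLine(webSession));
            // Lesson target: string-built SQL from raw user input (see class Javadoc).
            String query = "SELECT * FROM user_data WHERE last_name = '" + this.accountName + "'";
            content.addElement(new PRE(query));
            Statement statement = null;
            try {
                statement = connection.createStatement(
                        ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
                ResultSet results = statement.executeQuery(query);
                if (renderResults(content, results)) {
                    makeSuccess(webSession);
                    getLessonTracker(webSession).setStage(2);
                    webSession.setMessage(getLabelManager().get("StringSqlInjectionSecondStage"));
                }
            } catch (SQLException e) {
                // Deliberate information leak: the raw DB error is part of the lesson's hints.
                content.addElement(new P().addElement(e.getMessage()));
                e.printStackTrace();
            } finally {
                closeQuietly(statement);
            }
        } catch (Exception e) {
            webSession.setMessage(getLabelManager().get("ErrorGenerating") + getClass().getName());
            e.printStackTrace();
        }
        return content;
    }

    /**
     * Renders the stage-2 form and runs the same query through a PreparedStatement.
     *
     * <p>The last name is bound with {@link PreparedStatement#setString}, so the student's
     * stage-1 payload is treated as a literal value. Typing {@value #RESTART_KEYWORD} resets the
     * lesson to stage 1.
     *
     * @param webSession current WebGoat session
     * @return page fragment with the form, the displayed parameterized SQL and the query outcome
     */
    protected Element parameterizedQuery(WebSession webSession) {
        ElementContainer content = new ElementContainer();
        content.addElement(getLabelManager().get("StringSqlInjectionSecondStage"));
        if (webSession.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals(RESTART_KEYWORD)) {
            getLessonTracker(webSession).getLessonProperties().setProperty(STAGE, "1");
            return injectableQuery(webSession);
        }
        content.addElement(new BR());
        try {
            Connection connection = DatabaseUtilities.getConnection(webSession);
            content.addElement(makeAccountLine(webSession));
            content.addElement(new PRE(PARAMETERIZED_QUERY));
            PreparedStatement statement = null;
            try {
                statement = connection.prepareStatement(PARAMETERIZED_QUERY,
                        ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
                statement.setString(1, this.accountName);
                // Same success rule as stage 1; with a bound parameter only a literal last name
                // shared by ROWS_REQUIRED_FOR_SUCCESS rows could satisfy it.
                if (renderResults(content, statement.executeQuery())) {
                    makeSuccess(webSession);
                }
            } catch (SQLException e) {
                content.addElement(new P().addElement(e.getMessage()));
            } finally {
                closeQuietly(statement);
            }
        } catch (Exception e) {
            webSession.setMessage(getLabelManager().get("ErrorGenerating") + getClass().getName());
            e.printStackTrace();
        }
        return content;
    }

    /**
     * Writes the result table (or the "no results" label) into {@code content} and reports whether
     * the lesson's success threshold was reached.
     *
     * <p>{@code DatabaseUtilities.writeTable} is assumed to consume the ResultSet eagerly, which is
     * what makes it safe for callers to close the statement afterwards — TODO confirm.
     *
     * @param content container the rendered output is appended to
     * @param results result set positioned before the first row; may be {@code null}
     * @return {@code true} when at least {@link #ROWS_REQUIRED_FOR_SUCCESS} rows were returned
     * @throws SQLException propagated from cursor movement or metadata access
     */
    private boolean renderResults(ElementContainer content, ResultSet results) throws SQLException {
        if (results == null || !results.first()) {
            content.addElement(getLabelManager().get("NoResultsMatched"));
            return false;
        }
        content.addElement(DatabaseUtilities.writeTable(results, results.getMetaData()));
        results.last();
        return results.getRow() >= ROWS_REQUIRED_FOR_SUCCESS;
    }

    /**
     * Closes a statement (and its open ResultSet) without masking an exception already in flight.
     *
     * @param statement statement to close; {@code null} is ignored
     */
    private static void closeQuietly(Statement statement) {
        if (statement == null) {
            return;
        }
        try {
            statement.close();
        } catch (SQLException ignored) {
            // Best-effort cleanup; a failed close must not replace the lesson's own outcome.
        }
    }

    /**
     * Builds the prompt, text input and submit button, and captures the submitted last name into
     * {@link #accountName}.
     *
     * <p>The parameter is read raw (no validation) on purpose: stage 1 needs the unmodified payload.
     * NOTE(review): the same raw value is written back as the input's value attribute; whether ECS
     * {@code Input} attribute-encodes it is not visible here — confirm before treating the form as
     * free of reflected-XSS concerns.
     *
     * @param webSession current WebGoat session
     * @return the form fragment
     */
    protected Element makeAccountLine(WebSession webSession) {
        ElementContainer line = new ElementContainer();
        line.addElement(new P().addElement(getLabelManager().get("EnterLastName")));
        this.accountName = webSession.getParser().getRawParameter(ACCT_NAME, DEFAULT_ACCOUNT_NAME);
        line.addElement(new Input("TEXT", ACCT_NAME, this.accountName));
        line.addElement(ECSFactory.makeButton(getLabelManager().get("Go!")));
        return line;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Category getDefaultCategory() {
        return Category.INJECTION;
    }

    /** @return the four localized hints for this lesson, in display order */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add(getLabelManager().get("SqlStringInjectionHint1"));
        hints.add(getLabelManager().get("SqlStringInjectionHint2"));
        hints.add(getLabelManager().get("SqlStringInjectionHint3"));
        hints.add(getLabelManager().get("SqlStringInjectionHint4"));
        return hints;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "String SQL Injection";
    }
}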
