package org.owasp.webgoat.plugin.db_cross_site;

import java.sql.CallableStatement;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.plugin.GoatHillsFinancial.DefaultLessonAction;
import org.owasp.webgoat.plugin.GoatHillsFinancial.Employee;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/db-cross-site-scripting-1.0.jar:org/owasp/webgoat/plugin/db_cross_site/UpdateProfileDBCrossSiteScripting.class */
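public class UpdateProfileDBCrossSiteScripting extends DefaultLessonAction {

    /** Stage name whose completion check looks for a script payload in the submitted address. */
    private static final String STORED_XSS_STAGE = "Stored XSS";

    /** Allow-list pattern for address1 used by the stage-2 completion check (letters, digits, ", . " and space, max 80). */
    private static final String SAFE_ADDRESS1_REGEX = "^[a-zA-Z0-9,\\. ]{0,80}$";

    /** Message shown to the user whenever the update/create/lookup against the employee table fails. */
    private static final String UPDATE_ERROR_MESSAGE = "Error updating employee profile";

    /** Action executed after the profile has been written (typically renders the resulting page). */
    private final LessonAction chainedAction;

    /**
     * Creates the update-profile action for the DB cross-site scripting lesson.
     *
     * @param goatHillsFinancial the owning lesson
     * @param str first argument forwarded to {@link DefaultLessonAction}
     * @param str2 second argument forwarded to {@link DefaultLessonAction}
     * @param lessonAction the action to run after the profile has been written
     */
    public UpdateProfileDBCrossSiteScripting(GoatHillsFinancial goatHillsFinancial, String str, String str2, LessonAction lessonAction) {
        super(goatHillsFinancial, str, str2);
        this.chainedAction = lessonAction;
    }

    /**
     * Reads the submitted employee form, writes it to the database (update when an employee id is
     * given, insert otherwise) and then runs the chained action.
     *
     * <p>The lesson's stage-completion checks live here as well: on the {@value #STORED_XSS_STAGE}
     * stage the stage is completed when the stored address carries a script payload; on
     * {@link DBCrossSiteScripting#STAGE2} it is completed when the database layer itself rejects an
     * address that fails {@link #SAFE_ADDRESS1_REGEX}. Neither check sanitizes input — they only
     * grade the lesson.
     *
     * @param webSession the current session; the request parameters are read from it
     * @throws UnauthenticatedException if the session is not authenticated
     * @throws UnauthorizedException if the create/chained action reports the user is not allowed
     * @throws ParameterNotFoundException as declared by the action contract
     * @throws ValidationException as declared by the action contract
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.DefaultLessonAction, org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction
    public void handleRequest(WebSession webSession) throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException, ValidationException {
        if (!isAuthenticated(webSession)) {
            throw new UnauthenticatedException();
        }
        String lessonPrefix = getLessonName() + ".";
        int userId = getIntSessionAttribute(webSession, lessonPrefix + GoatHillsFinancial.USER_ID);
        HttpServletRequest request = webSession.getRequest();
        // A malformed numeric parameter surfaces as NumberFormatException, as it always has.
        int employeeId = Integer.parseInt(request.getParameter(GoatHillsFinancial.EMPLOYEE_ID));
        // Kept as a separate local because the Stored XSS check inspects the raw submitted value.
        String address1 = request.getParameter(GoatHillsFinancial.ADDRESS1);
        Employee employee = new Employee(
                employeeId,
                request.getParameter(GoatHillsFinancial.FIRST_NAME),
                request.getParameter(GoatHillsFinancial.LAST_NAME),
                request.getParameter(GoatHillsFinancial.SSN),
                request.getParameter("title"),
                request.getParameter(GoatHillsFinancial.PHONE_NUMBER),
                address1,
                request.getParameter(GoatHillsFinancial.ADDRESS2),
                Integer.parseInt(request.getParameter("manager")),
                request.getParameter(GoatHillsFinancial.START_DATE),
                Integer.parseInt(request.getParameter(GoatHillsFinancial.SALARY)),
                request.getParameter(GoatHillsFinancial.CCN),
                Integer.parseInt(request.getParameter(GoatHillsFinancial.CCN_LIMIT)),
                request.getParameter(GoatHillsFinancial.DISCIPLINARY_DATE),
                request.getParameter(GoatHillsFinancial.DISCIPLINARY_NOTES),
                request.getParameter("description"));
        try {
            if (employeeId > 0) {
                changeEmployeeProfile(webSession, userId, employeeId, employee);
                setRequestAttribute(webSession, lessonPrefix + GoatHillsFinancial.EMPLOYEE_ID, Integer.toString(employeeId));
                // Lesson grading only: the address was stored unchanged; this just detects that a payload went in.
                if (STORED_XSS_STAGE.equals(getStage(webSession)) && looksLikeScriptPayload(address1)) {
                    setStageComplete(webSession, STORED_XSS_STAGE);
                }
            } else {
                createEmployeeProfile(webSession, userId, employee);
            }
        } catch (SQLException e) {
            webSession.setMessage(UPDATE_ERROR_MESSAGE);
            e.printStackTrace();
            // Stage 2 is solved when the database layer rejects a non-allow-listed address; the two
            // message fragments are what the lesson's DB-side validation is expected to produce.
            if (DBCrossSiteScripting.STAGE2.equals(getStage(webSession))
                    && isDatabaseValidationError(e)
                    && !employee.getAddress1().matches(SAFE_ADDRESS1_REGEX)) {
                setStageComplete(webSession, DBCrossSiteScripting.STAGE2);
            }
        }
        // NOTE(review): failures of the chained action are logged and swallowed, so the response still
        // advances to the next page after the write above has already happened — confirm this is the
        // intended lesson flow rather than an oversight.
        try {
            this.chainedAction.handleRequest(webSession);
        } catch (UnauthenticatedException e2) {
            e2.printStackTrace();
        } catch (UnauthorizedException e3) {
            e3.printStackTrace();
        }
    }

    /**
     * Case-insensitive check used to grade the {@value #STORED_XSS_STAGE} stage.
     *
     * @param address1 the submitted address; {@code null} yields {@code false} instead of an NPE
     * @return whether the value contains an opening script tag, "alert" and a closing script tag
     */
    private static boolean looksLikeScriptPayload(String address1) {
        if (address1 == null) {
            return false;
        }
        // Locale.ROOT keeps the comparison stable regardless of the JVM default locale.
        String lowerCase = address1.toLowerCase(Locale.ROOT);
        return lowerCase.contains("<script>") && lowerCase.contains("alert") && lowerCase.contains("</script>");
    }

    /**
     * Whether the failure message looks like the DB-side rejection the stage-2 grading expects.
     *
     * @param e the failure from the update
     * @return {@code true} if the message carries either expected fragment; a missing message yields {@code false}
     */
    private static boolean isDatabaseValidationError(SQLException e) {
        String message = e.getMessage();
        if (message == null) {
            return false;
        }
        return message.contains("ORA-06512") || message.contains("Illegal characters");
    }

    /**
     * Always sends the user to the view-profile page after an update.
     *
     * @param webSession the current session (unused)
     * @return {@link GoatHillsFinancial#VIEWPROFILE_ACTION}
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.DefaultLessonAction, org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction
    public String getNextPage(WebSession webSession) {
        return GoatHillsFinancial.VIEWPROFILE_ACTION;
    }

    /**
     * Updates an existing employee row through the {@code UPDATE_EMPLOYEE} stored procedure.
     *
     * <p>NOTE(review): the first procedure argument is bound to {@code i} (the session user id), not to
     * {@code i2} (the employee being edited). That is the behaviour this class has always had; confirm
     * against the procedure's contract which record it is meant to address.
     *
     * @param webSession the current session, used to obtain the connection
     * @param i the id of the logged-in user
     * @param i2 the id of the employee whose profile was submitted (currently not bound)
     * @param employee the submitted profile values
     * @throws SQLException if the call fails
     */
    public void changeEmployeeProfile(WebSession webSession, int i, int i2, Employee employee) throws SQLException {
        // try-with-resources closes the statement on every path; the original leaked it.
        try (CallableStatement call = WebSession.getConnection(webSession)
                .prepareCall(" { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }")) {
            call.setInt(1, i);
            call.setString(2, employee.getFirstName());
            call.setString(3, employee.getLastName());
            call.setString(4, employee.getSsn());
            call.setString(5, employee.getTitle());
            call.setString(6, employee.getPhoneNumber());
            call.setString(7, employee.getAddress1());
            call.setString(8, employee.getAddress2());
            call.setInt(9, employee.getManager());
            call.setString(10, employee.getStartDate());
            call.setInt(11, employee.getSalary());
            call.setString(12, employee.getCcn());
            call.setInt(13, employee.getCcnLimit());
            call.setString(14, employee.getDisciplinaryActionDate());
            call.setString(15, employee.getDisciplinaryActionNotes());
            call.setString(16, employee.getPersonalDescription());
            call.executeUpdate();
        }
    }

    /**
     * Inserts a new employee row, allocating its id via {@link #getNextUID(WebSession)}.
     *
     * <p>Failures are reported through the session message and logged; they are not propagated, so a
     * failed id lookup no longer falls through to an insert with id 0 as it previously did.
     *
     * <p>NOTE(review): this statement binds no salary while {@code UPDATE_EMPLOYEE} takes one; the
     * employee table's column list is not visible here, so confirm the value count matches it.
     *
     * @param webSession the current session, used to obtain the connection and report errors
     * @param i the id of the logged-in user (unused)
     * @param employee the submitted profile values
     * @throws UnauthorizedException declared for the action contract; not thrown by this implementation
     */
    public void createEmployeeProfile(WebSession webSession, int i, Employee employee) throws UnauthorizedException {
        // The id is bound as a parameter rather than concatenated into the SQL text.
        try (PreparedStatement insert = WebSession.getConnection(webSession)
                .prepareStatement("INSERT INTO employee VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)")) {
            insert.setInt(1, getNextUID(webSession));
            insert.setString(2, employee.getFirstName().toLowerCase(Locale.ROOT));
            insert.setString(3, employee.getLastName());
            insert.setString(4, employee.getSsn());
            insert.setString(5, employee.getTitle());
            insert.setString(6, employee.getPhoneNumber());
            insert.setString(7, employee.getAddress1());
            insert.setString(8, employee.getAddress2());
            insert.setInt(9, employee.getManager());
            insert.setString(10, employee.getStartDate());
            insert.setString(11, employee.getCcn());
            insert.setInt(12, employee.getCcnLimit());
            insert.setString(13, employee.getDisciplinaryActionDate());
            insert.setString(14, employee.getDisciplinaryActionNotes());
            insert.setString(15, employee.getPersonalDescription());
            insert.execute();
        } catch (SQLException | RuntimeException e) {
            // Same user-visible outcome as before; a logging facility is not available in this class.
            webSession.setMessage(UPDATE_ERROR_MESSAGE);
            e.printStackTrace();
        }
    }

    /**
     * Returns {@code max(userid) + 1} from the employee table.
     *
     * <p>NOTE(review): select-max-plus-one is not atomic, so two concurrent creates can obtain the same
     * id; a sequence/identity column would be the proper fix but the schema is not visible here.
     *
     * @param webSession the current session, used to obtain the connection
     * @return the next free employee id
     * @throws SQLException if the query fails or returns no row (previously swallowed, yielding 0)
     */
    private int getNextUID(WebSession webSession) throws SQLException {
        try (Statement statement = WebSession.getConnection(webSession).createStatement();
             ResultSet rs = statement.executeQuery("select max(userid) as uid from employee")) {
            if (!rs.next()) {
                throw new SQLException("max(userid) query returned no row");
            }
            return rs.getInt("uid") + 1;
        }
    }
}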
