Skip to content

🔒 Fix SQL Injection in MainController.java#101

Open
G30RG3-GJ wants to merge 1 commit intomasterfrom
fix-sql-injection-maincontroller-6378433451357861885
Open

🔒 Fix SQL Injection in MainController.java#101
G30RG3-GJ wants to merge 1 commit intomasterfrom
fix-sql-injection-maincontroller-6378433451357861885

Conversation

@G30RG3-GJ
Copy link
Owner

@G30RG3-GJ G30RG3-GJ commented Feb 19, 2026

This PR fixes multiple SQL injection vulnerabilities in MainController.java by introducing parameterized query support in DatabaseHandler.java.

Changes:

  1. DatabaseHandler.java:
    • Added execAction(String query, Object... params) using PreparedStatement.
    • Added execQuery(String query, Object... params) using PreparedStatement.
    • Fixed inflateDB to correctly load tables.xml resource using DatabaseHandler.class.getResourceAsStream instead of .getClass().getResourceAsStream.
  2. MainController.java:
    • Refactored loadSubmissionOp, loadMemberInfo, loadIssueOperation, loadBookInfo2, and loadRenewOp to use the new parameterized methods.
  3. Tests:
    • Added test/library/assistant/database/DatabaseHandlerExecTest.java to verify parameterized execution and SQL injection prevention.
    • Added stubs in test/stubs to allow compilation of DatabaseHandler in the headless test environment.

Security Impact:

  • Eliminates SQL injection vectors where user input (Book ID, Member ID) was directly concatenated into SQL strings.
  • Uses PreparedStatement which treats parameters as literal values, neutralizing injection payloads.

Verification:

  • DatabaseHandlerExecTest passes, confirming that execAction works with parameters and that SQL injection attempts (e.g. ' OR '1'='1) are ineffective.

PR created automatically by Jules for task 6378433451357861885 started by @G30RG3-GJ

@google-labs-jules @G30RG3-GJ
Fix SQL Injection in MainController and DatabaseHandler
91c871a 
Refactored DatabaseHandler to support parameterized queries using PreparedStatement.
Updated MainController to use parameterized execAction and execQuery methods, eliminating SQL injection vulnerabilities in:
- loadSubmissionOp
- loadMemberInfo
- loadIssueOperation
- loadBookInfo2
- loadRenewOp

Also fixed a resource loading bug in DatabaseHandler where tables.xml was loaded incorrectly.

Added DatabaseHandlerExecTest and necessary stubs for verification.

Co-authored-by: G30RG3-GJ <203693057+G30RG3-GJ@users.noreply.github.com>
@google-labs-jules
Copy link

google-labs-jules bot commented Feb 19, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@G30RG3-GJ