test

Author: li-xin-yi

app/src/main/AndroidManifest.xml

@@ -9,7 +9,9 @@
         android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
         android:theme="@style/Theme.SQLinjectdemo">
-        <activity android:name=".Result"></activity>
+        <activity android:name=".AllEmployee"></activity>
+        <activity android:name=".DataViewer" />
+        <activity android:name=".Result" />
         <activity android:name=".MainActivity">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />

app/src/main/assets/fa-regular-400.ttf

@@ -0,0 +1,71 @@
+package com.example.sql_inject_demo;
+
+import androidx.appcompat.app.ActionBar;
+import androidx.appcompat.app.AppCompatActivity;
+import androidx.recyclerview.widget.LinearLayoutManager;
+import androidx.recyclerview.widget.RecyclerView;
+
+import android.database.Cursor;
+import android.os.Bundle;
+import android.view.View;
+import android.widget.TextView;
+
+import com.google.android.material.floatingactionbutton.FloatingActionButton;
+
+import java.util.ArrayList;
+
+public class AllEmployee extends AppCompatActivity {
+
+    DBHandler dbHandler;
+    ArrayList<Employee> employees;
+    RecyclerView recyclerView;
+    TextView noDataText;
+    CustomAdapter customAdapter;
+    FloatingActionButton returnButton;
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.activity_all_employee);
+
+        ActionBar ab = getSupportActionBar();
+        if (ab!=null)
+        {
+            ab.setTitle("All Employees");
+        }
+
+        dbHandler = new DBHandler(AllEmployee.this,null,null,1);
+        recyclerView = findViewById(R.id.recycleViewer);
+        noDataText = findViewById(R.id.noDataText);
+        returnButton = findViewById(R.id.returnButton);
+        employees = new ArrayList<>();
+        storeEmployees();
+        customAdapter = new CustomAdapter(this,this,employees);
+        recyclerView.setAdapter(customAdapter);
+        recyclerView.setLayoutManager(new LinearLayoutManager(AllEmployee.this));
+        returnButton.setOnClickListener(v->{finish();});
+    }
+
+    protected void storeEmployees()
+    {
+        Cursor cursor = dbHandler.loadHandler();
+        if (cursor.getCount()==0)
+        {
+            noDataText.setVisibility(View.VISIBLE);
+        } else {
+            while (cursor.moveToNext()){
+                employees.add(new Employee(Integer.parseInt(cursor.getString(0)),
+                        cursor.getString(1),
+                        cursor.getString(2),
+                        cursor.getString(3),
+                        cursor.getString(4),
+                        cursor.getString(5),
+                        cursor.getString(6),
+                        cursor.getString(7),
+                        Integer.parseInt(cursor.getString(8)),
+                        cursor.getString(9)
+                ));
+            }
+        }
+    }
+}

app/src/main/assets/fa-solid-900.ttf

@@ -0,0 +1,109 @@
+package com.example.sql_inject_demo;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.graphics.Typeface;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.view.ViewGroup;
+import android.view.animation.Animation;
+import android.view.animation.AnimationUtils;
+import android.widget.LinearLayout;
+import android.widget.TextView;
+
+import androidx.annotation.NonNull;
+import androidx.recyclerview.widget.RecyclerView;
+
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.zip.Inflater;
+
+public class CustomAdapter extends RecyclerView.Adapter<CustomAdapter.MyViewHolder> {
+
+    private Context context;
+    private Activity activity;
+    private ArrayList<Employee> employees;
+
+    String id_icon,phone_icon,birthday_icon,email_icon,address_icon;
+
+    public CustomAdapter(Context context, Activity activity, ArrayList<Employee> employees) {
+        this.context = context;
+        this.activity = activity;
+        this.employees = employees;
+        id_icon = context.getResources().getString(R.string.id_card_icon);
+        phone_icon = context.getResources().getString(R.string.phone_icon);
+        birthday_icon = context.getResources().getString(R.string.birthday_icon);
+        email_icon = context.getResources().getString(R.string.email_icon);
+        address_icon = context.getResources().getString(R.string.address_icon);
+    }
+
+    @NonNull
+    @Override
+    public MyViewHolder onCreateViewHolder(@NonNull ViewGroup parent, int viewType) {
+        LayoutInflater inflater = LayoutInflater.from(context);
+
+        View view = inflater.inflate(R.layout.activity_data_viewer,parent,false);
+        return new MyViewHolder(view);
+    }
+
+    @Override
+    public void onBindViewHolder(@NonNull CustomAdapter.MyViewHolder holder, int position) {
+        DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd");
+        holder.nameViewer.setText(employees.get(position).getName());
+        holder.idViewer.setText(id_icon+"  " +String.valueOf(employees.get(position).getId()));
+        holder.ssnViewer.setText("SSN:"+employees.get(position).getSsn());
+        holder.salaryViewer.setText("($"+String.valueOf(employees.get(position).getSalary())+"/yr)");
+        holder.nicknameViwer.setText(employees.get(position).getNickname());
+        holder.addressViewer.setText(address_icon+ "  " + employees.get(position).getAddress());
+        holder.phoneViwer.setText(phone_icon+"  " + employees.get(position).getPhone());
+        holder.emailViewer.setText(email_icon+"  " + employees.get(position).getEmail());
+        holder.birthdayViewer.setText(birthday_icon+"  " + dateFormat.format(employees.get(position).getBirthday()));
+        holder.mainLayout.setOnClickListener(v -> {
+            Intent intent = new Intent(context, Result.class);
+            intent.putExtra("admin",true);
+            intent.putExtra("employee",employees.get(position));
+            activity.startActivity(intent);
+        });
+    }
+
+    @Override
+    public int getItemCount() {
+        return employees.size();
+    }
+
+    class MyViewHolder extends RecyclerView.ViewHolder {
+        TextView nameViewer, idViewer, ssnViewer, salaryViewer, nicknameViwer, phoneViwer, addressViewer, emailViewer, birthdayViewer;
+        LinearLayout mainLayout;
+        Typeface solidFont,regularFont;
+
+        MyViewHolder(@NonNull View itemViewer)
+        {
+            super(itemViewer);
+
+            solidFont = Typeface.createFromAsset(context.getAssets(), "fa-solid-900.ttf" );
+            regularFont = Typeface.createFromAsset(context.getAssets(), "fa-regular-400.ttf" );
+
+            nameViewer = itemViewer.findViewById(R.id.nameViewer);
+            idViewer = itemViewer.findViewById(R.id.idViewer);
+            ssnViewer = itemViewer.findViewById(R.id.ssnViewer);
+            salaryViewer = itemViewer.findViewById(R.id.salaryViewer);
+            nicknameViwer = itemViewer.findViewById(R.id.nicknameViewer);
+            phoneViwer = itemViewer.findViewById(R.id.phoneViewer);
+            addressViewer = itemViewer.findViewById(R.id.addressViewer);
+            emailViewer = itemViewer.findViewById(R.id.emailViewer);
+            birthdayViewer = itemViewer.findViewById(R.id.birthdayViewer);
+            mainLayout = itemViewer.findViewById(R.id.mainLayout);
+
+            Animation translateAnimation = AnimationUtils.loadAnimation(context,R.anim.translate_anim);
+            mainLayout.setAnimation(translateAnimation);
+
+            idViewer.setTypeface(regularFont);
+            phoneViwer.setTypeface(solidFont);
+            addressViewer.setTypeface(solidFont);
+            birthdayViewer.setTypeface(solidFont);
+            emailViewer.setTypeface(regularFont);
+        }
+    }
+}

app/src/main/java/com/example/sql_inject_demo/AllEmployee.java

@@ -16,14 +16,13 @@ public class DBHandler extends SQLiteOpenHelper {
     private static final String TABLE_NAME = "employee";
 
 
-
     public DBHandler(Context context, String name, SQLiteDatabase.CursorFactory factory, int version) {
         super(context, DB_NAME, factory, DB_VERSION);
     }
 
     @Override
-    public void onCreate(SQLiteDatabase db){
-        String SQL_CREATE_TABLE = "CREATE TABLE "+ TABLE_NAME + "( ID INTEGER,"
+    public void onCreate(SQLiteDatabase db) {
+        String SQL_CREATE_TABLE = "CREATE TABLE " + TABLE_NAME + "( ID INTEGER,"
                 + "NAME TEXT,"
                 + "PASSWORD TEXT,"
                 + "SSN TEXT,"
@@ -34,47 +33,42 @@ public void onCreate(SQLiteDatabase db){
                 + "SALARY INTEGER,"
                 + "BIRTHDAY DATE)";
         db.execSQL(SQL_CREATE_TABLE);
-        addHandler(db, new Employee(99999,"Admin","seedadmin","43254314",
-                "","","","",400000,"1990-03-05"));
-        addHandler(db, new Employee(10000,"Alice","seedalice","10211002",
-                "","","","",20000,"2000-09-20"));
-        addHandler(db, new Employee(20000,"Boby","seedboby","10213352",
-                "","","","",50000,"2000-04-20"));
-        addHandler(db, new Employee(30000,"Ryan","seedryan","32193525",
-                "","","","",90000,"2000-04-10"));
-        addHandler(db, new Employee(30000,"Samy","seedsamy","32111111",
-                "","","","",40000,"2000-01-11"));
-        addHandler(db, new Employee(40000,"Ted","seedted","24343244",
-                "","","","",110000,"2000-11-3"));
+        addHandler(db, new Employee(99999, "Admin", "admin", "43254314",
+                "Ad", "(403)220-1191", "admin@hogwarts.edu", "Gryffindor House", 400000, "1990-03-05"));
+        addHandler(db, new Employee(10000, "Alice", "alice", "10211002",
+                "Ali", "(400)210-2112", "alice@hogwarts.edu", "Gryffindor House", 20000, "2000-09-20"));
+        addHandler(db, new Employee(20000, "Boby", "boby", "10213352",
+                "Bob", "(404)789-2313", "boby@hogwarts.edu", "Hufflepuff House", 50000, "2000-04-20"));
+        addHandler(db, new Employee(30000, "Ryan", "ryan", "32193525",
+                "Ryanny", "(210)096-3287", "ryan@hogwarts.edu", "Ravenclaw House", 90000, "2000-04-10"));
+        addHandler(db, new Employee(40000, "Samy", "samy", "32111111",
+                "Sam", "(450)218-8876", "samy@hogwarts.edu", "Slytherin", 40000, "2000-01-11"));
+        addHandler(db, new Employee(50000, "Ted", "ted", "24343244",
+                "Teddy", "(208)222-8712", "ted@hogwarts.edu", "Azkaban", 110000, "2000-11-3"));
     }
 
     @Override
-    public void onUpgrade(SQLiteDatabase db, int i, int i1)
-    {
-        db.execSQL("DROP TABLE IF EXISTS "+ TABLE_NAME);
+    public void onUpgrade(SQLiteDatabase db, int i, int i1) {
+        db.execSQL("DROP TABLE IF EXISTS " + TABLE_NAME);
         onCreate(db);
     }
 
-    public Cursor loadHandler()
-    {
+    public Cursor loadHandler() {
         String query = "SELECT * FROM " + TABLE_NAME;
         Cursor cursor = null;
-        SQLiteDatabase db = this.getWritableDatabase();
-        if (db != null)
-        {
-            cursor = db.rawQuery(query,null);
-            db.close();
+        SQLiteDatabase db = this.getReadableDatabase();
+        if (db != null) {
+            cursor = db.rawQuery(query, null);
+//            db.close();
         }
 
         return cursor;
     }
 
-    public void addHandler(SQLiteDatabase db, Employee employee)
-    {
+    public void addHandler(SQLiteDatabase db, Employee employee) {
         DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd");
         ContentValues values = new ContentValues();
-        if (db!=null)
-        {
+        if (db != null) {
             values.put("ID", employee.getId());
             values.put("NAME", employee.getName());
             values.put("PASSWORD", employee.getPassword());
@@ -89,13 +83,12 @@ public void addHandler(SQLiteDatabase db, Employee employee)
         }
     }
 
-    public Employee findHandler(String username, String password)
-    {
-        String query = "SELECT * FROM " + TABLE_NAME + " WHERE NAME='" + username + "' AND PASSWORD='" + password+"'";
-        SQLiteDatabase db = this.getWritableDatabase();
-        Employee employee= null;
-        Cursor cursor = db.rawQuery(query,null);
-        if (cursor!=null && cursor.getCount()>0 && cursor.moveToFirst()) {
+    public Employee findHandler(String username, String password) {
+        String query = "SELECT * FROM " + TABLE_NAME + " WHERE NAME='" + username + "' AND PASSWORD='" + password + "'";
+        SQLiteDatabase db = this.getReadableDatabase();
+        Employee employee = null;
+        Cursor cursor = db.rawQuery(query, null);
+        if (cursor != null && cursor.getCount() > 0 && cursor.moveToFirst()) {
             employee = new Employee(Integer.parseInt(cursor.getString(0)),
                     cursor.getString(1),
                     cursor.getString(2),
@@ -106,16 +99,16 @@ public Employee findHandler(String username, String password)
                     cursor.getString(7),
                     Integer.parseInt(cursor.getString(8)),
                     cursor.getString(9)
-                    );
+            );
             cursor.close();
         }
         db.close();
         return employee;
     }
 
-    public boolean updateHandler(Employee employee)
-    {
-        String UPDATE_SQL_COMMAND = String.format("UPDATE %s SET NICKNAME=%s, EMAIL=%s, ADDRESS=%s, PASSWORD=%s, PHONE=%s WHERE ID=%s RETURNING *",
+    public void partialUpdateHandler(Employee employee) {
+        // invoked by user, update some optional fields
+        String UPDATE_SQL_COMMAND = String.format("UPDATE %s SET NICKNAME='%s', EMAIL='%s', ADDRESS='%s', PASSWORD='%s', PHONE='%s' WHERE ID=%s",
                 TABLE_NAME,
                 employee.getNickname(),
                 employee.getEmail(),
@@ -124,9 +117,25 @@ public boolean updateHandler(Employee employee)
                 employee.getPhone(),
                 employee.getId());
         SQLiteDatabase db = this.getWritableDatabase();
-        Cursor cursor = db.rawQuery(UPDATE_SQL_COMMAND,null);
-        cursor.close();
-        return cursor.getCount()==1;
+        db.execSQL(UPDATE_SQL_COMMAND);
+    }
+
+    public boolean fullUpdateHandler(Employee employee)
+    {
+//        invoked by admin, update all fields except ID
+        DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd");
+        SQLiteDatabase db = this.getWritableDatabase();
+        ContentValues values = new ContentValues();
+        values.put("NAME", employee.getName());
+        values.put("PASSWORD", employee.getPassword());
+        values.put("SSN", employee.getSsn());
+        values.put("NICKNAME", employee.getNickname());
+        values.put("PHONE", employee.getPhone());
+        values.put("SALARY", employee.getSalary());
+        values.put("ADDRESS", employee.getAddress());
+        values.put("EMAIL", employee.getEmail());
+        values.put("BIRTHDAY", dateFormat.format(employee.getBirthday()));
+        return -1!=db.update(TABLE_NAME,values,"ID=?", new String[]{String.valueOf(employee.getId())});
     }
 
 }

app/src/main/java/com/example/sql_inject_demo/CustomAdapter.java

@@ -0,0 +1,14 @@
+package com.example.sql_inject_demo;
+
+import androidx.appcompat.app.AppCompatActivity;
+
+import android.os.Bundle;
+
+public class DataViewer extends AppCompatActivity {
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.activity_data_viewer);
+    }
+}

app/src/main/java/com/example/sql_inject_demo/DBHandler.java

@@ -1,11 +1,12 @@
 package com.example.sql_inject_demo;
 
+import java.io.Serializable;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 
 
-public class Employee {
+public class Employee implements Serializable {
     private String name, password, ssn, nickname, phone, email, address;
     private int salary,id;
     private Date birthday;