
Update IgnoreCommand.java #32

Open
wants to merge 1 commit into
base: main

Conversation

sa-ny
Owner

@sa-ny sa-ny commented Sep 26, 2024

No description provided.


Caution

Breaking Flaws identified in code!

Fixes for test/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java:
Flaws found for this file:
CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 47 for issue 1021
CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 39 for issue 1172
CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 46 for issue 1162
CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 40 for issue 1026

Fix suggestions:

--- test/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ test/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,7 @@
 
 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.net.URLEncoder;
 //.....
 public class IgnoreCommand implements BlabberCommand {
 	private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
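Review bot: the only change in this hunk is `+import java.net.URLEncoder;`, and URL encoding is not a defence against either finding class listed above (CWE 89 SQL injection or CWE 117 log injection), so the import should be dropped. The class already uses `PreparedStatement` (visible in the next hunk); the SQL findings are addressed by binding every user-supplied value through `?` placeholders, and the log findings by logging fixed messages or neutralizing CR/LF in any user-supplied value before it reaches `logger.info`.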
@@ -24,7 +25,7 @@
 
 	@Override
 	public void execute(String blabberUsername) {
-		String sqlQuery = "DELETE FROM listeners WHERE blabber=? AND listener=?;";
+		String sqlQuery = URLEncoder.encode("DELETE FROM listeners WHERE blabber=? AND listener=?;".toString());
 		logger.info(sqlQuery);
 		PreparedStatement action;
 		try {
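Review bot: the replacement line `String sqlQuery = URLEncoder.encode("DELETE FROM listeners WHERE blabber=? AND listener=?;".toString());` breaks the query instead of hardening it: percent-encoding turns the spaces into `+` and each `=` into `%3D`, so the string handed to `prepareStatement` is no longer valid SQL. The original line is already a parameterized statement with two `?` placeholders and needs no change. Two smaller points on the same line: `.toString()` on a string literal is a no-op, and the single-argument `URLEncoder.encode(String)` overload is deprecated. If the intent was the CWE 117 finding, note that `logger.info(sqlQuery)` here logs a constant query containing no user input, so it needs no encoding either; keep `String sqlQuery = "DELETE FROM listeners WHERE blabber=? AND listener=?;";` as it was.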
@@ -41,10 +42,11 @@
 			result.next();
 
 			/* START EXAMPLE VULNERABILITY */
-			String event = username + " is now ignoring " + blabberUsername + " (" + result.getString(1) + ")";
+			String event = username + " is now ignoring " + blabberUsername + " (?)";
 			sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
 			logger.info(sqlQuery);
 			sqlStatement.execute(sqlQuery);
+			statement.setString(1, result.getString(1));
 			/* END EXAMPLE VULNERABILITY */
 		} catch (SQLException e) {
 			// TODO Auto-generated catch block
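Review bot: this hunk leaves both findings in place and adds a line that does not compile as shown. The INSERT on the `sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";` line still concatenates `username` and `event` (which contains `blabberUsername`) into the SQL text and runs it with `sqlStatement.execute(sqlQuery)`, so the CWE 89 finding remains; replacing `result.getString(1)` with a literal `(?)` inside a Java string does not create a bind parameter, it only changes the stored event text to contain a literal question mark. The added `statement.setString(1, result.getString(1));` references a variable `statement` that does not exist in the visible code (the prepared statement in this class is `action`, the executed one `sqlStatement`), and it sits after `execute`, so even with a valid reference it would bind nothing. Suggested change: prepare `INSERT INTO users_history (blabber, event) VALUES (?, ?)` as a `PreparedStatement`, call `setString(1, username)` and `setString(2, event)` with the original `event` string, then `execute()` it, and drop the added `setString` line. Separately, `logger.info(sqlQuery)` on the following line logs user-controlled text, which is the CWE 117 finding; log a fixed message, or strip CR/LF from `username` and `blabberUsername` before they are logged.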
