
Rework SQL statements to actually use PreparedStatements for security reasons

Dieser Commit ist enthalten in:
Lixfel 2020-02-10 07:51:01 +01:00
Ursprung 583760c036
Commit ec7d1c34d2
11 geänderte Dateien mit 85 neuen und 114 gelöschten Zeilen


@ -20,7 +20,7 @@ public class BannedUserIPs {
public static List<BannedUserIPs> get(int userID){
List<BannedUserIPs> userIPs = new ArrayList<>();
ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE UserID = '" + userID + "' ORDER BY Timestamp ASC");
ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE UserID = ? ORDER BY Timestamp ASC", userID);
try {
while(dbentry.next()){
userIPs.add(new BannedUserIPs(
@ -35,7 +35,7 @@ public class BannedUserIPs {
public static List<BannedUserIPs> get(String ip){
List<BannedUserIPs> userIDs = new ArrayList<>();
ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE IP = '" + ip + "' ORDER BY Timestamp DESC");
ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE IP = ? ORDER BY Timestamp DESC", ip);
try {
while(dbentry.next()){
userIDs.add(new BannedUserIPs(
@ -49,12 +49,7 @@ public class BannedUserIPs {
}
static void banIP(SteamwarUser user, String ip){
SQL.update("INSERT INTO BannedUserIPs\n" +
" (UserID, Timestamp, IP)\n" +
"VALUES\n" +
" (" + user.getId() + ", NOW(), '" + ip + "')\n" +
"ON DUPLICATE KEY UPDATE\n" +
" Timestamp=NOW()");
SQL.update("INSERT INTO BannedUserIPs (UserID, Timestamp, IP) VALUES (?, NOW(), ?) ON DUPLICATE KEY UPDATE Timestamp=NOW()", user.getId(), ip);
}
public int getUserID() {


@ -39,12 +39,8 @@ public class BauweltMember{
}
private void updateDB(){
SQL.update("INSERT INTO BauweltMember" +
" (BauweltID, MemberID, Build, WorldEdit, World)" +
" VALUES" +
" ('" + bauweltID + "', '" + memberID + "', '" + SQL.booleanToInt(build) + "', '" + SQL.booleanToInt(worldEdit) + "', '" + SQL.booleanToInt(world) + "')" +
" ON DUPLICATE KEY UPDATE" +
" Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)");
SQL.update("INSERT INTO BauweltMember (BauweltID, MemberID, Build, WorldEdit, World) VALUES (?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)",
bauweltID, memberID, build, worldEdit, world);
}
public static BauweltMember getBauMember(UUID ownerID, UUID memberID){
@ -52,7 +48,7 @@ public class BauweltMember{
}
public static BauweltMember getBauMember(int ownerID, int memberID){
ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + ownerID + "' AND MemberID = '" + memberID + "'");
ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", ownerID, memberID);
try {
if(member == null || !member.next()){
return null;
@ -73,7 +69,7 @@ public class BauweltMember{
public static List<BauweltMember> getMembers(int bauweltID){
try{
ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + bauweltID + "'");
ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ?", bauweltID);
List<BauweltMember> members = new ArrayList<>();
while(memberlist.next()){
int memberID = memberlist.getInt("MemberID");
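Review bot: The rewritten `updateDB` in the first hunk binds `build`, `worldEdit` and `world` as raw booleans, where the removed code wrote them through `SQL.booleanToInt` as 0/1 literals; this commit also deletes `booleanToInt` from `SQL`, so no caller can keep the old encoding. Whether `setObject` maps a `Boolean` to the integer columns the old literals targeted depends on the JDBC driver and column type, which are not visible here, so it should be confirmed against the schema before merging; if the columns are numeric, binding `build ? 1 : 0` (and likewise for the other two) keeps the stored values identical to before.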


@ -20,13 +20,13 @@ public class Event {
private static Event current = null;
private Event(int eventID, String eventName, Timestamp start, Timestamp end, int maximumTeamMembers, boolean publicSchemsOnly){
this.eventID = eventID;
this.eventName = eventName;
this.start = start;
this.end = end;
this.maximumTeamMembers = maximumTeamMembers;
this.publicSchemsOnly = publicSchemsOnly;
private Event(ResultSet rs) throws SQLException{
this.eventID = rs.getInt("EventID");
this.eventName = rs.getString("EventName");
this.start = rs.getTimestamp("Start");
this.end = rs.getTimestamp("End");
this.maximumTeamMembers = rs.getInt("MaximumTeamMembers");
this.publicSchemsOnly = rs.getBoolean("PublicSchemsOnly");
}
public static Event get(){
@ -40,7 +40,7 @@ public class Event {
return null;
}
current = new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly"));
current = new Event(rs);
return current;
}catch (SQLException e){
BungeeCore.log("Failed to load current Event", e);
@ -54,7 +54,7 @@ public class Event {
if(!rs.next())
throw new IllegalArgumentException();
return new Event(eventID, rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly"));
return new Event(rs);
}catch (SQLException e){
BungeeCore.log("Failed to load Event", e);
throw new SecurityException();
@ -62,12 +62,12 @@ public class Event {
}
public static Event get(String eventName){
ResultSet rs = SQL.select("SELECT * FROM Event WHERE lower(EventName) = '" + SQL.disarmString(eventName.toLowerCase()) + "'");
ResultSet rs = SQL.select("SELECT * FROM Event WHERE lower(EventName) = ?", eventName.toLowerCase());
try{
if(!rs.next())
return null;
return new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly"));
return new Event(rs);
}catch (SQLException e){
BungeeCore.log("Failed to load Event by name", e);
throw new SecurityException();
@ -79,7 +79,7 @@ public class Event {
ResultSet rs = SQL.select("SELECT * FROM Event WHERE Start > now()");
try{
while(rs.next())
events.add(new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly")));
events.add(new Event(rs));
}catch (SQLException e){
BungeeCore.log("Failed to load Events", e);
}


@ -38,7 +38,7 @@ public class EventFight implements Comparable<EventFight> {
public void reschedule(){
startTime = Timestamp.from(new Date().toInstant().plus(30, SECONDS));
SQL.update("UPDATE EventFight SET StartTime = '" + startTime.toString() + "' WHERE EventID = " + eventID + " AND FightID = " + fightID);
SQL.update("UPDATE EventFight SET StartTime = ? WHERE EventID = ? AND FightID = ?", startTime, eventID, fightID);
}
public static void loadAllComingFights(){
@ -54,7 +54,7 @@ public class EventFight implements Comparable<EventFight> {
}
public static List<EventFight> getEvent(int eventID){
ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE EventID = " + eventID + " ORDER BY `StartTime` ASC");
ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE EventID = ? ORDER BY `StartTime` ASC", eventID);
List<EventFight> fights = new LinkedList<>();
try{
while(rs.next())


@ -17,8 +17,7 @@ public class Mod {
}
public static Mod get(String modName, Platform platform){
modName = SQL.disarmString(modName);
ResultSet rs = SQL.select("SELECT * FROM Mods WHERE ModName = '" + modName + "' AND Platform = " + platform.value);
ResultSet rs = SQL.select("SELECT * FROM Mods WHERE ModName = ? AND Platform = ?", modName, platform.value);
try{
if(rs.next())
return new Mod(modName, platform, ModType.valueOf(rs.getInt("ModType")));
@ -26,7 +25,7 @@ public class Mod {
BungeeCore.log("Failed to load Mod", e);
throw new SecurityException();
}
SQL.update("INSERT INTO Mods (ModName, Platform) VALUES ('" + modName + "'," + platform.value + ")");
SQL.update("INSERT INTO Mods (ModName, Platform) VALUES ('" + modName + "'," + platform.value + ")", modName, platform.value);
return new Mod(modName, platform, ModType.UNKLASSIFIED);
}
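Review bot: The INSERT on the new side of the second hunk still concatenates `modName` and `platform.value` into the query text while also passing them as parameters; the statement has no `?` placeholders, so the string stays unparameterized and the binds in `SQL.prepare` have nothing to attach to. It should read `SQL.update("INSERT INTO Mods (ModName, Platform) VALUES (?, ?)", modName, platform.value);`. The first hunk also keeps `modName = SQL.disarmString(modName);` although this commit deletes `disarmString` from `SQL`, so the file will not compile as shown; once the placeholders are in place that line can simply be removed.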


@ -23,7 +23,7 @@ public class PollAnswer {
}
public static PollAnswer get(int userID){
ResultSet rs = SQL.select("SELECT * FROM PollAnswer WHERE UserID = " + userID + " AND Question = '" + PollSystem.getQuestion() + "'");
ResultSet rs = SQL.select("SELECT * FROM PollAnswer WHERE UserID = ? AND Question = ?", userID, PollSystem.getQuestion());
try {
if(!rs.next())
return new PollAnswer(userID, PollSystem.getQuestion());
@ -40,6 +40,6 @@ public class PollAnswer {
public void setAnswer(int answer){
this.answer = answer;
SQL.update("INSERT INTO PollAnswer (UserID, Question, Answer) VALUES (" + userID + ",'" + question + "'," + answer + ") ON DUPLICATE KEY UPDATE Answer = VALUES(Answer)");
SQL.update("INSERT INTO PollAnswer (UserID, Question, Answer) VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE Answer = VALUES(Answer)", userID, question, answer);
}
}


@ -41,60 +41,55 @@ public class SQL {
}
}
private static void sqlException(){
close();
connect(url, weburl, user, password);
}
static void update(String qry) {
try (PreparedStatement st = con.prepareStatement(qry)) {
st.executeUpdate();
static void update(String qry, Object... objects) {
try {
prepare(con, qry, objects).executeUpdate();
} catch (SQLException e) {
sqlException();
try (PreparedStatement st = con.prepareStatement(qry)) {
st.executeUpdate();
} catch (SQLException ex) {
BungeeCore.log("Could not execute update statement", ex);
throw new SecurityException("Could not execute update statement", ex);
}
}
}
static void webupdate(String qry) {
try (PreparedStatement st = webcon.prepareStatement(qry)) {
st.executeUpdate();
} catch (SQLException e) {
sqlException();
try (PreparedStatement st = webcon.prepareStatement(qry)) {
st.executeUpdate();
} catch (SQLException ex) {
BungeeCore.log("Could not execute update statement", ex);
}
}
}
static ResultSet select(String qry){
try{
PreparedStatement st = con.prepareStatement(qry);
return st.executeQuery();
static void webupdate(String qry, Object... objects) {
try {
prepare(webcon, qry, objects).executeUpdate();
} catch (SQLException e) {
sqlException();
try {
PreparedStatement st = con.prepareStatement(qry);
return st.executeQuery();
prepare(webcon, qry, objects).executeUpdate();
} catch (SQLException ex) {
throw new SecurityException("Could not execute update statement", ex);
}
}
}
static ResultSet select(String qry, Object... objects){
try{
return prepare(con, qry, objects).executeQuery();
} catch (SQLException e) {
sqlException();
try {
return prepare(con, qry, objects).executeQuery();
} catch (SQLException ex) {
throw new SecurityException("Could not run Select-Statement", ex);
}
}
}
static String disarmString(String s){
return s.replace("'", "");
private static PreparedStatement prepare(Connection connection, String qry, Object... objects) throws SQLException{
PreparedStatement st = connection.prepareStatement(qry);
for(int i = 0; i < objects.length; i++){
st.setObject(i+1, objects);
}
return st;
}
static Integer booleanToInt(boolean b){
if(b)
return 1;
else
return 0;
private static void sqlException(){
close();
connect(url, weburl, user, password);
}
}
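Review bot: `prepare` at the end of the hunk binds the whole varargs array at every index — `st.setObject(i+1, objects)` should be `st.setObject(i+1, objects[i])` — so every parameterized call introduced by this commit binds the wrong value or fails in the driver. The rewritten `update` and `webupdate` also drop the try-with-resources the old code had, so the `PreparedStatement` returned by `prepare` is never closed on either the first attempt or the retry. Both are corrected below; `select` keeps returning an open `ResultSet`, whose statement was already left unclosed before this change.
```java
static void update(String qry, Object... objects) {
    try (PreparedStatement st = prepare(con, qry, objects)) {
        st.executeUpdate();
    } catch (SQLException e) {
        sqlException();
        try (PreparedStatement st = prepare(con, qry, objects)) {
            st.executeUpdate();
        } catch (SQLException ex) {
            throw new SecurityException("Could not execute update statement", ex);
        }
    }
}
// … unchanged: webupdate (same pattern against webcon), select …
private static PreparedStatement prepare(Connection connection, String qry, Object... objects) throws SQLException{
    PreparedStatement st = connection.prepareStatement(qry);
    for(int i = 0; i < objects.length; i++){
        st.setObject(i+1, objects[i]);
    }
    return st;
}
```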


@ -14,6 +14,6 @@ public class Session {
}
public void stopSession(){
SQL.update("INSERT INTO Session (UserID, StartTime, EndTime) VALUES ("+ userID + ", '" + startTime.toString() + "', NOW())");
SQL.update("INSERT INTO Session (UserID, StartTime, EndTime) VALUES (?, ?, NOW())", userID, startTime);
}
}


@ -30,7 +30,6 @@ public class SteamwarUser {
private static final Map<UUID, SteamwarUser> usersByUUID = new HashMap<>();
private static final Map<Integer, SteamwarUser> usersById = new HashMap<>();
private static final Timestamp PERMA_BAN = Timestamp.from(Instant.ofEpochSecond(946684800));
private static final String SELECT_UUID = "SELECT * FROM UserData WHERE UUID = '";
private SteamwarUser(ResultSet rs) throws SQLException {
id = rs.getInt("id");
@ -51,14 +50,14 @@ public class SteamwarUser {
SteamwarUser user = SteamwarUser.get(connection.getUniqueId());
if(user != null){
String userName = SQL.disarmString(connection.getName());
String userName = connection.getName();
if(!user.userName.equals(userName)){
SQL.update("UPDATE UserData SET UserName = '" + userName + "' WHERE id = " + user.id);
SQL.update("UPDATE UserData SET UserName = ? WHERE id = ?", userName, user.id);
user.userName = userName;
}
}else{
SQL.update("INSERT INTO UserData (UUID, UserName, UserGroup) VALUES ('" + connection.getUniqueId() + "', '" + connection.getName() + "', 'Member')");
user = dbInit(SQL.select(SELECT_UUID + connection.getUniqueId().toString() + "'"));
SQL.update("INSERT INTO UserData (UUID, UserName, UserGroup) VALUES (?, ?, 'Member')", connection.getUniqueId().toString(), connection.getName());
user = dbInit(SQL.select("SELECT * FROM UserData WHERE UUID = ?", connection.getUniqueId()));
if(user == null)
throw new SecurityException("user == null");
}
@ -67,16 +66,16 @@ public class SteamwarUser {
}
public static SteamwarUser get(String userName){
userName = SQL.disarmString(userName).toLowerCase();
userName = userName.toLowerCase();
if(usersByName.containsKey(userName))
return usersByName.get(userName);
return dbInit(SQL.select("SELECT * FROM UserData WHERE lower(UserName) = '" + userName + "'"));
return dbInit(SQL.select("SELECT * FROM UserData WHERE lower(UserName) = ?", userName));
}
public static SteamwarUser get(UUID uuid){
if(usersByUUID.containsKey(uuid))
return usersByUUID.get(uuid);
return dbInit(SQL.select(SELECT_UUID + uuid.toString() + "'"));
return dbInit(SQL.select("SELECT * FROM UserData WHERE UUID = ?", uuid.toString()));
}
public static SteamwarUser get(ProxiedPlayer player){
@ -86,7 +85,7 @@ public class SteamwarUser {
public static SteamwarUser get(int id){
if(usersById.containsKey(id))
return usersById.get(id);
return dbInit(SQL.select("SELECT * FROM UserData WHERE id = " + id));
return dbInit(SQL.select("SELECT * FROM UserData WHERE id = ?", id));
}
public static void clearCache(){
@ -96,17 +95,12 @@ public class SteamwarUser {
}
public void setWebpw(String password){
SQL.webupdate("INSERT INTO User\n" +
" (UID, WebPassword)\n" +
"VALUES\n" +
" (" + id + ", password('"+ SQL.disarmString(password) + "'))\n" +
"ON DUPLICATE KEY UPDATE\n" +
" WebPassword = VALUES(WebPassword)");
SQL.webupdate("INSERT INTO User (UID, WebPassword) VALUES (?, password(?)) ON DUPLICATE KEY UPDATE WebPassword = VALUES(WebPassword)", id, password);
}
public void setTeam(int team){
this.team = team;
SQL.update("Update UserData SET Team = " + team + " WHERE id = " + id);
SQL.update("Update UserData SET Team = ? WHERE id = ?", team, id);
}
public int getId() {
@ -135,8 +129,8 @@ public class SteamwarUser {
} else if (banTime.after(new Date()) || banTime.before(PERMA_BAN)) {
return true;
} else {
SQL.update("UPDATE UserData SET BanTime = NULL, BanReason = '' WHERE id = " + id);
SQL.update("DELETE FROM BannedUserIPs WHERE UserID = '" + getId() + "'");
SQL.update("UPDATE UserData SET BanTime = NULL, BanReason = '' WHERE id = ?", id);
SQL.update("DELETE FROM BannedUserIPs WHERE UserID = ?", id);
banTime = null;
banReason = "";
return false;
@ -149,7 +143,7 @@ public class SteamwarUser {
}else if(muteTime.after(new Date()) || muteTime.before(PERMA_BAN)){
return true;
}else{
SQL.update("UPDATE UserData SET MuteTime = NULL, MuteReason = '' WHERE id = " + id);
SQL.update("UPDATE UserData SET MuteTime = NULL, MuteReason = '' WHERE id = ?", id);
muteTime = null;
muteReason = "";
return false;
@ -179,7 +173,7 @@ public class SteamwarUser {
}
public void ban(Timestamp time, String banReason){
SQL.update("UPDATE UserData SET BanTime = '" + time.toString() + "', BanReason = '" + banReason + "' WHERE id = " + id);
SQL.update("UPDATE UserData SET BanTime = ?, BanReason = ? WHERE id = ?", time, banReason, id);
banTime = time;
this.banReason = banReason;
@ -192,7 +186,7 @@ public class SteamwarUser {
}
public void mute(Timestamp time, String muteReason){
SQL.update("UPDATE UserData SET MuteTime = '" + time.toString() + "', MuteReason = '" + muteReason + "' WHERE id = " + id);
SQL.update("UPDATE UserData SET MuteTime = ?, MuteReason = ? WHERE id = ?", time, muteReason, id);
muteTime = time;
this.muteReason = muteReason;
}
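Review bot: The `SELECT … WHERE UUID = ?` in the second hunk binds `connection.getUniqueId()` as a `UUID` object, while the INSERT on the line above it and `get(UUID)` later in the file bind `.toString()`; how `setObject` handles a `java.util.UUID` is driver-specific, so the lookup that runs right after the insert may not match the row it just wrote, which would then surface as the `SecurityException("user == null")` below it. Use `user = dbInit(SQL.select("SELECT * FROM UserData WHERE UUID = ?", connection.getUniqueId().toString()));` so all three places bind the same representation.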


@ -32,10 +32,7 @@ public class Team {
}
public static void create(String kuerzel, String name, int leader){
SQL.update("INSERT INTO Team" +
" (TeamKuerzel, TeamName, TeamLeader)" +
" VALUES" +
" ('" + kuerzel + "', '" + name + "', '" + leader + "')");
SQL.update("INSERT INTO Team (TeamKuerzel, TeamName, TeamLeader) VALUES (?, ?, ?)", kuerzel, name, leader);
}
public static Team get(int id){
@ -46,7 +43,7 @@ public class Team {
for(Team team : teamCache)
if(team.teamId == id)
return team;
return load(select("SELECT * FROM Team WHERE TeamID = " + id));
return load(select("SELECT * FROM Team WHERE TeamID = ?", id));
}
public static Team get(String name){
@ -56,7 +53,7 @@ public class Team {
for(Team team : teamCache)
if(team.teamKuerzel.equalsIgnoreCase(name))
return team;
return load(select("SELECT * FROM Team WHERE (lower(TeamName) = '" + SQL.disarmString(name).toLowerCase() + "' OR lower(TeamKuerzel) = '" + SQL.disarmString(name).toLowerCase() + "') AND NOT TeamDeleted"));
return load(select("SELECT * FROM Team WHERE (lower(TeamName) = ? OR lower(TeamKuerzel) = ?) AND NOT TeamDeleted", name.toLowerCase(), name.toLowerCase()));
}
public static List<Team> getAll(){
@ -90,12 +87,7 @@ public class Team {
}
private void updateDB(){
SQL.update("INSERT INTO Team" +
" (TeamID, TeamKuerzel, TeamName, TeamLeader)" +
" VALUES" +
" ('" + teamId + "', '" + teamKuerzel + "', '" + teamName + "', '" + teamLeader + "')" +
" ON DUPLICATE KEY UPDATE" +
" TeamName = VALUES(TeamName), TeamKuerzel = VALUES(TeamKuerzel), TeamLeader = VALUES(TeamLeader)");
SQL.update("INSERT INTO Team (TeamID, TeamKuerzel, TeamName, TeamLeader) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE TeamName = VALUES(TeamName), TeamKuerzel = VALUES(TeamKuerzel), TeamLeader = VALUES(TeamLeader)", teamId, teamKuerzel, teamName, teamLeader);
}
public int getTeamId() {
@ -107,7 +99,7 @@ public class Team {
}
public void setTeamKuerzel(String teamKuerzel) {
this.teamKuerzel = SQL.disarmString(teamKuerzel);
this.teamKuerzel = teamKuerzel;
updateDB();
}
@ -116,7 +108,7 @@ public class Team {
}
public void setTeamName(String teamName) {
this.teamName = SQL.disarmString(teamName);
this.teamName = teamName;
updateDB();
}
@ -130,7 +122,7 @@ public class Team {
}
public int size(){
ResultSet rs = select("SELECT COUNT(id) FROM UserData WHERE Team = " + teamId);
ResultSet rs = select("SELECT COUNT(id) FROM UserData WHERE Team = ?", teamId);
try {
rs.next();
return rs.getInt("COUNT(id)");
@ -141,13 +133,13 @@ public class Team {
}
public void disband(){
SQL.update("UPDATE Team SET TeamDeleted = 1, TeamLeader = NULL WHERE TeamID = " + teamId);
SQL.update("UPDATE Team SET TeamDeleted = 1, TeamLeader = NULL WHERE TeamID = ?", teamId);
teamCache.remove(this);
}
public List<Integer> getMembers(){
try{
ResultSet memberlist = select("SELECT id FROM UserData WHERE Team = '" + teamId + "'");
ResultSet memberlist = select("SELECT id FROM UserData WHERE Team = ?", teamId);
List<Integer> members = new ArrayList<>();
while(memberlist.next()){
members.add(memberlist.getInt("id"));


@ -11,15 +11,15 @@ public class TeamTeilnahme {
private TeamTeilnahme(){}
public static void teilnehmen(int teamID, int eventID){
SQL.update("INSERT INTO TeamTeilnahme (TeamID, EventID) VALUES (" + teamID + "," + eventID + ")");
SQL.update("INSERT INTO TeamTeilnahme (TeamID, EventID) VALUES (?, ?)", teamID, eventID);
}
public static void notTeilnehmen(int teamID, int eventID){
SQL.update("DELETE FROM TeamTeilnahme WHERE TeamID = " + teamID + " AND EventID = " + eventID);
SQL.update("DELETE FROM TeamTeilnahme WHERE TeamID = ? AND EventID = ?", teamID, eventID);
}
public static boolean nimmtTeil(int teamID, int eventID){
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = " + teamID + " AND EventID = " + eventID);
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = ? AND EventID = ?", teamID, eventID);
try{
return rs.next();
}catch (SQLException e){
@ -30,7 +30,7 @@ public class TeamTeilnahme {
public static Set<Team> getTeams(int eventID){
Set<Team> teams = new HashSet<>();
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE EventID = " + eventID);
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE EventID = ?", eventID);
try{
while(rs.next())
teams.add(Team.get(rs.getInt("TeamID")));
@ -42,7 +42,7 @@ public class TeamTeilnahme {
public static Set<Event> getEvents(int teamID){
Set<Event> events = new HashSet<>();
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = " + teamID);
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = ?", teamID);
try{
while(rs.next())
events.add(Event.get(rs.getInt("EventID")));