From ec7d1c34d27daa82ff44c3dddb72b2e594e584c4 Mon Sep 17 00:00:00 2001 From: Lixfel Date: Mon, 10 Feb 2020 07:51:01 +0100 Subject: [PATCH] Rework SQL statements to actually use PreparedStatements for security reasons --- .../bungeecore/sql/BannedUserIPs.java | 11 +--- .../bungeecore/sql/BauweltMember.java | 12 ++-- src/de/steamwar/bungeecore/sql/Event.java | 24 +++---- .../steamwar/bungeecore/sql/EventFight.java | 4 +- src/de/steamwar/bungeecore/sql/Mod.java | 5 +- .../steamwar/bungeecore/sql/PollAnswer.java | 4 +- src/de/steamwar/bungeecore/sql/SQL.java | 65 +++++++++---------- src/de/steamwar/bungeecore/sql/Session.java | 2 +- .../steamwar/bungeecore/sql/SteamwarUser.java | 36 +++++----- src/de/steamwar/bungeecore/sql/Team.java | 26 +++----- .../bungeecore/sql/TeamTeilnahme.java | 10 +-- 11 files changed, 85 insertions(+), 114 deletions(-) diff --git a/src/de/steamwar/bungeecore/sql/BannedUserIPs.java b/src/de/steamwar/bungeecore/sql/BannedUserIPs.java index 1b6f36f..1297479 100644 --- a/src/de/steamwar/bungeecore/sql/BannedUserIPs.java +++ b/src/de/steamwar/bungeecore/sql/BannedUserIPs.java @@ -20,7 +20,7 @@ public class BannedUserIPs { public static List get(int userID){ List userIPs = new ArrayList<>(); - ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE UserID = '" + userID + "' ORDER BY Timestamp ASC"); + ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE UserID = ? ORDER BY Timestamp ASC", userID); try { while(dbentry.next()){ userIPs.add(new BannedUserIPs( @@ -35,7 +35,7 @@ public class BannedUserIPs { public static List get(String ip){ List userIDs = new ArrayList<>(); - ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE IP = '" + ip + "' ORDER BY Timestamp DESC"); + ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE IP = ? ORDER BY Timestamp DESC", ip); try { while(dbentry.next()){ userIDs.add(new BannedUserIPs( 
@@ -49,12 +49,7 @@ public class BannedUserIPs { } static void banIP(SteamwarUser user, String ip){ - SQL.update("INSERT INTO BannedUserIPs\n" + - " (UserID, Timestamp, IP)\n" + - "VALUES\n" + - " (" + user.getId() + ", NOW(), '" + ip + "')\n" + - "ON DUPLICATE KEY UPDATE\n" + - " Timestamp=NOW()"); + SQL.update("INSERT INTO BannedUserIPs (UserID, Timestamp, IP) VALUES (?, NOW(), ?) ON DUPLICATE KEY UPDATE Timestamp=NOW()", user.getId(), ip); } public int getUserID() { diff --git a/src/de/steamwar/bungeecore/sql/BauweltMember.java b/src/de/steamwar/bungeecore/sql/BauweltMember.java index 6884477..c85b871 100644 --- a/src/de/steamwar/bungeecore/sql/BauweltMember.java +++ b/src/de/steamwar/bungeecore/sql/BauweltMember.java @@ -39,12 +39,8 @@ public class BauweltMember{ } private void updateDB(){ - SQL.update("INSERT INTO BauweltMember" + - " (BauweltID, MemberID, Build, WorldEdit, World)" + - " VALUES" + - " ('" + bauweltID + "', '" + memberID + "', '" + SQL.booleanToInt(build) + "', '" + SQL.booleanToInt(worldEdit) + "', '" + SQL.booleanToInt(world) + "')" + - " ON DUPLICATE KEY UPDATE" + - " Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)"); + SQL.update("INSERT INTO BauweltMember (BauweltID, MemberID, Build, WorldEdit, World) VALUES (?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)", + bauweltID, memberID, build, worldEdit, world); } public static BauweltMember getBauMember(UUID ownerID, UUID memberID){ @@ -52,7 +48,7 @@ public class BauweltMember{ } public static BauweltMember getBauMember(int ownerID, int memberID){ - ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + ownerID + "' AND MemberID = '" + memberID + "'"); + ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", ownerID, memberID); try { if(member == null || !member.next()){ return null; 
@@ -73,7 +69,7 @@ public class BauweltMember{ public static List getMembers(int bauweltID){ try{ - ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + bauweltID + "'"); + ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ?", bauweltID); List members = new ArrayList<>(); while(memberlist.next()){ int memberID = memberlist.getInt("MemberID"); diff --git a/src/de/steamwar/bungeecore/sql/Event.java b/src/de/steamwar/bungeecore/sql/Event.java index 4711507..9321eca 100644 --- a/src/de/steamwar/bungeecore/sql/Event.java +++ b/src/de/steamwar/bungeecore/sql/Event.java @@ -20,13 +20,13 @@ public class Event { private static Event current = null; - private Event(int eventID, String eventName, Timestamp start, Timestamp end, int maximumTeamMembers, boolean publicSchemsOnly){ - this.eventID = eventID; - this.eventName = eventName; - this.start = start; - this.end = end; - this.maximumTeamMembers = maximumTeamMembers; - this.publicSchemsOnly = publicSchemsOnly; + private Event(ResultSet rs) throws SQLException{ + this.eventID = rs.getInt("EventID"); + this.eventName = rs.getString("EventName"); + this.start = rs.getTimestamp("Start"); + this.end = rs.getTimestamp("End"); + this.maximumTeamMembers = rs.getInt("MaximumTeamMembers"); + this.publicSchemsOnly = rs.getBoolean("PublicSchemsOnly"); } public static Event get(){ @@ -40,7 +40,7 @@ public class Event { return null; } - current = new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly")); + current = new Event(rs); return current; }catch (SQLException e){ BungeeCore.log("Failed to load current Event", e); 
@@ -54,7 +54,7 @@ public class Event { if(!rs.next()) throw new IllegalArgumentException(); - return new Event(eventID, rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly")); + return new Event(rs); }catch (SQLException e){ BungeeCore.log("Failed to load Event", e); throw new SecurityException(); @@ -62,12 +62,12 @@ public class Event { } public static Event get(String eventName){ - ResultSet rs = SQL.select("SELECT * FROM Event WHERE lower(EventName) = '" + SQL.disarmString(eventName.toLowerCase()) + "'"); + ResultSet rs = SQL.select("SELECT * FROM Event WHERE lower(EventName) = ?", eventName.toLowerCase()); try{ if(!rs.next()) return null; - return new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly")); + return new Event(rs); }catch (SQLException e){ BungeeCore.log("Failed to load Event by name", e); throw new SecurityException(); @@ -79,7 +79,7 @@ public class Event { ResultSet rs = SQL.select("SELECT * FROM Event WHERE Start > now()"); try{ while(rs.next()) - events.add(new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly"))); + events.add(new Event(rs)); }catch (SQLException e){ BungeeCore.log("Failed to load Events", e); } diff --git a/src/de/steamwar/bungeecore/sql/EventFight.java b/src/de/steamwar/bungeecore/sql/EventFight.java index 9a6b820..3ee6c69 100644 --- a/src/de/steamwar/bungeecore/sql/EventFight.java +++ b/src/de/steamwar/bungeecore/sql/EventFight.java 
@@ -38,7 +38,7 @@ public class EventFight implements Comparable { public void reschedule(){ startTime = Timestamp.from(new Date().toInstant().plus(30, SECONDS)); - SQL.update("UPDATE EventFight SET StartTime = '" + startTime.toString() + "' WHERE EventID = " + eventID + " AND FightID = " + fightID); + SQL.update("UPDATE EventFight SET StartTime = ? WHERE EventID = ? AND FightID = ?", startTime, eventID, fightID); } public static void loadAllComingFights(){ @@ -54,7 +54,7 @@ public class EventFight implements Comparable { } public static List getEvent(int eventID){ - ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE EventID = " + eventID + " ORDER BY `StartTime` ASC"); + ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE EventID = ? ORDER BY `StartTime` ASC", eventID); List fights = new LinkedList<>(); try{ while(rs.next()) diff --git a/src/de/steamwar/bungeecore/sql/Mod.java b/src/de/steamwar/bungeecore/sql/Mod.java index 54cfc2e..fee3756 100644 --- a/src/de/steamwar/bungeecore/sql/Mod.java +++ b/src/de/steamwar/bungeecore/sql/Mod.java @@ -17,8 +17,7 @@ public class Mod { } public static Mod get(String modName, Platform platform){ - modName = SQL.disarmString(modName); - ResultSet rs = SQL.select("SELECT * FROM Mods WHERE ModName = '" + modName + "' AND Platform = " + platform.value); + ResultSet rs = SQL.select("SELECT * FROM Mods WHERE ModName = ? AND Platform = ?", modName, platform.value); try{ if(rs.next()) return new Mod(modName, platform, ModType.valueOf(rs.getInt("ModType"))); @@ -26,7 +25,7 @@ public class Mod { BungeeCore.log("Failed to load Mod", e); throw new SecurityException(); } - SQL.update("INSERT INTO Mods (ModName, Platform) VALUES ('" + modName + "'," + platform.value + ")"); + SQL.update("INSERT INTO Mods (ModName, Platform) VALUES ('" + modName + "'," + platform.value + ")", modName, platform.value); return new Mod(modName, platform, ModType.UNKLASSIFIED); } 
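Review bot: The INSERT in `Mod.get` still splices `modName` into the SQL text and the statement has no `?` placeholders, so the two arguments appended in this hunk have nothing to bind to; with `SQL.disarmString` removed in the hunk above, `ModName` remains injectable here and most JDBC drivers will reject the call with a parameter-index error before the row is written. The line should read `SQL.update("INSERT INTO Mods (ModName, Platform) VALUES (?, ?)", modName, platform.value);`. Note that the same unsanitised `modName` is also handed to the `Mod` constructor on the next line, which is fine once the INSERT is parameterised.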
diff --git a/src/de/steamwar/bungeecore/sql/PollAnswer.java b/src/de/steamwar/bungeecore/sql/PollAnswer.java index c8ff434..e4752f9 100644 --- a/src/de/steamwar/bungeecore/sql/PollAnswer.java +++ b/src/de/steamwar/bungeecore/sql/PollAnswer.java @@ -23,7 +23,7 @@ public class PollAnswer { } public static PollAnswer get(int userID){ - ResultSet rs = SQL.select("SELECT * FROM PollAnswer WHERE UserID = " + userID + " AND Question = '" + PollSystem.getQuestion() + "'"); + ResultSet rs = SQL.select("SELECT * FROM PollAnswer WHERE UserID = ? AND Question = ?", userID, PollSystem.getQuestion()); try { if(!rs.next()) return new PollAnswer(userID, PollSystem.getQuestion()); @@ -40,6 +40,6 @@ public class PollAnswer { public void setAnswer(int answer){ this.answer = answer; - SQL.update("INSERT INTO PollAnswer (UserID, Question, Answer) VALUES (" + userID + ",'" + question + "'," + answer + ") ON DUPLICATE KEY UPDATE Answer = VALUES(Answer)"); + SQL.update("INSERT INTO PollAnswer (UserID, Question, Answer) VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE Answer = VALUES(Answer)", userID, question, answer); } } diff --git a/src/de/steamwar/bungeecore/sql/SQL.java b/src/de/steamwar/bungeecore/sql/SQL.java index 8686b31..6d6434f 100644 --- a/src/de/steamwar/bungeecore/sql/SQL.java +++ b/src/de/steamwar/bungeecore/sql/SQL.java 
@@ -41,60 +41,55 @@ public class SQL { } } - private static void sqlException(){ - close(); - connect(url, weburl, user, password); - } - - static void update(String qry) { - try (PreparedStatement st = con.prepareStatement(qry)) { - st.executeUpdate(); + static void update(String qry, Object... objects) { + try { + prepare(con, qry, objects).executeUpdate(); } catch (SQLException e) { sqlException(); try (PreparedStatement st = con.prepareStatement(qry)) { st.executeUpdate(); } catch (SQLException ex) { - BungeeCore.log("Could not execute update statement", ex); + throw new SecurityException("Could not execute update statement", ex); } } } - static void webupdate(String qry) { - try (PreparedStatement st = webcon.prepareStatement(qry)) { - st.executeUpdate(); - } catch (SQLException e) { - sqlException(); - try (PreparedStatement st = webcon.prepareStatement(qry)) { - st.executeUpdate(); - } catch (SQLException ex) { - BungeeCore.log("Could not execute update statement", ex); - } - } - } - - static ResultSet select(String qry){ - try{ - PreparedStatement st = con.prepareStatement(qry); - return st.executeQuery(); + static void webupdate(String qry, Object... objects) { + try { + prepare(webcon, qry, objects).executeUpdate(); } catch (SQLException e) { sqlException(); try { - PreparedStatement st = con.prepareStatement(qry); - return st.executeQuery(); + prepare(webcon, qry, objects).executeUpdate(); + } catch (SQLException ex) { + throw new SecurityException("Could not execute update statement", ex); + } + } + } + + static ResultSet select(String qry, Object... 
objects){ + try{ + return prepare(con, qry, objects).executeQuery(); + } catch (SQLException e) { + sqlException(); + try { + return prepare(con, qry, objects).executeQuery(); } catch (SQLException ex) { throw new SecurityException("Could not run Select-Statement", ex); } } } - static String disarmString(String s){ - return s.replace("'", ""); + private static PreparedStatement prepare(Connection connection, String qry, Object... objects) throws SQLException{ + PreparedStatement st = connection.prepareStatement(qry); + for(int i = 0; i < objects.length; i++){ + st.setObject(i+1, objects); + } + return st; } - static Integer booleanToInt(boolean b){ - if(b) - return 1; - else - return 0; + private static void sqlException(){ + close(); + connect(url, weburl, user, password); } } diff --git a/src/de/steamwar/bungeecore/sql/Session.java b/src/de/steamwar/bungeecore/sql/Session.java index 68bf026..d6f3999 100644 --- a/src/de/steamwar/bungeecore/sql/Session.java +++ b/src/de/steamwar/bungeecore/sql/Session.java @@ -14,6 +14,6 @@ public class Session { } public void stopSession(){ - SQL.update("INSERT INTO Session (UserID, StartTime, EndTime) VALUES ("+ userID + ", '" + startTime.toString() + "', NOW())"); + SQL.update("INSERT INTO Session (UserID, StartTime, EndTime) VALUES (?, ?, NOW())", userID, startTime); } } diff --git a/src/de/steamwar/bungeecore/sql/SteamwarUser.java b/src/de/steamwar/bungeecore/sql/SteamwarUser.java index 2b5a91a..d88f12b 100644 --- a/src/de/steamwar/bungeecore/sql/SteamwarUser.java +++ b/src/de/steamwar/bungeecore/sql/SteamwarUser.java @@ -30,7 +30,6 @@ public class SteamwarUser { private static final Map usersByUUID = new HashMap<>(); private static final Map usersById = new HashMap<>(); private static final Timestamp PERMA_BAN = Timestamp.from(Instant.ofEpochSecond(946684800)); - private static final String SELECT_UUID = "SELECT * FROM UserData WHERE UUID = '"; private SteamwarUser(ResultSet rs) throws SQLException { id = rs.getInt("id"); 
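Review bot: `prepare` binds the whole varargs array on every placeholder (`st.setObject(i+1, objects)`) instead of the i-th argument, so every parameterised query introduced by this commit will either throw or store a serialised `Object[]`; it must be `st.setObject(i+1, objects[i]);`. The retry branch of `update` also still calls `con.prepareStatement(qry)` and executes without binding anything, so after a reconnect the statement fails with unset placeholders. Finally, the previous `update` closed its `PreparedStatement` with try-with-resources and the new one never closes it, which leaks a server-side statement per call; `select` has the same shape but returns the `ResultSet`, so its callers (none of which close it in the other hunks) would have to own that.
```java
static void update(String qry, Object... objects) {
    try (PreparedStatement st = prepare(con, qry, objects)) {
        st.executeUpdate();
    } catch (SQLException e) {
        sqlException();
        // the retry must re-bind the same parameters, otherwise it fails on unset placeholders
        try (PreparedStatement st = prepare(con, qry, objects)) {
            st.executeUpdate();
        } catch (SQLException ex) {
            throw new SecurityException("Could not execute update statement", ex);
        }
    }
}

// … unchanged: webupdate, select …

private static PreparedStatement prepare(Connection connection, String qry, Object... objects) throws SQLException{
    PreparedStatement st = connection.prepareStatement(qry);
    for(int i = 0; i < objects.length; i++){
        st.setObject(i+1, objects[i]); // bind the i-th argument, not the varargs array itself
    }
    return st;
}
```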
@@ -51,14 +50,14 @@ public class SteamwarUser { SteamwarUser user = SteamwarUser.get(connection.getUniqueId()); if(user != null){ - String userName = SQL.disarmString(connection.getName()); + String userName = connection.getName(); if(!user.userName.equals(userName)){ - SQL.update("UPDATE UserData SET UserName = '" + userName + "' WHERE id = " + user.id); + SQL.update("UPDATE UserData SET UserName = ? WHERE id = ?", userName, user.id); user.userName = userName; } }else{ - SQL.update("INSERT INTO UserData (UUID, UserName, UserGroup) VALUES ('" + connection.getUniqueId() + "', '" + connection.getName() + "', 'Member')"); - user = dbInit(SQL.select(SELECT_UUID + connection.getUniqueId().toString() + "'")); + SQL.update("INSERT INTO UserData (UUID, UserName, UserGroup) VALUES (?, ?, 'Member')", connection.getUniqueId().toString(), connection.getName()); + user = dbInit(SQL.select("SELECT * FROM UserData WHERE UUID = ?", connection.getUniqueId())); if(user == null) throw new SecurityException("user == null"); } @@ -67,16 +66,16 @@ public class SteamwarUser { } public static SteamwarUser get(String userName){ - userName = SQL.disarmString(userName).toLowerCase(); + userName = userName.toLowerCase(); if(usersByName.containsKey(userName)) return usersByName.get(userName); - return dbInit(SQL.select("SELECT * FROM UserData WHERE lower(UserName) = '" + userName + "'")); + return dbInit(SQL.select("SELECT * FROM UserData WHERE lower(UserName) = ?", userName)); } public static SteamwarUser get(UUID uuid){ if(usersByUUID.containsKey(uuid)) return usersByUUID.get(uuid); - return dbInit(SQL.select(SELECT_UUID + uuid.toString() + "'")); + return dbInit(SQL.select("SELECT * FROM UserData WHERE UUID = ?", uuid.toString())); } public static SteamwarUser get(ProxiedPlayer player){ 
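Review bot: In the `else` branch the lookup right after the INSERT binds `connection.getUniqueId()` as a raw `java.util.UUID`, while the INSERT on the line before and `get(UUID)` in the next hunk both bind `.toString()`; `setObject` has no standard JDBC mapping for `UUID`, so depending on the driver this either throws or compares the VARCHAR column against a serialised object, and the freshly inserted row is never found, tripping the `user == null` SecurityException on a player's first login. It should be `user = dbInit(SQL.select("SELECT * FROM UserData WHERE UUID = ?", connection.getUniqueId().toString()));`. The enclosing method starts before this hunk.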
@@ -86,7 +85,7 @@ public class SteamwarUser { public static SteamwarUser get(int id){ if(usersById.containsKey(id)) return usersById.get(id); - return dbInit(SQL.select("SELECT * FROM UserData WHERE id = " + id)); + return dbInit(SQL.select("SELECT * FROM UserData WHERE id = ?", id)); } public static void clearCache(){ @@ -96,17 +95,12 @@ public class SteamwarUser { } public void setWebpw(String password){ - SQL.webupdate("INSERT INTO User\n" + - " (UID, WebPassword)\n" + - "VALUES\n" + - " (" + id + ", password('"+ SQL.disarmString(password) + "'))\n" + - "ON DUPLICATE KEY UPDATE\n" + - " WebPassword = VALUES(WebPassword)"); + SQL.webupdate("INSERT INTO User (UID, WebPassword) VALUES (?, password(?)) ON DUPLICATE KEY UPDATE WebPassword = VALUES(WebPassword)", id, password); } public void setTeam(int team){ this.team = team; - SQL.update("Update UserData SET Team = " + team + " WHERE id = " + id); + SQL.update("Update UserData SET Team = ? WHERE id = ?", team, id); } public int getId() { @@ -135,8 +129,8 @@ public class SteamwarUser { } else if (banTime.after(new Date()) || banTime.before(PERMA_BAN)) { return true; } else { - SQL.update("UPDATE UserData SET BanTime = NULL, BanReason = '' WHERE id = " + id); - SQL.update("DELETE FROM BannedUserIPs WHERE UserID = '" + getId() + "'"); + SQL.update("UPDATE UserData SET BanTime = NULL, BanReason = '' WHERE id = ?", id); + SQL.update("DELETE FROM BannedUserIPs WHERE UserID = ?", id); banTime = null; banReason = ""; return false; @@ -149,7 +143,7 @@ public class SteamwarUser { }else if(muteTime.after(new Date()) || muteTime.before(PERMA_BAN)){ return true; }else{ - SQL.update("UPDATE UserData SET MuteTime = NULL, MuteReason = '' WHERE id = " + id); + SQL.update("UPDATE UserData SET MuteTime = NULL, MuteReason = '' WHERE id = ?", id); muteTime = null; muteReason = ""; return false; 
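Review bot: `setWebpw` now binds the password as a parameter, which fixes the injection, but it still delegates hashing to the database's `password(?)`; if the web backend is MySQL, `PASSWORD()` is an unsalted fast hash that is deprecated and removed in 8.0, and the cleartext password still crosses the wire to the DB inside the statement. The practical fix is to hash in Java with a password KDF (bcrypt/scrypt/Argon2, or at minimum PBKDF2 via `javax.crypto`) and bind the resulting string, i.e. `VALUES (?, ?)` with the precomputed hash, which also decouples the schema from a DB-specific function. This is pre-existing behaviour rather than introduced here, but the line is being rewritten anyway.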
@@ -179,7 +173,7 @@ public class SteamwarUser { } public void ban(Timestamp time, String banReason){ - SQL.update("UPDATE UserData SET BanTime = '" + time.toString() + "', BanReason = '" + banReason + "' WHERE id = " + id); + SQL.update("UPDATE UserData SET BanTime = ?, BanReason = ? WHERE id = ?", time, banReason, id); banTime = time; this.banReason = banReason; @@ -192,7 +186,7 @@ public class SteamwarUser { } public void mute(Timestamp time, String muteReason){ - SQL.update("UPDATE UserData SET MuteTime = '" + time.toString() + "', MuteReason = '" + muteReason + "' WHERE id = " + id); + SQL.update("UPDATE UserData SET MuteTime = ?, MuteReason = ? WHERE id = ?", time, muteReason, id); muteTime = time; this.muteReason = muteReason; } diff --git a/src/de/steamwar/bungeecore/sql/Team.java b/src/de/steamwar/bungeecore/sql/Team.java index 959bfb2..8251ecf 100644 --- a/src/de/steamwar/bungeecore/sql/Team.java +++ b/src/de/steamwar/bungeecore/sql/Team.java @@ -32,10 +32,7 @@ public class Team { } public static void create(String kuerzel, String name, int leader){ - SQL.update("INSERT INTO Team" + - " (TeamKuerzel, TeamName, TeamLeader)" + - " VALUES" + - " ('" + kuerzel + "', '" + name + "', '" + leader + "')"); + SQL.update("INSERT INTO Team (TeamKuerzel, TeamName, TeamLeader) VALUES (?, ?, ?)", kuerzel, name, leader); } public static Team get(int id){ @@ -46,7 +43,7 @@ public class Team { for(Team team : teamCache) if(team.teamId == id) return team; - return load(select("SELECT * FROM Team WHERE TeamID = " + id)); + return load(select("SELECT * FROM Team WHERE TeamID = ?", id)); } public static Team get(String name){ 
@@ -56,7 +53,7 @@ public class Team { for(Team team : teamCache) if(team.teamKuerzel.equalsIgnoreCase(name)) return team; - return load(select("SELECT * FROM Team WHERE (lower(TeamName) = '" + SQL.disarmString(name).toLowerCase() + "' OR lower(TeamKuerzel) = '" + SQL.disarmString(name).toLowerCase() + "') AND NOT TeamDeleted")); + return load(select("SELECT * FROM Team WHERE (lower(TeamName) = ? OR lower(TeamKuerzel) = ?) AND NOT TeamDeleted", name.toLowerCase(), name.toLowerCase())); } public static List getAll(){ @@ -90,12 +87,7 @@ public class Team { } private void updateDB(){ - SQL.update("INSERT INTO Team" + - " (TeamID, TeamKuerzel, TeamName, TeamLeader)" + - " VALUES" + - " ('" + teamId + "', '" + teamKuerzel + "', '" + teamName + "', '" + teamLeader + "')" + - " ON DUPLICATE KEY UPDATE" + - " TeamName = VALUES(TeamName), TeamKuerzel = VALUES(TeamKuerzel), TeamLeader = VALUES(TeamLeader)"); + SQL.update("INSERT INTO Team (TeamID, TeamKuerzel, TeamName, TeamLeader) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE TeamName = VALUES(TeamName), TeamKuerzel = VALUES(TeamKuerzel), TeamLeader = VALUES(TeamLeader)", teamId, teamKuerzel, teamName, teamLeader); } public int getTeamId() { @@ -107,7 +99,7 @@ public class Team { } public void setTeamKuerzel(String teamKuerzel) { - this.teamKuerzel = SQL.disarmString(teamKuerzel); + this.teamKuerzel = teamKuerzel; updateDB(); } @@ -116,7 +108,7 @@ public class Team { } public void setTeamName(String teamName) { - this.teamName = SQL.disarmString(teamName); + this.teamName = teamName; updateDB(); } @@ -130,7 +122,7 @@ public class Team { } public int size(){ - ResultSet rs = select("SELECT COUNT(id) FROM UserData WHERE Team = " + teamId); + ResultSet rs = select("SELECT COUNT(id) FROM UserData WHERE Team = ?", teamId); try { rs.next(); return rs.getInt("COUNT(id)"); 
@@ -141,13 +133,13 @@ public class Team { } public void disband(){ - SQL.update("UPDATE Team SET TeamDeleted = 1, TeamLeader = NULL WHERE TeamID = " + teamId); + SQL.update("UPDATE Team SET TeamDeleted = 1, TeamLeader = NULL WHERE TeamID = ?", teamId); teamCache.remove(this); } public List getMembers(){ try{ - ResultSet memberlist = select("SELECT id FROM UserData WHERE Team = '" + teamId + "'"); + ResultSet memberlist = select("SELECT id FROM UserData WHERE Team = ?", teamId); List members = new ArrayList<>(); while(memberlist.next()){ members.add(memberlist.getInt("id")); diff --git a/src/de/steamwar/bungeecore/sql/TeamTeilnahme.java b/src/de/steamwar/bungeecore/sql/TeamTeilnahme.java index 9b1458f..86a3b77 100644 --- a/src/de/steamwar/bungeecore/sql/TeamTeilnahme.java +++ b/src/de/steamwar/bungeecore/sql/TeamTeilnahme.java @@ -11,15 +11,15 @@ public class TeamTeilnahme { private TeamTeilnahme(){} public static void teilnehmen(int teamID, int eventID){ - SQL.update("INSERT INTO TeamTeilnahme (TeamID, EventID) VALUES (" + teamID + "," + eventID + ")"); + SQL.update("INSERT INTO TeamTeilnahme (TeamID, EventID) VALUES (?, ?)", teamID, eventID); } public static void notTeilnehmen(int teamID, int eventID){ - SQL.update("DELETE FROM TeamTeilnahme WHERE TeamID = " + teamID + " AND EventID = " + eventID); + SQL.update("DELETE FROM TeamTeilnahme WHERE TeamID = ? AND EventID = ?", teamID, eventID); } public static boolean nimmtTeil(int teamID, int eventID){ - ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = " + teamID + " AND EventID = " + eventID); + ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = ? AND EventID = ?", teamID, eventID); try{ return rs.next(); }catch (SQLException e){ 
@@ -30,7 +30,7 @@ public class TeamTeilnahme { public static Set getTeams(int eventID){ Set teams = new HashSet<>(); - ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE EventID = " + eventID); + ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE EventID = ?", eventID); try{ while(rs.next()) teams.add(Team.get(rs.getInt("TeamID"))); @@ -42,7 +42,7 @@ public class TeamTeilnahme { public static Set getEvents(int teamID){ Set events = new HashSet<>(); - ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = " + teamID); + ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = ?", teamID); try{ while(rs.next()) events.add(Event.get(rs.getInt("EventID")));