SteamWar/BungeeCore

Rework SQL statements to actually use PreparedStatements for security reasons

Dieser Commit ist enthalten in:
Lixfel 2020-02-10 07:51:01 +01:00
Ursprung 583760c036
Commit ec7d1c34d2
11 geänderte Dateien mit 85 neuen und 114 gelöschten Zeilen


@ -20,7 +20,7 @@ public class BannedUserIPs {
public static List<BannedUserIPs> get(int userID){ public static List<BannedUserIPs> get(int userID){
List<BannedUserIPs> userIPs = new ArrayList<>(); List<BannedUserIPs> userIPs = new ArrayList<>();
ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE UserID = '" + userID + "' ORDER BY Timestamp ASC"); ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE UserID = ? ORDER BY Timestamp ASC", userID);
try { try {
while(dbentry.next()){ while(dbentry.next()){
userIPs.add(new BannedUserIPs( userIPs.add(new BannedUserIPs(
@ -35,7 +35,7 @@ public class BannedUserIPs {
public static List<BannedUserIPs> get(String ip){ public static List<BannedUserIPs> get(String ip){
List<BannedUserIPs> userIDs = new ArrayList<>(); List<BannedUserIPs> userIDs = new ArrayList<>();
ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE IP = '" + ip + "' ORDER BY Timestamp DESC"); ResultSet dbentry = SQL.select("SELECT * FROM BannedUserIPs WHERE IP = ? ORDER BY Timestamp DESC", ip);
try { try {
while(dbentry.next()){ while(dbentry.next()){
userIDs.add(new BannedUserIPs( userIDs.add(new BannedUserIPs(
@ -49,12 +49,7 @@ public class BannedUserIPs {
} }
static void banIP(SteamwarUser user, String ip){ static void banIP(SteamwarUser user, String ip){
SQL.update("INSERT INTO BannedUserIPs\n" + SQL.update("INSERT INTO BannedUserIPs (UserID, Timestamp, IP) VALUES (?, NOW(), ?) ON DUPLICATE KEY UPDATE Timestamp=NOW()", user.getId(), ip);
" (UserID, Timestamp, IP)\n" +
"VALUES\n" +
" (" + user.getId() + ", NOW(), '" + ip + "')\n" +
"ON DUPLICATE KEY UPDATE\n" +
" Timestamp=NOW()");
} }
public int getUserID() { public int getUserID() {


@ -39,12 +39,8 @@ public class BauweltMember{
} }
private void updateDB(){ private void updateDB(){
SQL.update("INSERT INTO BauweltMember" + SQL.update("INSERT INTO BauweltMember (BauweltID, MemberID, Build, WorldEdit, World) VALUES (?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)",
" (BauweltID, MemberID, Build, WorldEdit, World)" + bauweltID, memberID, build, worldEdit, world);
" VALUES" +
" ('" + bauweltID + "', '" + memberID + "', '" + SQL.booleanToInt(build) + "', '" + SQL.booleanToInt(worldEdit) + "', '" + SQL.booleanToInt(world) + "')" +
" ON DUPLICATE KEY UPDATE" +
" Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)");
} }
public static BauweltMember getBauMember(UUID ownerID, UUID memberID){ public static BauweltMember getBauMember(UUID ownerID, UUID memberID){
@ -52,7 +48,7 @@ public class BauweltMember{
} }
public static BauweltMember getBauMember(int ownerID, int memberID){ public static BauweltMember getBauMember(int ownerID, int memberID){
ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + ownerID + "' AND MemberID = '" + memberID + "'"); ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", ownerID, memberID);
try { try {
if(member == null || !member.next()){ if(member == null || !member.next()){
return null; return null;
@ -73,7 +69,7 @@ public class BauweltMember{
public static List<BauweltMember> getMembers(int bauweltID){ public static List<BauweltMember> getMembers(int bauweltID){
try{ try{
ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + bauweltID + "'"); ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ?", bauweltID);
List<BauweltMember> members = new ArrayList<>(); List<BauweltMember> members = new ArrayList<>();
while(memberlist.next()){ while(memberlist.next()){
int memberID = memberlist.getInt("MemberID"); int memberID = memberlist.getInt("MemberID");
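Review bot: `updateDB` now binds the `build`/`worldEdit`/`world` booleans directly where the old code went through `SQL.booleanToInt` and wrote the literals `'0'`/`'1'`, and this commit removes `booleanToInt` from `SQL` altogether. Whether a `Boolean` bound via `setObject` lands correctly depends on the column types; with MySQL Connector/J it is normally sent as a value a TINYINT(1)/BOOLEAN column accepts, but that should be confirmed against the schema rather than assumed. A one-line comment above the call, such as `// Build/WorldEdit/World are bound as Boolean; columns are expected to be TINYINT(1)`, would make the expectation explicit for the next reader. The `getBauMember`/`getMembers` ResultSets (and their PreparedStatements) are still never closed, which predates this change.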


@ -20,13 +20,13 @@ public class Event {
private static Event current = null; private static Event current = null;
private Event(int eventID, String eventName, Timestamp start, Timestamp end, int maximumTeamMembers, boolean publicSchemsOnly){ private Event(ResultSet rs) throws SQLException{
this.eventID = eventID; this.eventID = rs.getInt("EventID");
this.eventName = eventName; this.eventName = rs.getString("EventName");
this.start = start; this.start = rs.getTimestamp("Start");
this.end = end; this.end = rs.getTimestamp("End");
this.maximumTeamMembers = maximumTeamMembers; this.maximumTeamMembers = rs.getInt("MaximumTeamMembers");
this.publicSchemsOnly = publicSchemsOnly; this.publicSchemsOnly = rs.getBoolean("PublicSchemsOnly");
} }
public static Event get(){ public static Event get(){
@ -40,7 +40,7 @@ public class Event {
return null; return null;
} }
current = new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly")); current = new Event(rs);
return current; return current;
}catch (SQLException e){ }catch (SQLException e){
BungeeCore.log("Failed to load current Event", e); BungeeCore.log("Failed to load current Event", e);
@ -54,7 +54,7 @@ public class Event {
if(!rs.next()) if(!rs.next())
throw new IllegalArgumentException(); throw new IllegalArgumentException();
return new Event(eventID, rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly")); return new Event(rs);
}catch (SQLException e){ }catch (SQLException e){
BungeeCore.log("Failed to load Event", e); BungeeCore.log("Failed to load Event", e);
throw new SecurityException(); throw new SecurityException();
@ -62,12 +62,12 @@ public class Event {
} }
public static Event get(String eventName){ public static Event get(String eventName){
ResultSet rs = SQL.select("SELECT * FROM Event WHERE lower(EventName) = '" + SQL.disarmString(eventName.toLowerCase()) + "'"); ResultSet rs = SQL.select("SELECT * FROM Event WHERE lower(EventName) = ?", eventName.toLowerCase());
try{ try{
if(!rs.next()) if(!rs.next())
return null; return null;
return new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly")); return new Event(rs);
}catch (SQLException e){ }catch (SQLException e){
BungeeCore.log("Failed to load Event by name", e); BungeeCore.log("Failed to load Event by name", e);
throw new SecurityException(); throw new SecurityException();
@ -79,7 +79,7 @@ public class Event {
ResultSet rs = SQL.select("SELECT * FROM Event WHERE Start > now()"); ResultSet rs = SQL.select("SELECT * FROM Event WHERE Start > now()");
try{ try{
while(rs.next()) while(rs.next())
events.add(new Event(rs.getInt("EventID"), rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly"))); events.add(new Event(rs));
}catch (SQLException e){ }catch (SQLException e){
BungeeCore.log("Failed to load Events", e); BungeeCore.log("Failed to load Events", e);
} }
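Review bot: `get(String eventName)` compares the database's `lower(EventName)` with Java's `eventName.toLowerCase()`, which uses the JVM default locale and can disagree with the database's lowering for non-ASCII names (the Turkish dotted/dotless i is the classic case); `eventName.toLowerCase(Locale.ROOT)` keeps the Java side deterministic (needs `java.util.Locale`). The new `Event(ResultSet)` constructor is a good consolidation, but a short Javadoc stating that it reads the current row and does not advance the cursor — `/** Builds an Event from the ResultSet's current row; the caller must have called next(). */` — would document the contract every call site now relies on. The ResultSets in this class are never closed, which predates this commit but is worth a follow-up now that every query goes through `prepare`.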


@ -38,7 +38,7 @@ public class EventFight implements Comparable<EventFight> {
public void reschedule(){ public void reschedule(){
startTime = Timestamp.from(new Date().toInstant().plus(30, SECONDS)); startTime = Timestamp.from(new Date().toInstant().plus(30, SECONDS));
SQL.update("UPDATE EventFight SET StartTime = '" + startTime.toString() + "' WHERE EventID = " + eventID + " AND FightID = " + fightID); SQL.update("UPDATE EventFight SET StartTime = ? WHERE EventID = ? AND FightID = ?", startTime, eventID, fightID);
} }
public static void loadAllComingFights(){ public static void loadAllComingFights(){
@ -54,7 +54,7 @@ public class EventFight implements Comparable<EventFight> {
} }
public static List<EventFight> getEvent(int eventID){ public static List<EventFight> getEvent(int eventID){
ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE EventID = " + eventID + " ORDER BY `StartTime` ASC"); ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE EventID = ? ORDER BY `StartTime` ASC", eventID);
List<EventFight> fights = new LinkedList<>(); List<EventFight> fights = new LinkedList<>();
try{ try{
while(rs.next()) while(rs.next())
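Review bot: `reschedule` still derives the new start time through the legacy `java.util.Date` (`new Date().toInstant().plus(30, SECONDS)`); `Timestamp.from(Instant.now().plusSeconds(30))` expresses the same value without the `Date` detour or the static import of `SECONDS`. Binding `startTime` as a `Timestamp` parameter rather than interpolating `startTime.toString()` is the right move, since the stored value no longer depends on `Timestamp.toString()` formatting; a comment noting that it is now sent as a JDBC TIMESTAMP would help anyone who later compares it with the old string-based rows.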


@ -17,8 +17,7 @@ public class Mod {
} }
public static Mod get(String modName, Platform platform){ public static Mod get(String modName, Platform platform){
modName = SQL.disarmString(modName); ResultSet rs = SQL.select("SELECT * FROM Mods WHERE ModName = ? AND Platform = ?", modName, platform.value);
ResultSet rs = SQL.select("SELECT * FROM Mods WHERE ModName = '" + modName + "' AND Platform = " + platform.value);
try{ try{
if(rs.next()) if(rs.next())
return new Mod(modName, platform, ModType.valueOf(rs.getInt("ModType"))); return new Mod(modName, platform, ModType.valueOf(rs.getInt("ModType")));
@ -26,7 +25,7 @@ public class Mod {
BungeeCore.log("Failed to load Mod", e); BungeeCore.log("Failed to load Mod", e);
throw new SecurityException(); throw new SecurityException();
} }
SQL.update("INSERT INTO Mods (ModName, Platform) VALUES ('" + modName + "'," + platform.value + ")"); SQL.update("INSERT INTO Mods (ModName, Platform) VALUES ('" + modName + "'," + platform.value + ")", modName, platform.value);
return new Mod(modName, platform, ModType.UNKLASSIFIED); return new Mod(modName, platform, ModType.UNKLASSIFIED);
} }
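Review bot: The INSERT at the end of `get` still concatenates `modName` and `platform.value` into the SQL text and merely appends them as parameters; the string contains no `?` placeholders, so binding parameter 1 will fail with an SQLException, and because `SQL.disarmString(modName)` was removed earlier in the method, the concatenated `modName` is now injectable without even the old quote-stripping. It should read `SQL.update("INSERT INTO Mods (ModName, Platform) VALUES (?, ?)", modName, platform.value);`. Once that is fixed, building the returned `Mod` from the raw `modName` (rather than the disarmed one) is the intended behaviour and needs no further change.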


@ -23,7 +23,7 @@ public class PollAnswer {
} }
public static PollAnswer get(int userID){ public static PollAnswer get(int userID){
ResultSet rs = SQL.select("SELECT * FROM PollAnswer WHERE UserID = " + userID + " AND Question = '" + PollSystem.getQuestion() + "'"); ResultSet rs = SQL.select("SELECT * FROM PollAnswer WHERE UserID = ? AND Question = ?", userID, PollSystem.getQuestion());
try { try {
if(!rs.next()) if(!rs.next())
return new PollAnswer(userID, PollSystem.getQuestion()); return new PollAnswer(userID, PollSystem.getQuestion());
@ -40,6 +40,6 @@ public class PollAnswer {
public void setAnswer(int answer){ public void setAnswer(int answer){
this.answer = answer; this.answer = answer;
SQL.update("INSERT INTO PollAnswer (UserID, Question, Answer) VALUES (" + userID + ",'" + question + "'," + answer + ") ON DUPLICATE KEY UPDATE Answer = VALUES(Answer)"); SQL.update("INSERT INTO PollAnswer (UserID, Question, Answer) VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE Answer = VALUES(Answer)", userID, question, answer);
} }
} }


@ -41,60 +41,55 @@ public class SQL {
} }
} }
private static void sqlException(){ static void update(String qry, Object... objects) {
close(); try {
connect(url, weburl, user, password); prepare(con, qry, objects).executeUpdate();
}
static void update(String qry) {
try (PreparedStatement st = con.prepareStatement(qry)) {
st.executeUpdate();
} catch (SQLException e) { } catch (SQLException e) {
sqlException(); sqlException();
try (PreparedStatement st = con.prepareStatement(qry)) { try (PreparedStatement st = con.prepareStatement(qry)) {
st.executeUpdate(); st.executeUpdate();
} catch (SQLException ex) { } catch (SQLException ex) {
BungeeCore.log("Could not execute update statement", ex); throw new SecurityException("Could not execute update statement", ex);
} }
} }
} }
static void webupdate(String qry) { static void webupdate(String qry, Object... objects) {
try (PreparedStatement st = webcon.prepareStatement(qry)) { try {
st.executeUpdate(); prepare(webcon, qry, objects).executeUpdate();
} catch (SQLException e) { } catch (SQLException e) {
sqlException(); sqlException();
try (PreparedStatement st = webcon.prepareStatement(qry)) { try {
st.executeUpdate(); prepare(webcon, qry, objects).executeUpdate();
} catch (SQLException ex) { } catch (SQLException ex) {
BungeeCore.log("Could not execute update statement", ex); throw new SecurityException("Could not execute update statement", ex);
} }
} }
} }
static ResultSet select(String qry){ static ResultSet select(String qry, Object... objects){
try{ try{
PreparedStatement st = con.prepareStatement(qry); return prepare(con, qry, objects).executeQuery();
return st.executeQuery();
} catch (SQLException e) { } catch (SQLException e) {
sqlException(); sqlException();
try { try {
PreparedStatement st = con.prepareStatement(qry); return prepare(con, qry, objects).executeQuery();
return st.executeQuery();
} catch (SQLException ex) { } catch (SQLException ex) {
throw new SecurityException("Could not run Select-Statement", ex); throw new SecurityException("Could not run Select-Statement", ex);
} }
} }
} }
static String disarmString(String s){ private static PreparedStatement prepare(Connection connection, String qry, Object... objects) throws SQLException{
return s.replace("'", ""); PreparedStatement st = connection.prepareStatement(qry);
for(int i = 0; i < objects.length; i++){
st.setObject(i+1, objects);
}
return st;
} }
static Integer booleanToInt(boolean b){ private static void sqlException(){
if(b) close();
return 1; connect(url, weburl, user, password);
else
return 0;
} }
} }
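Review bot: `prepare` binds the wrong value — `st.setObject(i+1, objects)` passes the whole varargs array at every index instead of the i-th element, so every parameterised query in this commit goes through a broken binding path; it should be `st.setObject(i + 1, objects[i]);`. The retry branch of `update` also diverges from `webupdate`: after `sqlException()` it falls back to `con.prepareStatement(qry)` and executes without binding anything, so a query with `?` placeholders fails the second time as well; use `prepare(con, qry, objects).executeUpdate();` there, as `webupdate` already does. Separately, the try-with-resources that the old `update`/`webupdate` had is gone, so the PreparedStatements returned by `prepare` are never closed (the ones behind `select` never were), which will accumulate open handles on the connection; wrap the update paths in try-with-resources and consider having `select` callers close their ResultSets.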


@ -14,6 +14,6 @@ public class Session {
} }
public void stopSession(){ public void stopSession(){
SQL.update("INSERT INTO Session (UserID, StartTime, EndTime) VALUES ("+ userID + ", '" + startTime.toString() + "', NOW())"); SQL.update("INSERT INTO Session (UserID, StartTime, EndTime) VALUES (?, ?, NOW())", userID, startTime);
} }
} }


@ -30,7 +30,6 @@ public class SteamwarUser {
private static final Map<UUID, SteamwarUser> usersByUUID = new HashMap<>(); private static final Map<UUID, SteamwarUser> usersByUUID = new HashMap<>();
private static final Map<Integer, SteamwarUser> usersById = new HashMap<>(); private static final Map<Integer, SteamwarUser> usersById = new HashMap<>();
private static final Timestamp PERMA_BAN = Timestamp.from(Instant.ofEpochSecond(946684800)); private static final Timestamp PERMA_BAN = Timestamp.from(Instant.ofEpochSecond(946684800));
private static final String SELECT_UUID = "SELECT * FROM UserData WHERE UUID = '";
private SteamwarUser(ResultSet rs) throws SQLException { private SteamwarUser(ResultSet rs) throws SQLException {
id = rs.getInt("id"); id = rs.getInt("id");
@ -51,14 +50,14 @@ public class SteamwarUser {
SteamwarUser user = SteamwarUser.get(connection.getUniqueId()); SteamwarUser user = SteamwarUser.get(connection.getUniqueId());
if(user != null){ if(user != null){
String userName = SQL.disarmString(connection.getName()); String userName = connection.getName();
if(!user.userName.equals(userName)){ if(!user.userName.equals(userName)){
SQL.update("UPDATE UserData SET UserName = '" + userName + "' WHERE id = " + user.id); SQL.update("UPDATE UserData SET UserName = ? WHERE id = ?", userName, user.id);
user.userName = userName; user.userName = userName;
} }
}else{ }else{
SQL.update("INSERT INTO UserData (UUID, UserName, UserGroup) VALUES ('" + connection.getUniqueId() + "', '" + connection.getName() + "', 'Member')"); SQL.update("INSERT INTO UserData (UUID, UserName, UserGroup) VALUES (?, ?, 'Member')", connection.getUniqueId().toString(), connection.getName());
user = dbInit(SQL.select(SELECT_UUID + connection.getUniqueId().toString() + "'")); user = dbInit(SQL.select("SELECT * FROM UserData WHERE UUID = ?", connection.getUniqueId()));
if(user == null) if(user == null)
throw new SecurityException("user == null"); throw new SecurityException("user == null");
} }
@ -67,16 +66,16 @@ public class SteamwarUser {
} }
public static SteamwarUser get(String userName){ public static SteamwarUser get(String userName){
userName = SQL.disarmString(userName).toLowerCase(); userName = userName.toLowerCase();
if(usersByName.containsKey(userName)) if(usersByName.containsKey(userName))
return usersByName.get(userName); return usersByName.get(userName);
return dbInit(SQL.select("SELECT * FROM UserData WHERE lower(UserName) = '" + userName + "'")); return dbInit(SQL.select("SELECT * FROM UserData WHERE lower(UserName) = ?", userName));
} }
public static SteamwarUser get(UUID uuid){ public static SteamwarUser get(UUID uuid){
if(usersByUUID.containsKey(uuid)) if(usersByUUID.containsKey(uuid))
return usersByUUID.get(uuid); return usersByUUID.get(uuid);
return dbInit(SQL.select(SELECT_UUID + uuid.toString() + "'")); return dbInit(SQL.select("SELECT * FROM UserData WHERE UUID = ?", uuid.toString()));
} }
public static SteamwarUser get(ProxiedPlayer player){ public static SteamwarUser get(ProxiedPlayer player){
@ -86,7 +85,7 @@ public class SteamwarUser {
public static SteamwarUser get(int id){ public static SteamwarUser get(int id){
if(usersById.containsKey(id)) if(usersById.containsKey(id))
return usersById.get(id); return usersById.get(id);
return dbInit(SQL.select("SELECT * FROM UserData WHERE id = " + id)); return dbInit(SQL.select("SELECT * FROM UserData WHERE id = ?", id));
} }
public static void clearCache(){ public static void clearCache(){
@ -96,17 +95,12 @@ public class SteamwarUser {
} }
public void setWebpw(String password){ public void setWebpw(String password){
SQL.webupdate("INSERT INTO User\n" + SQL.webupdate("INSERT INTO User (UID, WebPassword) VALUES (?, password(?)) ON DUPLICATE KEY UPDATE WebPassword = VALUES(WebPassword)", id, password);
" (UID, WebPassword)\n" +
"VALUES\n" +
" (" + id + ", password('"+ SQL.disarmString(password) + "'))\n" +
"ON DUPLICATE KEY UPDATE\n" +
" WebPassword = VALUES(WebPassword)");
} }
public void setTeam(int team){ public void setTeam(int team){
this.team = team; this.team = team;
SQL.update("Update UserData SET Team = " + team + " WHERE id = " + id); SQL.update("Update UserData SET Team = ? WHERE id = ?", team, id);
} }
public int getId() { public int getId() {
@ -135,8 +129,8 @@ public class SteamwarUser {
} else if (banTime.after(new Date()) || banTime.before(PERMA_BAN)) { } else if (banTime.after(new Date()) || banTime.before(PERMA_BAN)) {
return true; return true;
} else { } else {
SQL.update("UPDATE UserData SET BanTime = NULL, BanReason = '' WHERE id = " + id); SQL.update("UPDATE UserData SET BanTime = NULL, BanReason = '' WHERE id = ?", id);
SQL.update("DELETE FROM BannedUserIPs WHERE UserID = '" + getId() + "'"); SQL.update("DELETE FROM BannedUserIPs WHERE UserID = ?", id);
banTime = null; banTime = null;
banReason = ""; banReason = "";
return false; return false;
@ -149,7 +143,7 @@ public class SteamwarUser {
}else if(muteTime.after(new Date()) || muteTime.before(PERMA_BAN)){ }else if(muteTime.after(new Date()) || muteTime.before(PERMA_BAN)){
return true; return true;
}else{ }else{
SQL.update("UPDATE UserData SET MuteTime = NULL, MuteReason = '' WHERE id = " + id); SQL.update("UPDATE UserData SET MuteTime = NULL, MuteReason = '' WHERE id = ?", id);
muteTime = null; muteTime = null;
muteReason = ""; muteReason = "";
return false; return false;
@ -179,7 +173,7 @@ public class SteamwarUser {
} }
public void ban(Timestamp time, String banReason){ public void ban(Timestamp time, String banReason){
SQL.update("UPDATE UserData SET BanTime = '" + time.toString() + "', BanReason = '" + banReason + "' WHERE id = " + id); SQL.update("UPDATE UserData SET BanTime = ?, BanReason = ? WHERE id = ?", time, banReason, id);
banTime = time; banTime = time;
this.banReason = banReason; this.banReason = banReason;
@ -192,7 +186,7 @@ public class SteamwarUser {
} }
public void mute(Timestamp time, String muteReason){ public void mute(Timestamp time, String muteReason){
SQL.update("UPDATE UserData SET MuteTime = '" + time.toString() + "', MuteReason = '" + muteReason + "' WHERE id = " + id); SQL.update("UPDATE UserData SET MuteTime = ?, MuteReason = ? WHERE id = ?", time, muteReason, id);
muteTime = time; muteTime = time;
this.muteReason = muteReason; this.muteReason = muteReason;
} }
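Review bot: The two UUID lookups disagree about the bound type: the lookup after the INSERT in the `else` branch passes the `UUID` object itself, while `get(UUID)` and the INSERT pass `toString()`. `PreparedStatement.setObject` with a `java.util.UUID` is driver-dependent (MySQL Connector/J has no dedicated mapping for it and may reject or serialise it), so bind `connection.getUniqueId().toString()` there as well to match the column's string representation. Separately, `setWebpw` still stores the password with the database's `password(?)` function, which in MySQL/MariaDB is an unsalted, deprecated hash not suited for user credentials; if this column backs a web login, hashing in Java with a salted password hash (e.g. PBKDF2 via `javax.crypto`) before the INSERT would be the safer design, though that is outside what this commit sets out to do.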


@ -32,10 +32,7 @@ public class Team {
} }
public static void create(String kuerzel, String name, int leader){ public static void create(String kuerzel, String name, int leader){
SQL.update("INSERT INTO Team" + SQL.update("INSERT INTO Team (TeamKuerzel, TeamName, TeamLeader) VALUES (?, ?, ?)", kuerzel, name, leader);
" (TeamKuerzel, TeamName, TeamLeader)" +
" VALUES" +
" ('" + kuerzel + "', '" + name + "', '" + leader + "')");
} }
public static Team get(int id){ public static Team get(int id){
@ -46,7 +43,7 @@ public class Team {
for(Team team : teamCache) for(Team team : teamCache)
if(team.teamId == id) if(team.teamId == id)
return team; return team;
return load(select("SELECT * FROM Team WHERE TeamID = " + id)); return load(select("SELECT * FROM Team WHERE TeamID = ?", id));
} }
public static Team get(String name){ public static Team get(String name){
@ -56,7 +53,7 @@ public class Team {
for(Team team : teamCache) for(Team team : teamCache)
if(team.teamKuerzel.equalsIgnoreCase(name)) if(team.teamKuerzel.equalsIgnoreCase(name))
return team; return team;
return load(select("SELECT * FROM Team WHERE (lower(TeamName) = '" + SQL.disarmString(name).toLowerCase() + "' OR lower(TeamKuerzel) = '" + SQL.disarmString(name).toLowerCase() + "') AND NOT TeamDeleted")); return load(select("SELECT * FROM Team WHERE (lower(TeamName) = ? OR lower(TeamKuerzel) = ?) AND NOT TeamDeleted", name.toLowerCase(), name.toLowerCase()));
} }
public static List<Team> getAll(){ public static List<Team> getAll(){
@ -90,12 +87,7 @@ public class Team {
} }
private void updateDB(){ private void updateDB(){
SQL.update("INSERT INTO Team" + SQL.update("INSERT INTO Team (TeamID, TeamKuerzel, TeamName, TeamLeader) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE TeamName = VALUES(TeamName), TeamKuerzel = VALUES(TeamKuerzel), TeamLeader = VALUES(TeamLeader)", teamId, teamKuerzel, teamName, teamLeader);
" (TeamID, TeamKuerzel, TeamName, TeamLeader)" +
" VALUES" +
" ('" + teamId + "', '" + teamKuerzel + "', '" + teamName + "', '" + teamLeader + "')" +
" ON DUPLICATE KEY UPDATE" +
" TeamName = VALUES(TeamName), TeamKuerzel = VALUES(TeamKuerzel), TeamLeader = VALUES(TeamLeader)");
} }
public int getTeamId() { public int getTeamId() {
@ -107,7 +99,7 @@ public class Team {
} }
public void setTeamKuerzel(String teamKuerzel) { public void setTeamKuerzel(String teamKuerzel) {
this.teamKuerzel = SQL.disarmString(teamKuerzel); this.teamKuerzel = teamKuerzel;
updateDB(); updateDB();
} }
@ -116,7 +108,7 @@ public class Team {
} }
public void setTeamName(String teamName) { public void setTeamName(String teamName) {
this.teamName = SQL.disarmString(teamName); this.teamName = teamName;
updateDB(); updateDB();
} }
@ -130,7 +122,7 @@ public class Team {
} }
public int size(){ public int size(){
ResultSet rs = select("SELECT COUNT(id) FROM UserData WHERE Team = " + teamId); ResultSet rs = select("SELECT COUNT(id) FROM UserData WHERE Team = ?", teamId);
try { try {
rs.next(); rs.next();
return rs.getInt("COUNT(id)"); return rs.getInt("COUNT(id)");
@ -141,13 +133,13 @@ public class Team {
} }
public void disband(){ public void disband(){
SQL.update("UPDATE Team SET TeamDeleted = 1, TeamLeader = NULL WHERE TeamID = " + teamId); SQL.update("UPDATE Team SET TeamDeleted = 1, TeamLeader = NULL WHERE TeamID = ?", teamId);
teamCache.remove(this); teamCache.remove(this);
} }
public List<Integer> getMembers(){ public List<Integer> getMembers(){
try{ try{
ResultSet memberlist = select("SELECT id FROM UserData WHERE Team = '" + teamId + "'"); ResultSet memberlist = select("SELECT id FROM UserData WHERE Team = ?", teamId);
List<Integer> members = new ArrayList<>(); List<Integer> members = new ArrayList<>();
while(memberlist.next()){ while(memberlist.next()){
members.add(memberlist.getInt("id")); members.add(memberlist.getInt("id"));
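Review bot: `get(String name)` lowercases `name` twice and with the JVM default locale; compute it once as `String lower = name.toLowerCase(Locale.ROOT);` and bind `lower` for both placeholders, so the comparison with the database's `lower()` does not depend on the process locale (needs `java.util.Locale`). With `disarmString` gone from `setTeamKuerzel`/`setTeamName`, the raw strings are now stored — correct with parameters — but any length or character restriction on the columns is now the only validation, so an over-long name may surface as an SQLException from `updateDB` (rethrown as `SecurityException`) instead of being silently altered; a short comment on the setters noting that input validation is expected to happen at the command layer would make that explicit.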


@ -11,15 +11,15 @@ public class TeamTeilnahme {
private TeamTeilnahme(){} private TeamTeilnahme(){}
public static void teilnehmen(int teamID, int eventID){ public static void teilnehmen(int teamID, int eventID){
SQL.update("INSERT INTO TeamTeilnahme (TeamID, EventID) VALUES (" + teamID + "," + eventID + ")"); SQL.update("INSERT INTO TeamTeilnahme (TeamID, EventID) VALUES (?, ?)", teamID, eventID);
} }
public static void notTeilnehmen(int teamID, int eventID){ public static void notTeilnehmen(int teamID, int eventID){
SQL.update("DELETE FROM TeamTeilnahme WHERE TeamID = " + teamID + " AND EventID = " + eventID); SQL.update("DELETE FROM TeamTeilnahme WHERE TeamID = ? AND EventID = ?", teamID, eventID);
} }
public static boolean nimmtTeil(int teamID, int eventID){ public static boolean nimmtTeil(int teamID, int eventID){
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = " + teamID + " AND EventID = " + eventID); ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = ? AND EventID = ?", teamID, eventID);
try{ try{
return rs.next(); return rs.next();
}catch (SQLException e){ }catch (SQLException e){
@ -30,7 +30,7 @@ public class TeamTeilnahme {
public static Set<Team> getTeams(int eventID){ public static Set<Team> getTeams(int eventID){
Set<Team> teams = new HashSet<>(); Set<Team> teams = new HashSet<>();
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE EventID = " + eventID); ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE EventID = ?", eventID);
try{ try{
while(rs.next()) while(rs.next())
teams.add(Team.get(rs.getInt("TeamID"))); teams.add(Team.get(rs.getInt("TeamID")));
@ -42,7 +42,7 @@ public class TeamTeilnahme {
public static Set<Event> getEvents(int teamID){ public static Set<Event> getEvents(int teamID){
Set<Event> events = new HashSet<>(); Set<Event> events = new HashSet<>();
ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = " + teamID); ResultSet rs = SQL.select("SELECT * FROM TeamTeilnahme WHERE TeamID = ?", teamID);
try{ try{
while(rs.next()) while(rs.next())
events.add(Event.get(rs.getInt("EventID"))); events.add(Event.get(rs.getInt("EventID")));