Fixing potential SQL injection vectors

2019-04-23 18:02:46 +02:00 · 2019-04-23 18:02:46 +02:00 · 0771622e09
Commit 0771622e09
--- a/src/de/warking/hunjy/MySQL/MySQL.java
+++ b/src/de/warking/hunjy/MySQL/MySQL.java
@ -98,7 +98,11 @@ public class MySQL {
 		
 		return null;
 	}
-	
+
+	public static String disarmString(String s){
+		return s.replace("'", "");
+	}
+
 	public Connection getCon() {
 		return con;
 	}
--- a/src/de/warking/hunjy/MySQL/Schematic.java
+++ b/src/de/warking/hunjy/MySQL/Schematic.java
@ -46,6 +46,7 @@ public class Schematic {
 	}

 	public static Schematic getSchemFromDB(String schemName, int schemOwner){
+		schemName = MySQL.disarmString(schemName);
 		ResultSet schematic = sql.select("SELECT * FROM Schematic WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'");
 		try {
 			if(schematic == null || !schematic.next()){
--- a/src/de/warking/hunjy/MySQL/WarkingUser.java
+++ b/src/de/warking/hunjy/MySQL/WarkingUser.java
@ -63,6 +63,7 @@ public class WarkingUser {
 	}

 	public static WarkingUser get(String userName){
+		userName = MySQL.disarmString(userName);
 		for(WarkingUser user : allUsers)
 			if(user.UserName.equalsIgnoreCase(userName))
 				return user;