From 0771622e099ef4374615f4bd1838124c69582b6e Mon Sep 17 00:00:00 2001
From: Lixfel
Date: Tue, 23 Apr 2019 18:02:46 +0200
Subject: [PATCH] Fixing potential SQL injection vectors

---
 src/de/warking/hunjy/MySQL/MySQL.java       | 6 +++++-
 src/de/warking/hunjy/MySQL/Schematic.java   | 1 +
 src/de/warking/hunjy/MySQL/WarkingUser.java | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/de/warking/hunjy/MySQL/MySQL.java b/src/de/warking/hunjy/MySQL/MySQL.java
index 88bc1c6..928c745 100644
--- a/src/de/warking/hunjy/MySQL/MySQL.java
+++ b/src/de/warking/hunjy/MySQL/MySQL.java
@@ -98,7 +98,11 @@ public class MySQL {
         return null;
     }
-
+
+    public static String disarmString(String s){
+        return s.replace("'", "");
+    }
+
     public Connection getCon() {
         return con;
     }
diff --git a/src/de/warking/hunjy/MySQL/Schematic.java b/src/de/warking/hunjy/MySQL/Schematic.java
index c58073c..bb306d0 100644
--- a/src/de/warking/hunjy/MySQL/Schematic.java
+++ b/src/de/warking/hunjy/MySQL/Schematic.java
@@ -46,6 +46,7 @@ public class Schematic {
     }
 
     public static Schematic getSchemFromDB(String schemName, int schemOwner){
+        schemName = MySQL.disarmString(schemName);
         ResultSet schematic = sql.select("SELECT * FROM Schematic WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'");
         try {
             if(schematic == null || !schematic.next()){
diff --git a/src/de/warking/hunjy/MySQL/WarkingUser.java b/src/de/warking/hunjy/MySQL/WarkingUser.java
index 4baf04c..28a0311 100644
--- a/src/de/warking/hunjy/MySQL/WarkingUser.java
+++ b/src/de/warking/hunjy/MySQL/WarkingUser.java
@@ -63,6 +63,7 @@ public class WarkingUser {
     }
 
     public static WarkingUser get(String userName){
+        userName = MySQL.disarmString(userName);
         for(WarkingUser user : allUsers)
             if(user.UserName.equalsIgnoreCase(userName))
                 return user;
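Review bot: `disarmString` removes only the single quote, and that is not enough to make the concatenated queries in the callers safe: with MySQL's default `sql_mode` a backslash is an escape character, so a value ending in `\` escapes the closing quote the caller appends and the rest of the statement is absorbed into the literal, while `'` stripping also silently rewrites legitimate values (a name containing an apostrophe is looked up as a different name). Since `MySQL` already exposes the connection through `getCon()`, the durable fix is a bound-parameter path such as `select(String sql, Object... params)` built on `con.prepareStatement(sql)` plus `setObject(i + 1, params[i])`, so callers pass values as `?` placeholders and never sanitize; the existing `select(String)` used by the callers is outside this hunk, so its shape is inferred. Until that exists, the method should at least carry a Javadoc stating its limits, e.g. `/** Stop-gap for string-built SQL: drops single quotes only; does not handle backslash escapes and alters the value. Prefer PreparedStatement. */`.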
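Review bot: The query on the line after the inserted call is still assembled by string concatenation, so the fix depends entirely on the quote-stripping in `disarmString` rather than on the database driver separating code from data; a `PreparedStatement` with `?` placeholders removes the problem regardless of what `schemName` contains, and `schemOwner` can be bound as an int instead of being quoted as a string. Assuming `sql` is the `MySQL` instance (its `getCon()` is visible in the first file of this patch), the lookup can be rewritten as below; the surrounding `try` and the result handling continue outside the hunk, and the `SQLException` handling should mirror whatever `sql.select` does today when it returns `null`. `getSchemFromDB`'s body ends outside this hunk.
```java
    public static Schematic getSchemFromDB(String schemName, int schemOwner){
        ResultSet schematic = null;
        try {
            PreparedStatement ps = sql.getCon().prepareStatement(
                    "SELECT * FROM Schematic WHERE SchemName = ? AND SchemOwner = ?");
            ps.setString(1, schemName);   // bound value: quotes and backslashes are data, not SQL
            ps.setInt(2, schemOwner);
            schematic = ps.executeQuery();
        } catch (SQLException e) {
            // … handle like sql.select currently does (it appears to yield null on failure) …
        }
        // … unchanged: null / next() check and row mapping …
```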
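Review bot: Rewriting `userName` before the in-memory lookup changes the cache semantics rather than the SQL: a name containing `'` is compared against `allUsers` under a different spelling, so it will either miss a cached entry or, if stored names were never stripped, silently match nothing and fall through to whatever database path follows (that path is outside this hunk, so the actual query is not visible here). The injection fix belongs on that query, as a `PreparedStatement` with the name bound via `setString`, not on the key used for `equalsIgnoreCase`. If the set of valid user names is constrained by the application (not visible here), an explicit validation such as `if (!userName.matches("[A-Za-z0-9_]{1,16}")) return null;` would reject malformed input instead of quietly altering it. `get`'s body continues past the end of the hunk.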