Fixing potential SQL injection vectors
Ursprung
7997703c0a
Commit
0771622e09
@ -99,6 +99,10 @@ public class MySQL {
|
|||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static String disarmString(String s){
|
||||||
|
return s.replace("'", "");
|
||||||
|
}
|
||||||
|
|
||||||
public Connection getCon() {
|
public Connection getCon() {
|
||||||
return con;
|
return con;
|
||||||
}
|
}
|
||||||
|
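Review bot: `disarmString` is not a sufficient defence for the concatenated queries it is meant to protect. It removes only `'`, leaves every other character that is significant inside a MySQL string literal (the backslash, for one) untouched, and silently changes the value being stored or looked up. It also throws a NullPointerException on a null argument. Binding values through a `PreparedStatement` on the connection that `getCon()` already exposes would make the helper unnecessary; if it stays, it should carry a comment such as `/** Strips single quotes only; not a substitute for parameter binding. */`. The `MySQL` class begins and ends outside the hunk, so whether `select` can accept bound parameters is not visible here.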
@ -46,6 +46,7 @@ public class Schematic {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static Schematic getSchemFromDB(String schemName, int schemOwner){
|
public static Schematic getSchemFromDB(String schemName, int schemOwner){
|
||||||
|
schemName = MySQL.disarmString(schemName);
|
||||||
ResultSet schematic = sql.select("SELECT * FROM Schematic WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'");
|
ResultSet schematic = sql.select("SELECT * FROM Schematic WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'");
|
||||||
try {
|
try {
|
||||||
if(schematic == null || !schematic.next()){
|
if(schematic == null || !schematic.next()){
|
||||||
|
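Review bot: The query in `getSchemFromDB` is still assembled by string concatenation, so its safety rests entirely on `disarmString`, and a schematic whose name contains an apostrophe can no longer be found. Bind the values instead: `PreparedStatement st = sql.getCon().prepareStatement("SELECT * FROM Schematic WHERE SchemName = ? AND SchemOwner = ?");`, then `st.setString(1, schemName); st.setInt(2, schemOwner);` and `ResultSet schematic = st.executeQuery();`. This assumes `sql` is the `MySQL` instance whose `getCon()` appears in the first hunk. The method body continues past the end of this hunk, so where the statement should be closed is left to the author.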
@ -63,6 +63,7 @@ public class WarkingUser {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static WarkingUser get(String userName){
|
public static WarkingUser get(String userName){
|
||||||
|
userName = MySQL.disarmString(userName);
|
||||||
for(WarkingUser user : allUsers)
|
for(WarkingUser user : allUsers)
|
||||||
if(user.UserName.equalsIgnoreCase(userName))
|
if(user.UserName.equalsIgnoreCase(userName))
|
||||||
return user;
|
return user;
|
||||||
|
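Review bot: The added `userName = MySQL.disarmString(userName);` in `WarkingUser.get` guards no query in the visible lines, which only compare the name against the in-memory `allUsers` list. Stripping characters before an identity lookup means an input that differs from a stored name only by an apostrophe resolves to that other user, while a stored name that contains one can never match. Drop the line here and compare the name exactly as given. If a database lookup follows later in the method, which continues outside this hunk, bind the name as a statement parameter at that point instead.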