
Rework SQL statements to actually use PreparedStatements for security reasons

Dieser Commit ist enthalten in:
Lixfel 2020-02-07 16:45:02 +01:00
Ursprung a6d5e70f46
Commit 151ec960bb
14 geänderte Dateien mit 96 neuen und 125 gelöschten Zeilen


@ -36,17 +36,13 @@ public class BauweltMember{
}
public void remove(){
SQL.update("DELETE FROM BauweltMember WHERE BauweltID = " + bauweltID + " AND MemberID = " + memberID);
SQL.update("DELETE FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", bauweltID, memberID);
members.remove(this);
}
private void updateDB(){
SQL.update("INSERT INTO BauweltMember" +
" (BauweltID, MemberID, Build, WorldEdit, World)" +
" VALUES" +
" ('" + bauweltID + "', '" + memberID + "', '" + SQL.booleanToInt(build) + "', '" + SQL.booleanToInt(worldEdit) + "', '" + SQL.booleanToInt(world) + "')" +
" ON DUPLICATE KEY UPDATE" +
" Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)");
SQL.update("INSERT INTO BauweltMember (BauweltID, MemberID, Build, WorldEdit, World) VALUES (?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)",
bauweltID, memberID, build, worldEdit, world);
}
public static BauweltMember getBauMember(UUID ownerID, UUID memberID){
@ -57,7 +53,7 @@ public class BauweltMember{
for(BauweltMember member : members)
if(member.memberID == memberID)
return member;
ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + ownerID + "' AND MemberID = '" + memberID + "'");
ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", ownerID, memberID);
try {
if(member == null || !member.next()){
return null;
@ -77,7 +73,7 @@ public class BauweltMember{
public static List<BauweltMember> getMembers(int bauweltID){
try{
ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + bauweltID + "'");
ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ?", bauweltID);
List<BauweltMember> members = new LinkedList<>();
while(memberlist.next()){
int memberID = memberlist.getInt("MemberID");
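Review bot: In updateDB the values `build, worldEdit, world` are now bound as Boolean objects through setObject, while the removed code stored them as 0/1 via booleanToInt, which this commit deletes from SQL; whether the driver writes a Boolean into those columns the same way is not visible here and should be checked against the column types (FightPlayer.create's `isOut` has the same change). If the columns are integer-typed, binding `build ? 1 : 0` keeps the stored representation identical to existing rows. The `member == null` test in getBauMember cannot trigger, since SQL.select throws rather than returning null, so `if(!member.next())` is sufficient. getBauMember and getMembers both continue past their hunks.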


@ -21,12 +21,12 @@ public class CheckedSchematic {
private final String declineReason;
private CheckedSchematic(String schemName, int schemOwner, int validator, Timestamp startTime, Timestamp endTime, String declineReason, boolean insertDB){
this.schemName = SQL.disarmString(schemName);
this.schemName = schemName;
this.schemOwner = schemOwner;
this.validator = validator;
this.startTime = startTime;
this.endTime = endTime;
this.declineReason = SQL.disarmString(declineReason);
this.declineReason = declineReason;
if(insertDB)
insertDB();
}
@ -41,9 +41,8 @@ public class CheckedSchematic {
private void insertDB(){
SQL.update("INSERT INTO CheckedSchematic" +
" (SchemName, SchemOwner, Validator, StartTime, EndTime, DeclineReason)" +
" VALUES" +
" ('"+ schemName + "', '" + schemOwner + "', '" + validator + "', '" + startTime.toString() + "', '" + endTime.toString() + "', '" + declineReason + "')");
" (SchemName, SchemOwner, Validator, StartTime, EndTime, DeclineReason) VALUES (?, ?, ?, ?, ?, ?)",
schemName, schemOwner, validator, startTime, endTime, declineReason);
}
public static List<CheckedSchematic> getLastDeclined(UUID schemOwner){
@ -53,7 +52,7 @@ public class CheckedSchematic {
public static List<CheckedSchematic> getLastDelined(int schemOwner){
List<CheckedSchematic> lastDeclined = new LinkedList<>();
try{
ResultSet lastRS = SQL.select("SELECT * FROM CheckedSchematic WHERE SchemOwner = '" + schemOwner + "' AND DeclineReason != '' ORDER BY EndTime DESC");
ResultSet lastRS = SQL.select("SELECT * FROM CheckedSchematic WHERE SchemOwner = ? AND DeclineReason != '' ORDER BY EndTime DESC", schemOwner);
while(lastRS.next()){
String schemName = lastRS.getString("SchemName");
int validator = lastRS.getInt("Validator");
@ -69,7 +68,7 @@ public class CheckedSchematic {
}
public void remove() {
SQL.update("DELETE FROM CheckedSchematic WHERE SchemOwner = " + this.schemOwner + " AND SchemName = '" + this.schemName + "'");
SQL.update("DELETE FROM CheckedSchematic WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName);
}
public String getSchemName() {
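Review bot: The constructor now stores `schemName` and `declineReason` unmodified, whereas before this commit `SQL.disarmString` stripped every `'` before insertion, so a schematic name containing an apostrophe that was written by the old code is stored stripped while the SELECT in getLastDelined and the DELETE in remove() now bind the original name and will not match it. Either a one-off migration of existing rows or normalizing the key column consistently at both write and read time is needed; Schematic.getSchemFromDB dropped its disarmString call in the same way. If `declineReason` can be null, `setObject` with a null argument is driver-dependent and previously failed with an NPE inside disarmString, so the new behaviour should be confirmed.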


@ -13,7 +13,7 @@ public class DownloadSchematic {
private static final String BASE = "https://steamwar.de/download.php?schem=";
public static String getLink(Schematic schem){
ResultSet rs = SQL.select("SELECT * FROM SchemDownload WHERE SchemID = " + schem.getSchemID());
ResultSet rs = SQL.select("SELECT * FROM SchemDownload WHERE SchemID = ?", schem.getSchemID());
try {
if(rs.next())
return BASE + rs.getString("Link");
@ -30,7 +30,7 @@ public class DownloadSchematic {
cript.reset();
cript.update((Instant.now().toString() + schem.getSchemOwner() + schem.getSchemID()).getBytes());
String hash = DatatypeConverter.printHexBinary(cript.digest());
SQL.update("INSERT INTO SchemDownload (SchemID, Link) VALUES (" + schem.getSchemID() + ", '" + hash + "')");
SQL.update("INSERT INTO SchemDownload (SchemID, Link) VALUES (?, ?)", schem.getSchemID(), hash);
return BASE + hash;
}
}
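Review bot: The link token at `cript.update((Instant.now().toString() + schem.getSchemOwner() + schem.getSchemID()).getBytes())` is a digest over a timestamp and two identifiers, so it is only as unpredictable as the timestamp's resolution; since the value is stored in SchemDownload as the download credential, drawing it from `SecureRandom` (a fresh random byte array, hex-encoded as now) would make it independent of guessable inputs. `getBytes()` without a charset also uses the platform default; `StandardCharsets.UTF_8` would make the digest input deterministic across JVMs. The `cript` field is declared outside the hunk, so whether it is shared between threads cannot be seen here.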


@ -16,22 +16,22 @@ public class Event {
private final int maximumTeamMembers;
private final boolean publicSchemsOnly;
private Event(int eventID, String eventName, Timestamp start, Timestamp end, int maximumTeamMembers, boolean publicSchemsOnly){
this.eventID = eventID;
this.eventName = eventName;
this.start = start;
this.end = end;
this.maximumTeamMembers = maximumTeamMembers;
this.publicSchemsOnly = publicSchemsOnly;
private Event(ResultSet rs) throws SQLException{
this.eventID = rs.getInt("EventID");
this.eventName = rs.getString("EventName");
this.start = rs.getTimestamp("Start");
this.end = rs.getTimestamp("End");
this.maximumTeamMembers = rs.getInt("MaximumTeamMembers");
this.publicSchemsOnly = rs.getBoolean("PublicSchemsOnly");
}
public static Event get(int eventID){
ResultSet rs = SQL.select("SELECT * FROM Event WHERE EventID = " + eventID);
ResultSet rs = SQL.select("SELECT * FROM Event WHERE EventID = ?", eventID);
try{
if(!rs.next())
throw new IllegalArgumentException();
return new Event(eventID, rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly"));
return new Event(rs);
}catch (SQLException e){
Bukkit.getLogger().log(Level.SEVERE, "Failed to load Event", e);
throw new SecurityException();
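Review bot: The new `Event(ResultSet rs)` constructor has no documentation stating that it reads the cursor's current row and does not advance it; `get` calls `rs.next()` first, so a one-line Javadoc would stop a future caller from passing an unpositioned result set: `/** Reads the Event columns from the row {@code rs} is currently positioned on; the caller must have called next(). */`. The same applies to `EventFight(ResultSet rs)` in EventFight. The `get` method continues past the hunk.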


@ -14,26 +14,20 @@ public class EventFight {
private int kampfleiter;
private int ergebnis;
private EventFight(int eventID, int fightID, int teamBlue, int teamRed, int kampfleiter, int ergebnis){
this.eventID = eventID;
this.fightID = fightID;
this.teamBlue = teamBlue;
this.teamRed = teamRed;
this.kampfleiter = kampfleiter;
this.ergebnis = ergebnis;
private EventFight(ResultSet rs) throws SQLException{
this.eventID = rs.getInt("EventID");
this.fightID = rs.getInt("FightID");
this.teamBlue = rs.getInt("TeamBlue");
this.teamRed = rs.getInt("TeamRed");
this.kampfleiter = rs.getInt("Kampfleiter");
this.ergebnis = rs.getInt("Ergebnis");
}
public static EventFight get(int fightID){
ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE FightID = " + fightID);
try{
rs.next();
return new EventFight(
rs.getInt("EventID"),
fightID,
rs.getInt("TeamBlue"),
rs.getInt("TeamRed"),
rs.getInt("Kampfleiter"),
rs.getInt("Ergebnis"));
return new EventFight(rs);
}catch (SQLException e){
Bukkit.getLogger().log(Level.SEVERE, "Failed to load EventFight", e);
}
@ -41,7 +35,7 @@ public class EventFight {
}
public void setErgebnis(int winner){
SQL.update("UPDATE EventFight SET Ergebnis = " + winner + " WHERE FightID = " + fightID);
SQL.update("UPDATE EventFight SET Ergebnis = ? WHERE FightID = ?", winner, fightID);
}
public int getTeamBlue() {
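Review bot: In get, the return value of `rs.next();` is ignored, so an unknown fightID now fails inside the new `EventFight(rs)` constructor with an SQLException from getInt that is logged as "Failed to load EventFight" instead of being reported as a bad argument. Event.get in the same commit checks the cursor first; mirroring it, `if(!rs.next()) throw new IllegalArgumentException("EventFight " + fightID);`, gives callers a clear error and keeps the log for real database failures. The method continues past the hunk.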


@ -8,9 +8,8 @@ public class Fight {
private Fight(){}
public static int create(String gamemode, String arena, Timestamp starttime, int duration, int blueleader, int redleader, int blueschem, int redschem, int win, String wincondition){
SQL.update("INSERT INTO Fight (GameMode, Arena, StartTime, Duration, BlueLeader, RedLeader, BlueSchem, RedSchem, Win, WinCondition) VALUES (" +
"'" + SQL.disarmString(gamemode) + "', '" + SQL.disarmString(arena) + "', '" + starttime.toString() + "', " + duration + ", " + blueleader + ", " + redleader + ", " + blueschem + ", " + redschem + ", " + win + ", '" + SQL.disarmString(wincondition) + "'" +
")");
SQL.update("INSERT INTO Fight (GameMode, Arena, StartTime, Duration, BlueLeader, RedLeader, BlueSchem, RedSchem, Win, WinCondition) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
gamemode, arena, starttime, duration, blueleader, redleader,blueschem, redschem, win, wincondition);
ResultSet rs = SQL.select("SELECT LAST_INSERT_ID() AS FightID");
try{
if(!rs.next())
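Review bot: `SELECT LAST_INSERT_ID() AS FightID` after the parameterized INSERT only returns this fight's id if no other statement runs on the same connection in between; SQL keeps a single static connection, and if it is used from more than one thread (not visible here) the id can belong to another insert, and a reconnect() between the two statements would lose it entirely. Executing the INSERT with `Statement.RETURN_GENERATED_KEYS` and reading `getGeneratedKeys()` on the same statement avoids both, which would need a small helper in SQL. Minor style: the argument list `blueleader, redleader,blueschem, redschem` is missing a space. create continues past the hunk.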


@ -4,8 +4,7 @@ public class FightPlayer {
private FightPlayer(){}
public static void create(int fightID, int userID, String kit, int kills, boolean isOut){
SQL.update("INSERT INTO FightPlayer (FightID, UserID, Kit, Kills, IsOut) VALUES (" +
fightID + ", " + userID + ", '" + SQL.disarmString(kit) + "', " + kills + ", " + SQL.booleanToInt(isOut) +
")");
SQL.update("INSERT INTO FightPlayer (FightID, UserID, Kit, Kills, IsOut) VALUES (?, ?, ?, ?, ?)",
fightID, userID, kit, kills, isOut);
}
}


@ -23,7 +23,7 @@ public class PersonalKit {
}
public static PersonalKit get(int userID, String gamemode){
ResultSet rs = SQL.select("SELECT * FROM PersonalKit WHERE UserID = '" + userID + "' AND GameMode = '" + SQL.disarmString(gamemode) + "'");
ResultSet rs = SQL.select("SELECT * FROM PersonalKit WHERE UserID = ? AND GameMode = ?", userID, gamemode);
try {
if(!rs.next())
return null;
@ -41,12 +41,8 @@ public class PersonalKit {
YamlConfiguration armorConfig = new YamlConfiguration();
armorConfig.set("Armor", armor);
SQL.update("INSERT INTO PersonalKit" +
" (UserID, GameMode, Inventory, Armor)" +
" VALUES" +
" ('" + userID + "', '" + gamemode + "', '" + SQL.disarmString(inventoryConfig.saveToString()) + "', '" + SQL.disarmString(armorConfig.saveToString()) + "')" +
" ON DUPLICATE KEY UPDATE" +
" Inventory = VALUES(Inventory), Armor = VALUES(Armor)");
SQL.update("INSERT INTO PersonalKit (UserID, GameMode, Inventory, Armor) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE Inventory = VALUES(Inventory), Armor = VALUES(Armor)",
userID, gamemode, inventoryConfig.saveToString(), armorConfig.saveToString());
return get(userID, gamemode);
}


@ -33,13 +33,6 @@ public class SQL {
connect();
}
static Integer booleanToInt(boolean b){
if(b)
return 1;
else
return 0;
}
public static void closeConnection() {
try {
@ -48,45 +41,53 @@ public class SQL {
throw new SecurityException("Could not close connection", e);
}
}
static Connection getCon(){
return con;
}
static void update(String qry) {
static void update(String qry, Object... objects) {
try {
PreparedStatement st = con.prepareStatement(qry);
st.executeUpdate();
prepare(qry, objects).executeUpdate();
} catch (SQLException e) {
reconnect();
try {
PreparedStatement st = con.prepareStatement(qry);
st.executeUpdate();
prepare(qry, objects).executeUpdate();
} catch (SQLException ex) {
throw new SecurityException("Could not perform update", ex);
}
}
}
static ResultSet select(String qry) {
static ResultSet select(String qry, Object... objects){
try {
PreparedStatement st = con.prepareStatement(qry);
return st.executeQuery();
return prepare(qry, objects).executeQuery();
} catch (SQLException e) {
reconnect();
try {
PreparedStatement st = con.prepareStatement(qry);
return st.executeQuery();
return prepare(qry, objects).executeQuery();
} catch (SQLException ex) {
throw new SecurityException("Could not perform select", ex);
}
}
}
static String disarmString(String s){
return s.replace("'", "");
static Blob blob(){
try {
return con.createBlob();
} catch (SQLException e) {
reconnect();
try {
return con.createBlob();
} catch (SQLException ex) {
throw new SecurityException("Could not create blob", ex);
}
}
}
private static PreparedStatement prepare(String qry, Object... objects) throws SQLException{
PreparedStatement st = con.prepareStatement(qry);
for(int i = 0; i < objects.length; i++){
st.setObject(i+1, objects[i]);
}
return st;
}
private static void connect() {
try {
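Review bot: The PreparedStatement returned by prepare() is never closed: update discards it after `prepare(qry, objects).executeUpdate();` on both attempts, and select hands its ResultSet to callers, none of whom in the hunks shown close it, so every query holds a statement until the driver or GC reclaims it. update should own its statement with try-with-resources, and prepare can call `st.closeOnCompletion()` so a select's statement is released once its ResultSet is closed — call sites then only need to close the ResultSet. Separately, the catch in update and select retries after any SQLException, including constraint violations or syntax errors, so a failing INSERT is executed twice around a reconnect(); narrowing the retry to connection failures (`SQLNonTransientConnectionException`/`SQLRecoverableException`) would avoid that, though reconnect() itself is outside the hunk and may have its own checks.
```java
static void update(String qry, Object... objects) {
    try (PreparedStatement st = prepare(qry, objects)) {
        st.executeUpdate();
    } catch (SQLException e) {
        reconnect();
        try (PreparedStatement st = prepare(qry, objects)) {
            st.executeUpdate();
        } catch (SQLException ex) {
            throw new SecurityException("Could not perform update", ex);
        }
    }
}

// … unchanged: select, blob …

private static PreparedStatement prepare(String qry, Object... objects) throws SQLException{
    PreparedStatement st = con.prepareStatement(qry);
    st.closeOnCompletion(); // released automatically once the caller closes the ResultSet
    for(int i = 0; i < objects.length; i++){
        st.setObject(i+1, objects[i]);
    }
    return st;
}
```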


@ -13,7 +13,7 @@ public class SWException {
if(logDisabled)
return;
String server = SQL.disarmString(Bukkit.getWorlds().get(0).getName());
String server = Bukkit.getWorlds().get(0).getName();
StringBuilder stacktrace = new StringBuilder(logEvent.getSource().toString());
Throwable throwable = logEvent.getThrown();
@ -40,6 +40,7 @@ public class SWException {
for(Player player : Bukkit.getOnlinePlayers())
message += player.getName() + " ";
SQL.update("INSERT INTO Exception (server, message, stacktrace) VALUES ('" + server + "', '" + SQL.disarmString(message) + "', '" + SQL.disarmString(stacktrace.toString()) + "')");
SQL.update("INSERT INTO Exception (server, message, stacktrace) VALUES (?, ?, ?)",
server, message, stacktrace.toString());
}
}
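Review bot: The `message` passed to the new parameterized INSERT is assembled with `message += player.getName() + " ";` in a loop over all online players, which is quadratic string concatenation; a `StringBuilder`, as already used for `stacktrace`, reads more consistently. If the `message` or `stacktrace` column has a bounded length, trimming `stacktrace.toString()` to that length before binding it avoids losing the whole exception row to a driver-side length error; the column definitions are not visible here. The enclosing method starts before the first hunk.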


@ -4,11 +4,9 @@ import com.sk89q.worldedit.extent.clipboard.Clipboard;
import de.steamwar.core.Core;
import org.bukkit.entity.Player;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.sql.Blob;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
@ -42,12 +40,8 @@ public class Schematic {
}
public static void createSchem(String schemName, int schemOwner, String item, SchematicType schemType){
SQL.update("INSERT INTO Schematic" +
" (SchemName, SchemOwner, Item, SchemType)" +
" VALUES" +
" ('" + schemName + "', '" + schemOwner + "', '" + item + "', '" + schemType.toDB() + "')" +
" ON DUPLICATE KEY UPDATE" +
" Item = VALUES(Item), SchemType = VALUES(SchemType)");
SQL.update("INSERT INTO Schematic (SchemName, SchemOwner, Item, SchemType) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE Item = VALUES(Item), SchemType = VALUES(SchemType)",
schemName, schemOwner, item, schemType.toDB());
}
public static Schematic getSchemFromDB(String schemName, UUID schemOwner){
@ -55,8 +49,7 @@ public class Schematic {
}
public static Schematic getSchemFromDB(String schemName, int schemOwner){
schemName = SQL.disarmString(schemName);
ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'");
ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemName = ? AND SchemOwner = ?", schemName, schemOwner);
try {
if(schematic == null || !schematic.next()){
SchematicMember member = SchematicMember.getMemberBySchematic(schemName, schemOwner);
@ -77,7 +70,7 @@ public class Schematic {
public static List<Schematic> getSchemsAccessibleByUser(int schemOwner){
try{
ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemOwner = '" + schemOwner + "' ORDER BY SchemName");
ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemOwner = ? ORDER BY SchemName", schemOwner);
List<Schematic> schematics = new ArrayList<>();
while(schematic.next()){
schematics.add(new Schematic(schematic));
@ -107,7 +100,7 @@ public class Schematic {
public static List<Schematic> getAllSchemsOfType(SchematicType schemType){
try{
ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemType = '" + schemType.toDB() + "'");
ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemType = ?", schemType.toDB());
List<Schematic> schematics = new ArrayList<>();
while(schematic.next()){
schematics.add(new Schematic(schematic));
@ -156,7 +149,7 @@ public class Schematic {
if(Core.getVersion() <= 12 && schemFormat)
throw new WrongVersionException();
ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = " + schemID);
ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = ?", schemID);
try {
rs.next();
Blob schemData = rs.getBlob("SchemData");
@ -186,7 +179,7 @@ public class Schematic {
if(Core.getVersion() <= 12 && schemFormat)
throw new WrongVersionException();
ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = " + schemID);
ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = ?", schemID);
try {
rs.next();
Blob blob = rs.getBlob("SchemData");
@ -227,34 +220,31 @@ public class Schematic {
private void saveFromPlayer(Player player, boolean newFormat) throws IOException, NoClipboardException {
try{
PreparedStatement st = SQL.getCon().prepareStatement("UPDATE Schematic SET SchemData = ?, SchemFormat = ? WHERE SchemID = " + schemID);
byte[] data;
Blob blob = SQL.blob();
switch(Core.getVersion()){
case 8:
newFormat = false;
data = Schematic_8.getPlayerClipboard(player);
blob.setBytes(1, Schematic_8.getPlayerClipboard(player));
break;
case 9:
newFormat = false;
data = Schematic_9.getPlayerClipboard(player);
blob.setBytes(1, Schematic_9.getPlayerClipboard(player));
break;
case 10:
newFormat = false;
data = Schematic_10.getPlayerClipboard(player);
blob.setBytes(1, Schematic_10.getPlayerClipboard(player));
break;
case 14:
data = Schematic_14.getPlayerClipboard(player, newFormat);
blob.setBytes(1, Schematic_14.getPlayerClipboard(player, newFormat));
break;
case 15:
data = Schematic_15.getPlayerClipboard(player, newFormat);
blob.setBytes(1, Schematic_15.getPlayerClipboard(player, newFormat));
break;
default:
newFormat = false;
data = Schematic_12.getPlayerClipboard(player);
blob.setBytes(1, Schematic_12.getPlayerClipboard(player));
}
st.setBlob(1, new ByteArrayInputStream(data));
st.setBoolean(2, newFormat);
st.executeUpdate();
SQL.update("UPDATE Schematic SET SchemData = ?, SchemFormat = ? WHERE SchemID = ?", blob, newFormat, schemID);
schemFormat = newFormat;
}catch(SQLException e){
throw new IOException(e);
@ -262,8 +252,8 @@ public class Schematic {
}
public void remove(){
SQL.update("DELETE FROM SchemMember WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "'");
SQL.update("DELETE FROM Schematic WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "'");
SQL.update("DELETE FROM SchemMember WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName);
SQL.update("DELETE FROM Schematic WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName);
}
public static class WrongVersionException extends Exception{}
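Review bot: In saveFromPlayer the `Blob blob = SQL.blob();` is never released: if a `getPlayerClipboard` call throws the IOException or NoClipboardException the method declares, `SQL.update` is never reached and the driver-side blob is abandoned, and after a successful update it is likewise left to GC. A `try { … } finally { blob.free(); }` around the switch and the `SQL.update` call releases it on every path (driver support for free() is not visible here and should be confirmed). The unchecked `rs.next();` before `rs.getBlob("SchemData")` in the two earlier hunks still turns a missing SchemID into an SQLException instead of a clear not-found error. saveFromPlayer continues past the hunk.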


@ -28,10 +28,7 @@ public class SchematicMember {
}
private void updateDB(){
SQL.update("INSERT INTO SchemMember" +
" (SchemName, SchemOwner, Member)" +
" VALUES" +
" ('" + schemName + "', '" + schemOwner + "', '" + member + "')");
SQL.update("INSERT INTO SchemMember (SchemName, SchemOwner, Member) VALUES (?, ?, ?)", schemName, schemOwner, member);
}
public static SchematicMember getSchemMemberFromDB(String schemName, UUID schemOwner, UUID schemMember){
@ -39,7 +36,7 @@ public class SchematicMember {
}
public static SchematicMember getSchemMemberFromDB(String schemName, int schemOwner, int schemMember){
ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "' AND Member = '" + schemMember + "'");
ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND SchemOwner = ? AND Member = ?", schemName, schemOwner, schemMember);
try {
if(schematicMember == null || !schematicMember.next()){
return null;
@ -51,7 +48,7 @@ public class SchematicMember {
}
public static SchematicMember getMemberBySchematic(String schemName, int schemMember){
ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND Member = '" + schemMember + "'");
ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND Member = ?", schemName, schemMember);
try {
if(schematicMember == null || !schematicMember.next()){
return null;
@ -68,7 +65,7 @@ public class SchematicMember {
}
public static List<SchematicMember> getSchemMembers(String schemName, int schemOwner){
ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'");
ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND SchemOwner = ?", schemName, schemOwner);
try {
List<SchematicMember> schematicMembers = new ArrayList<>();
while(schematicMember.next()){
@ -86,7 +83,7 @@ public class SchematicMember {
}
public static List<SchematicMember> getAccessibleSchems(int schemMember){
ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE Member = '" + schemMember + "'");
ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE Member = ?", schemMember);
try {
List<SchematicMember> schematicMembers = new ArrayList<>();
while(schematicMember.next()){
@ -113,6 +110,6 @@ public class SchematicMember {
}
public void remove(){
SQL.update("DELETE FROM SchemMember WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "' AND Member = '" + member + "'");
SQL.update("DELETE FROM SchemMember WHERE SchemOwner = ? AND SchemName = ? AND Member = ?", schemOwner, schemName, member);
}
}


@ -63,8 +63,8 @@ public class SteamwarUser {
return team;
}
private static SteamwarUser fromDB(String statement){
ResultSet rs = SQL.select(statement);
private static SteamwarUser fromDB(String statement, Object identifier){
ResultSet rs = SQL.select(statement, identifier);
try {
if(rs.next())
return new SteamwarUser(rs);
@ -75,24 +75,23 @@ public class SteamwarUser {
}
public static SteamwarUser get(String userName){
userName = SQL.disarmString(userName);
SteamwarUser user = byName.get(userName.toLowerCase());
if(user == null)
user = fromDB("SELECT * FROM UserData WHERE lower(UserName) = '" + userName.toLowerCase() + "'");
user = fromDB("SELECT * FROM UserData WHERE lower(UserName) = ?", userName.toLowerCase());
return user;
}
public static SteamwarUser get(UUID uuid){
SteamwarUser user = byUUID.get(uuid);
if(user == null)
user = fromDB("SELECT * FROM UserData WHERE UUID = '" + uuid.toString() + "'");
user = fromDB("SELECT * FROM UserData WHERE UUID = ?", uuid.toString());
return user;
}
public static SteamwarUser get(int id) {
SteamwarUser user = byId.get(id);
if(user == null)
user = fromDB("SELECT * FROM UserData WHERE id = '" + id + "'");
user = fromDB("SELECT * FROM UserData WHERE id = ?", id);
return user;
}
}
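Review bot: In get(String userName) both the cache lookup `byName.get(userName.toLowerCase())` and the bound parameter `userName.toLowerCase()` use the JVM default locale, so under a Turkish default locale an `I` is lowered to dotless ı and neither the cache key nor the value compared against SQL `lower(UserName)` matches; `userName.toLowerCase(Locale.ROOT)` in both places makes the key locale-independent (`java.util.Locale` needs importing if it is not already). With the disarmString call removed, a name containing `'` now reaches the cache and the query unchanged, which is right for a bound parameter but changes the cache key for such names relative to whatever populates byName outside this hunk. The class starts before the first hunk.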


@ -27,7 +27,7 @@ public class Team {
public static Team get(int id){
if(id == 0)
return pub;
ResultSet rs = SQL.select("SELECT * FROM Team WHERE TeamID = " + id);
ResultSet rs = SQL.select("SELECT * FROM Team WHERE TeamID = ?", id);
try {
if(!rs.next())
return null;
@ -55,7 +55,7 @@ public class Team {
public List<Integer> getMembers(){
try{
ResultSet memberlist = SQL.select("SELECT id FROM UserData WHERE Team = '" + teamId + "'");
ResultSet memberlist = SQL.select("SELECT id FROM UserData WHERE Team = ?", teamId);
List<Integer> members = new LinkedList<>();
while(memberlist.next())
members.add(memberlist.getInt("id"));