Rework SQL statements to actually use PreparedStatements for security reasons

SpigotCore_Main/src/de/steamwar/sql/BauweltMember.java

@@ -36,17 +36,13 @@ public class BauweltMember{
     }
 
     public void remove(){
-        SQL.update("DELETE FROM BauweltMember WHERE BauweltID = " + bauweltID + " AND MemberID = " + memberID);
+        SQL.update("DELETE FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", bauweltID, memberID);
         members.remove(this);
     }
 
     private void updateDB(){
-        SQL.update("INSERT INTO BauweltMember" +
+        SQL.update("INSERT INTO BauweltMember (BauweltID, MemberID, Build, WorldEdit, World) VALUES (?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)",
-                " (BauweltID, MemberID, Build, WorldEdit, World)" +
+                bauweltID, memberID, build, worldEdit, world);
-                " VALUES" +
-                " ('" + bauweltID + "', '" + memberID + "', '" + SQL.booleanToInt(build) + "', '" + SQL.booleanToInt(worldEdit) + "', '" + SQL.booleanToInt(world) + "')" +
-                " ON DUPLICATE KEY UPDATE" +
-                " Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)");
     }
 
     public static BauweltMember getBauMember(UUID ownerID, UUID memberID){
@@ -57,7 +53,7 @@ public class BauweltMember{
         for(BauweltMember member : members)
             if(member.memberID == memberID)
                 return member;
-        ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + ownerID + "' AND MemberID = '" + memberID + "'");
+        ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", ownerID, memberID);
         try {
             if(member == null || !member.next()){
                 return null;
@@ -77,7 +73,7 @@ public class BauweltMember{
 
     public static List<BauweltMember> getMembers(int bauweltID){
         try{
-            ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + bauweltID + "'");
+            ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ?", bauweltID);
             List<BauweltMember> members = new LinkedList<>();
             while(memberlist.next()){
                 int memberID = memberlist.getInt("MemberID");

SpigotCore_Main/src/de/steamwar/sql/CheckedSchematic.java

@@ -21,12 +21,12 @@ public class CheckedSchematic {
     private final String declineReason;
 
     private CheckedSchematic(String schemName, int schemOwner, int validator, Timestamp startTime, Timestamp endTime, String declineReason, boolean insertDB){
-        this.schemName = SQL.disarmString(schemName);
+        this.schemName = schemName;
         this.schemOwner = schemOwner;
         this.validator = validator;
         this.startTime = startTime;
         this.endTime = endTime;
-        this.declineReason = SQL.disarmString(declineReason);
+        this.declineReason = declineReason;
         if(insertDB)
             insertDB();
     }
@@ -41,9 +41,8 @@ public class CheckedSchematic {
 
     private void insertDB(){
         SQL.update("INSERT INTO CheckedSchematic" +
-                " (SchemName, SchemOwner, Validator, StartTime, EndTime, DeclineReason)" +
+                " (SchemName, SchemOwner, Validator, StartTime, EndTime, DeclineReason) VALUES (?, ?, ?, ?, ?, ?)",
-                " VALUES" +
+                schemName, schemOwner, validator, startTime, endTime, declineReason);
-                " ('"+ schemName + "', '" + schemOwner + "', '" + validator + "', '" + startTime.toString() + "', '" + endTime.toString() + "', '" + declineReason + "')");
     }
 
     public static List<CheckedSchematic> getLastDeclined(UUID schemOwner){
@@ -53,7 +52,7 @@ public class CheckedSchematic {
     public static List<CheckedSchematic> getLastDelined(int schemOwner){
         List<CheckedSchematic> lastDeclined = new LinkedList<>();
         try{
-            ResultSet lastRS = SQL.select("SELECT * FROM CheckedSchematic WHERE SchemOwner = '" + schemOwner + "' AND DeclineReason != '' ORDER BY EndTime DESC");
+            ResultSet lastRS = SQL.select("SELECT * FROM CheckedSchematic WHERE SchemOwner = ? AND DeclineReason != '' ORDER BY EndTime DESC", schemOwner);
             while(lastRS.next()){
                 String schemName = lastRS.getString("SchemName");
                 int validator = lastRS.getInt("Validator");
@@ -69,7 +68,7 @@ public class CheckedSchematic {
     }
 
     public void remove() {
-        SQL.update("DELETE FROM CheckedSchematic WHERE SchemOwner = " + this.schemOwner + " AND SchemName = '" + this.schemName + "'");
+        SQL.update("DELETE FROM CheckedSchematic WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName);
     }
 
     public String getSchemName() {

SpigotCore_Main/src/de/steamwar/sql/DownloadSchematic.java

@@ -13,7 +13,7 @@ public class DownloadSchematic {
     private static final String BASE = "https://steamwar.de/download.php?schem=";
 
     public static String getLink(Schematic schem){
-        ResultSet rs = SQL.select("SELECT * FROM SchemDownload WHERE SchemID = " + schem.getSchemID());
+        ResultSet rs = SQL.select("SELECT * FROM SchemDownload WHERE SchemID = ?", schem.getSchemID());
         try {
             if(rs.next())
                 return BASE + rs.getString("Link");
@@ -30,7 +30,7 @@ public class DownloadSchematic {
         cript.reset();
         cript.update((Instant.now().toString() + schem.getSchemOwner() + schem.getSchemID()).getBytes());
         String hash = DatatypeConverter.printHexBinary(cript.digest());
-        SQL.update("INSERT INTO SchemDownload (SchemID, Link) VALUES (" + schem.getSchemID() + ", '" + hash + "')");
+        SQL.update("INSERT INTO SchemDownload (SchemID, Link) VALUES (?, ?)", schem.getSchemID(), hash);
         return BASE + hash;
     }
 }

SpigotCore_Main/src/de/steamwar/sql/Event.java

@@ -16,22 +16,22 @@ public class Event {
     private final int maximumTeamMembers;
     private final boolean publicSchemsOnly;
 
-    private Event(int eventID, String eventName, Timestamp start, Timestamp end, int maximumTeamMembers, boolean publicSchemsOnly){
+    private Event(ResultSet rs) throws SQLException{
-        this.eventID = eventID;
+        this.eventID = rs.getInt("EventID");
-        this.eventName = eventName;
+        this.eventName = rs.getString("EventName");
-        this.start = start;
+        this.start = rs.getTimestamp("Start");
-        this.end = end;
+        this.end = rs.getTimestamp("End");
-        this.maximumTeamMembers = maximumTeamMembers;
+        this.maximumTeamMembers = rs.getInt("MaximumTeamMembers");
-        this.publicSchemsOnly = publicSchemsOnly;
+        this.publicSchemsOnly = rs.getBoolean("PublicSchemsOnly");
     }
 
     public static Event get(int eventID){
-        ResultSet rs = SQL.select("SELECT * FROM Event WHERE EventID = " + eventID);
+        ResultSet rs = SQL.select("SELECT * FROM Event WHERE EventID = ?", eventID);
         try{
             if(!rs.next())
                 throw new IllegalArgumentException();
 
-            return new Event(eventID, rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly"));
+            return new Event(rs);
         }catch (SQLException e){
             Bukkit.getLogger().log(Level.SEVERE, "Failed to load Event", e);
             throw new SecurityException();

SpigotCore_Main/src/de/steamwar/sql/EventFight.java

@@ -14,26 +14,20 @@ public class EventFight {
     private int kampfleiter;
     private int ergebnis;
 
-    private EventFight(int eventID, int fightID, int teamBlue, int teamRed, int kampfleiter, int ergebnis){
+    private EventFight(ResultSet rs) throws SQLException{
-        this.eventID = eventID;
+        this.eventID = rs.getInt("EventID");
-        this.fightID = fightID;
+        this.fightID = rs.getInt("FightID");
-        this.teamBlue = teamBlue;
+        this.teamBlue = rs.getInt("TeamBlue");
-        this.teamRed = teamRed;
+        this.teamRed = rs.getInt("TeamRed");
-        this.kampfleiter = kampfleiter;
+        this.kampfleiter = rs.getInt("Kampfleiter");
-        this.ergebnis = ergebnis;
+        this.ergebnis = rs.getInt("Ergebnis");
     }
 
     public static EventFight get(int fightID){
         ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE FightID = " + fightID);
         try{
             rs.next();
-            return new EventFight(
+            return new EventFight(rs);
-                    rs.getInt("EventID"),
-                    fightID,
-                    rs.getInt("TeamBlue"),
-                    rs.getInt("TeamRed"),
-                    rs.getInt("Kampfleiter"),
-                    rs.getInt("Ergebnis"));
         }catch (SQLException e){
             Bukkit.getLogger().log(Level.SEVERE, "Failed to load EventFight", e);
         }
@@ -41,7 +35,7 @@ public class EventFight {
     }
 
     public void setErgebnis(int winner){
-        SQL.update("UPDATE EventFight SET Ergebnis = " + winner + " WHERE FightID = " + fightID);
+        SQL.update("UPDATE EventFight SET Ergebnis = ? WHERE FightID = ?", winner, fightID);
     }
 
     public int getTeamBlue() {

SpigotCore_Main/src/de/steamwar/sql/Fight.java

@@ -8,9 +8,8 @@ public class Fight {
     private Fight(){}
 
     public static int create(String gamemode, String arena, Timestamp starttime, int duration, int blueleader, int redleader, int blueschem, int redschem, int win, String wincondition){
-        SQL.update("INSERT INTO Fight (GameMode, Arena, StartTime, Duration, BlueLeader, RedLeader, BlueSchem, RedSchem, Win, WinCondition) VALUES (" +
+        SQL.update("INSERT INTO Fight (GameMode, Arena, StartTime, Duration, BlueLeader, RedLeader, BlueSchem, RedSchem, Win, WinCondition) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
-                "'" + SQL.disarmString(gamemode) + "', '" + SQL.disarmString(arena) + "', '" + starttime.toString() + "', " + duration + ", " + blueleader + ", " + redleader + ", " + blueschem + ", " + redschem + ", " + win + ", '" + SQL.disarmString(wincondition) + "'" +
+                gamemode, arena, starttime, duration, blueleader, redleader,blueschem, redschem, win, wincondition);
-                ")");
         ResultSet rs = SQL.select("SELECT LAST_INSERT_ID() AS FightID");
         try{
             if(!rs.next())

SpigotCore_Main/src/de/steamwar/sql/FightPlayer.java

@@ -4,8 +4,7 @@ public class FightPlayer {
     private FightPlayer(){}
 
     public static void create(int fightID, int userID, String kit, int kills, boolean isOut){
-        SQL.update("INSERT INTO FightPlayer (FightID, UserID, Kit, Kills, IsOut) VALUES (" +
+        SQL.update("INSERT INTO FightPlayer (FightID, UserID, Kit, Kills, IsOut) VALUES (?, ?, ?, ?, ?)",
-                fightID + ", " + userID + ", '" + SQL.disarmString(kit) + "', " + kills + ", " + SQL.booleanToInt(isOut) +
+                fightID, userID, kit, kills, isOut);
-                ")");
     }
 }

SpigotCore_Main/src/de/steamwar/sql/PersonalKit.java

@@ -23,7 +23,7 @@ public class PersonalKit {
     }
 
     public static PersonalKit get(int userID, String gamemode){
-        ResultSet rs = SQL.select("SELECT * FROM PersonalKit WHERE UserID = '" + userID + "' AND GameMode = '" + SQL.disarmString(gamemode) + "'");
+        ResultSet rs = SQL.select("SELECT * FROM PersonalKit WHERE UserID = ? AND GameMode = ?", userID, gamemode);
         try {
             if(!rs.next())
                 return null;
@@ -41,12 +41,8 @@ public class PersonalKit {
         YamlConfiguration armorConfig = new YamlConfiguration();
         armorConfig.set("Armor", armor);
 
-        SQL.update("INSERT INTO PersonalKit" +
+        SQL.update("INSERT INTO PersonalKit (UserID, GameMode, Inventory, Armor) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE Inventory = VALUES(Inventory), Armor = VALUES(Armor)",
-                " (UserID, GameMode, Inventory, Armor)" +
+                userID, gamemode, inventoryConfig.saveToString(), armorConfig.saveToString());
-                " VALUES" +
-                " ('" + userID + "', '" + gamemode + "', '" + SQL.disarmString(inventoryConfig.saveToString()) + "', '" + SQL.disarmString(armorConfig.saveToString()) + "')" +
-                " ON DUPLICATE KEY UPDATE" +
-                " Inventory = VALUES(Inventory), Armor = VALUES(Armor)");
         return get(userID, gamemode);
     }
 

SpigotCore_Main/src/de/steamwar/sql/SQL.java

@@ -33,13 +33,6 @@ public class SQL {
 
 		connect();
 	}
-
-	static Integer booleanToInt(boolean b){
-		if(b)
-			return 1;
-		else
-			return 0;
-	}
 	
 	public static void closeConnection() {
 		try {
@@ -48,45 +41,53 @@ public class SQL {
 			throw new SecurityException("Could not close connection", e);
 		}
 	}
-
-	static Connection getCon(){
-		return con;
-	}
 	
-	static void update(String qry) {
+	static void update(String qry, Object... objects) {
 		try {
-			PreparedStatement st = con.prepareStatement(qry);
+			prepare(qry, objects).executeUpdate();
-			st.executeUpdate();
 		} catch (SQLException e) {
 			reconnect();
 			try {
-				PreparedStatement st = con.prepareStatement(qry);
+				prepare(qry, objects).executeUpdate();
-				st.executeUpdate();
 			} catch (SQLException ex) {
 				throw new SecurityException("Could not perform update", ex);
 			}
 		}
 	}
-	
+
-	static ResultSet select(String qry) {
+	static ResultSet select(String qry, Object... objects){
 		try {
-			PreparedStatement st = con.prepareStatement(qry);
+			return prepare(qry, objects).executeQuery();
-			return st.executeQuery();
 		} catch (SQLException e) {
 			reconnect();
 			try {
-				PreparedStatement st = con.prepareStatement(qry);
+				return prepare(qry, objects).executeQuery();
-				return st.executeQuery();
 			} catch (SQLException ex) {
 				throw new SecurityException("Could not perform select", ex);
 			}
 		}
 	}
 
-	static String disarmString(String s){
+	static Blob blob(){
-		return s.replace("'", "");
+		try {
+			return con.createBlob();
+		} catch (SQLException e) {
+			reconnect();
+			try {
+				return con.createBlob();
+			} catch (SQLException ex) {
+				throw new SecurityException("Could not create blob", ex);
+			}
+		}
 	}
 
+	private static PreparedStatement prepare(String qry, Object... objects) throws SQLException{
+		PreparedStatement st = con.prepareStatement(qry);
+		for(int i = 0; i < objects.length; i++){
+			st.setObject(i+1, objects[i]);
+		}
+		return st;
+	}
 
 	private static void connect() {
 		try {

SpigotCore_Main/src/de/steamwar/sql/SWException.java

@@ -13,7 +13,7 @@ public class SWException {
         if(logDisabled)
             return;
 
-        String server = SQL.disarmString(Bukkit.getWorlds().get(0).getName());
+        String server = Bukkit.getWorlds().get(0).getName();
         StringBuilder stacktrace = new StringBuilder(logEvent.getSource().toString());
 
         Throwable throwable = logEvent.getThrown();
@@ -40,6 +40,7 @@ public class SWException {
         for(Player player : Bukkit.getOnlinePlayers())
             message += player.getName() + " ";
 
-        SQL.update("INSERT INTO Exception (server, message, stacktrace) VALUES ('" + server + "', '" + SQL.disarmString(message) + "', '" + SQL.disarmString(stacktrace.toString()) + "')");
+        SQL.update("INSERT INTO Exception (server, message, stacktrace) VALUES (?, ?, ?)",
+                server, message, stacktrace.toString());
     }
 }

SpigotCore_Main/src/de/steamwar/sql/Schematic.java

@@ -4,11 +4,9 @@ import com.sk89q.worldedit.extent.clipboard.Clipboard;
 import de.steamwar.core.Core;
 import org.bukkit.entity.Player;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.sql.Blob;
-import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.ArrayList;
@@ -42,12 +40,8 @@ public class Schematic {
 	}
 
 	public static void createSchem(String schemName, int schemOwner, String item, SchematicType schemType){
-		SQL.update("INSERT INTO Schematic" +
+		SQL.update("INSERT INTO Schematic (SchemName, SchemOwner, Item, SchemType) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE Item = VALUES(Item), SchemType = VALUES(SchemType)",
-					" (SchemName, SchemOwner, Item, SchemType)" +
+				schemName, schemOwner, item, schemType.toDB());
-					" VALUES" +
-					" ('" + schemName + "', '" + schemOwner + "', '" + item + "', '" + schemType.toDB() + "')" +
-					" ON DUPLICATE KEY UPDATE" +
-					" Item = VALUES(Item), SchemType = VALUES(SchemType)");
 	}
 
 	public static Schematic getSchemFromDB(String schemName, UUID schemOwner){
@@ -55,8 +49,7 @@ public class Schematic {
 	}
 
 	public static Schematic getSchemFromDB(String schemName, int schemOwner){
-		schemName = SQL.disarmString(schemName);
+		ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemName = ? AND SchemOwner = ?", schemName, schemOwner);
-		ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'");
 		try {
 			if(schematic == null || !schematic.next()){
 				SchematicMember member = SchematicMember.getMemberBySchematic(schemName, schemOwner);
@@ -77,7 +70,7 @@ public class Schematic {
 
 	public static List<Schematic> getSchemsAccessibleByUser(int schemOwner){
 		try{
-			ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemOwner = '" + schemOwner + "' ORDER BY SchemName");
+			ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemOwner = ? ORDER BY SchemName", schemOwner);
 			List<Schematic> schematics = new ArrayList<>();
 			while(schematic.next()){
 				schematics.add(new Schematic(schematic));
@@ -107,7 +100,7 @@ public class Schematic {
 
 	public static List<Schematic> getAllSchemsOfType(SchematicType schemType){
 		try{
-			ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemType = '" + schemType.toDB() + "'");
+			ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemType = ?", schemType.toDB());
 			List<Schematic> schematics = new ArrayList<>();
 			while(schematic.next()){
 				schematics.add(new Schematic(schematic));
@@ -156,7 +149,7 @@ public class Schematic {
 		if(Core.getVersion() <= 12 && schemFormat)
 			throw new WrongVersionException();
 
-		ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = " + schemID);
+		ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = ?", schemID);
 		try {
 			rs.next();
 			Blob schemData = rs.getBlob("SchemData");
@@ -186,7 +179,7 @@ public class Schematic {
 		if(Core.getVersion() <= 12 && schemFormat)
 			throw new WrongVersionException();
 
-		ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = " + schemID);
+		ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = ?", schemID);
 		try {
 			rs.next();
 			Blob blob = rs.getBlob("SchemData");
@@ -227,34 +220,31 @@ public class Schematic {
 
 	private void saveFromPlayer(Player player, boolean newFormat) throws IOException, NoClipboardException {
 		try{
-			PreparedStatement st = SQL.getCon().prepareStatement("UPDATE Schematic SET SchemData = ?, SchemFormat = ? WHERE SchemID = " + schemID);
+			Blob blob = SQL.blob();
-			byte[] data;
 			switch(Core.getVersion()){
 				case 8:
 					newFormat = false;
-					data = Schematic_8.getPlayerClipboard(player);
+					blob.setBytes(1, Schematic_8.getPlayerClipboard(player));
 					break;
 				case 9:
 					newFormat = false;
-					data = Schematic_9.getPlayerClipboard(player);
+					blob.setBytes(1, Schematic_9.getPlayerClipboard(player));
 					break;
 				case 10:
 					newFormat = false;
-					data = Schematic_10.getPlayerClipboard(player);
+					blob.setBytes(1, Schematic_10.getPlayerClipboard(player));
 					break;
 				case 14:
-					data = Schematic_14.getPlayerClipboard(player, newFormat);
+					blob.setBytes(1, Schematic_14.getPlayerClipboard(player, newFormat));
 					break;
 				case 15:
-					data = Schematic_15.getPlayerClipboard(player, newFormat);
+					blob.setBytes(1, Schematic_15.getPlayerClipboard(player, newFormat));
 					break;
 				default:
 					newFormat = false;
-					data = Schematic_12.getPlayerClipboard(player);
+					blob.setBytes(1, Schematic_12.getPlayerClipboard(player));
 			}
-			st.setBlob(1, new ByteArrayInputStream(data));
+			SQL.update("UPDATE Schematic SET SchemData = ?, SchemFormat = ? WHERE SchemID = ?", blob, newFormat, schemID);
-			st.setBoolean(2, newFormat);
-			st.executeUpdate();
 			schemFormat = newFormat;
 		}catch(SQLException e){
 			throw new IOException(e);
@@ -262,8 +252,8 @@ public class Schematic {
 	}
 
 	public void remove(){
-		SQL.update("DELETE FROM SchemMember WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "'");
+		SQL.update("DELETE FROM SchemMember WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName);
-		SQL.update("DELETE FROM Schematic WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "'");
+		SQL.update("DELETE FROM Schematic WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName);
 	}
 
 	public static class WrongVersionException extends Exception{}

SpigotCore_Main/src/de/steamwar/sql/SchematicMember.java

@@ -28,10 +28,7 @@ public class SchematicMember {
 	}
 
 	private void updateDB(){
-		SQL.update("INSERT INTO SchemMember" +
+		SQL.update("INSERT INTO SchemMember (SchemName, SchemOwner, Member) VALUES (?, ?, ?)", schemName, schemOwner, member);
-					" (SchemName, SchemOwner, Member)" +
-					" VALUES" +
-					" ('" + schemName + "', '" + schemOwner + "', '" + member + "')");
 	}
 
 	public static SchematicMember getSchemMemberFromDB(String schemName, UUID schemOwner, UUID schemMember){
@@ -39,7 +36,7 @@ public class SchematicMember {
 	}
 
 	public static SchematicMember getSchemMemberFromDB(String schemName, int schemOwner, int schemMember){
-		ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "' AND Member = '" + schemMember + "'");
+		ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND SchemOwner = ? AND Member = ?", schemName, schemOwner, schemMember);
 		try {
 			if(schematicMember == null || !schematicMember.next()){
 				return null;
@@ -51,7 +48,7 @@ public class SchematicMember {
 	}
 
 	public static SchematicMember getMemberBySchematic(String schemName, int schemMember){
-		ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND Member = '" + schemMember + "'");
+		ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND Member = ?", schemName, schemMember);
 		try {
 			if(schematicMember == null || !schematicMember.next()){
 				return null;
@@ -68,7 +65,7 @@ public class SchematicMember {
 	}
 
 	public static List<SchematicMember> getSchemMembers(String schemName, int schemOwner){
-		ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'");
+		ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND SchemOwner = ?", schemName, schemOwner);
 		try {
 			List<SchematicMember> schematicMembers = new ArrayList<>();
 			while(schematicMember.next()){
@@ -86,7 +83,7 @@ public class SchematicMember {
 	}
 
 	public static List<SchematicMember> getAccessibleSchems(int schemMember){
-		ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE Member = '" + schemMember + "'");
+		ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE Member = ?", schemMember);
 		try {
 			List<SchematicMember> schematicMembers = new ArrayList<>();
 			while(schematicMember.next()){
@@ -113,6 +110,6 @@ public class SchematicMember {
 	}
 
 	public void remove(){
-		SQL.update("DELETE FROM SchemMember WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "' AND Member = '" + member + "'");
+		SQL.update("DELETE FROM SchemMember WHERE SchemOwner = ? AND SchemName = ? AND Member = ?", schemOwner, schemName, member);
 	}
 }

SpigotCore_Main/src/de/steamwar/sql/SteamwarUser.java

@@ -63,8 +63,8 @@ public class SteamwarUser {
 		return team;
 	}
 
-	private static SteamwarUser fromDB(String statement){
+	private static SteamwarUser fromDB(String statement, Object identifier){
-		ResultSet rs = SQL.select(statement);
+		ResultSet rs = SQL.select(statement, identifier);
 		try {
 			if(rs.next())
 				return new SteamwarUser(rs);
@@ -75,24 +75,23 @@ public class SteamwarUser {
 	}
 
 	public static SteamwarUser get(String userName){
-		userName = SQL.disarmString(userName);
 		SteamwarUser user = byName.get(userName.toLowerCase());
 		if(user == null)
-			user = fromDB("SELECT * FROM UserData WHERE lower(UserName) = '" + userName.toLowerCase() + "'");
+			user = fromDB("SELECT * FROM UserData WHERE lower(UserName) = ?", userName.toLowerCase());
 		return user;
 	}
 
 	public static SteamwarUser get(UUID uuid){
 		SteamwarUser user = byUUID.get(uuid);
 		if(user == null)
-			user = fromDB("SELECT * FROM UserData WHERE UUID = '" + uuid.toString() + "'");
+			user = fromDB("SELECT * FROM UserData WHERE UUID = ?", uuid.toString());
 		return user;
 	}
 
 	public static SteamwarUser get(int id) {
 		SteamwarUser user = byId.get(id);
 		if(user == null)
-			user = fromDB("SELECT * FROM UserData WHERE id = '" + id + "'");
+			user = fromDB("SELECT * FROM UserData WHERE id = ?", id);
 		return user;
 	}
 }

SpigotCore_Main/src/de/steamwar/sql/Team.java

@@ -27,7 +27,7 @@ public class Team {
     public static Team get(int id){
         if(id == 0)
             return pub;
-        ResultSet rs = SQL.select("SELECT * FROM Team WHERE TeamID = " + id);
+        ResultSet rs = SQL.select("SELECT * FROM Team WHERE TeamID = ?", id);
         try {
             if(!rs.next())
                 return null;
@@ -55,7 +55,7 @@ public class Team {
 
     public List<Integer> getMembers(){
         try{
-            ResultSet memberlist = SQL.select("SELECT id FROM UserData WHERE Team = '" + teamId + "'");
+            ResultSet memberlist = SQL.select("SELECT id FROM UserData WHERE Team = ?", teamId);
             List<Integer> members = new LinkedList<>();
             while(memberlist.next())
                 members.add(memberlist.getInt("id"));