From 151ec960bb56a55e8537164ef240da4b103e6115 Mon Sep 17 00:00:00 2001 From: Lixfel Date: Fri, 7 Feb 2020 16:45:02 +0100 Subject: [PATCH] Rework SQL statements to actually use PreparedStatements for security reasons --- .../src/de/steamwar/sql/BauweltMember.java | 14 ++---- .../src/de/steamwar/sql/CheckedSchematic.java | 13 +++-- .../de/steamwar/sql/DownloadSchematic.java | 4 +- .../src/de/steamwar/sql/Event.java | 18 +++---- .../src/de/steamwar/sql/EventFight.java | 24 ++++----- .../src/de/steamwar/sql/Fight.java | 5 +- .../src/de/steamwar/sql/FightPlayer.java | 5 +- .../src/de/steamwar/sql/PersonalKit.java | 10 ++-- SpigotCore_Main/src/de/steamwar/sql/SQL.java | 49 ++++++++++--------- .../src/de/steamwar/sql/SWException.java | 5 +- .../src/de/steamwar/sql/Schematic.java | 44 +++++++---------- .../src/de/steamwar/sql/SchematicMember.java | 15 +++--- .../src/de/steamwar/sql/SteamwarUser.java | 11 ++--- SpigotCore_Main/src/de/steamwar/sql/Team.java | 4 +- 14 files changed, 96 insertions(+), 125 deletions(-) diff --git a/SpigotCore_Main/src/de/steamwar/sql/BauweltMember.java b/SpigotCore_Main/src/de/steamwar/sql/BauweltMember.java index eebaec8..2f8afcb 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/BauweltMember.java +++ b/SpigotCore_Main/src/de/steamwar/sql/BauweltMember.java @@ -36,17 +36,13 @@ public class BauweltMember{ } public void remove(){ - SQL.update("DELETE FROM BauweltMember WHERE BauweltID = " + bauweltID + " AND MemberID = " + memberID); + SQL.update("DELETE FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", bauweltID, memberID); members.remove(this); } private void updateDB(){ - SQL.update("INSERT INTO BauweltMember" + - " (BauweltID, MemberID, Build, WorldEdit, World)" + - " VALUES" + - " ('" + bauweltID + "', '" + memberID + "', '" + SQL.booleanToInt(build) + "', '" + SQL.booleanToInt(worldEdit) + "', '" + SQL.booleanToInt(world) + "')" + - " ON DUPLICATE KEY UPDATE" + - " Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)"); + SQL.update("INSERT INTO BauweltMember (BauweltID, MemberID, Build, WorldEdit, World) VALUES (?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE Build = VALUES(Build), WorldEdit = VALUES(WorldEdit), World = VALUES(World)", + bauweltID, memberID, build, worldEdit, world); } public static BauweltMember getBauMember(UUID ownerID, UUID memberID){ @@ -57,7 +53,7 @@ public class BauweltMember{ for(BauweltMember member : members) if(member.memberID == memberID) return member; - ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + ownerID + "' AND MemberID = '" + memberID + "'"); + ResultSet member = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ? AND MemberID = ?", ownerID, memberID); try { if(member == null || !member.next()){ return null; @@ -77,7 +73,7 @@ public class BauweltMember{ public static List getMembers(int bauweltID){ try{ - ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = '" + bauweltID + "'"); + ResultSet memberlist = SQL.select("SELECT * FROM BauweltMember WHERE BauweltID = ?", bauweltID); List members = new LinkedList<>(); while(memberlist.next()){ int memberID = memberlist.getInt("MemberID"); diff --git a/SpigotCore_Main/src/de/steamwar/sql/CheckedSchematic.java b/SpigotCore_Main/src/de/steamwar/sql/CheckedSchematic.java index 73929bc..974537f 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/CheckedSchematic.java +++ b/SpigotCore_Main/src/de/steamwar/sql/CheckedSchematic.java @@ -21,12 +21,12 @@ public class CheckedSchematic { private final String declineReason; private CheckedSchematic(String schemName, int schemOwner, int validator, Timestamp startTime, Timestamp endTime, String declineReason, boolean insertDB){ - this.schemName = SQL.disarmString(schemName); + this.schemName = schemName; this.schemOwner = schemOwner; this.validator = validator; this.startTime = startTime; this.endTime = endTime; - this.declineReason = SQL.disarmString(declineReason); + this.declineReason = declineReason; if(insertDB) insertDB(); } @@ -41,9 +41,8 @@ public class CheckedSchematic { private void insertDB(){ SQL.update("INSERT INTO CheckedSchematic" + - " (SchemName, SchemOwner, Validator, StartTime, EndTime, DeclineReason)" + - " VALUES" + - " ('"+ schemName + "', '" + schemOwner + "', '" + validator + "', '" + startTime.toString() + "', '" + endTime.toString() + "', '" + declineReason + "')"); + " (SchemName, SchemOwner, Validator, StartTime, EndTime, DeclineReason) VALUES (?, ?, ?, ?, ?, ?)", + schemName, schemOwner, validator, startTime, endTime, declineReason); } public static List getLastDeclined(UUID schemOwner){ @@ -53,7 +52,7 @@ public class CheckedSchematic { public static List getLastDelined(int schemOwner){ List lastDeclined = new LinkedList<>(); try{ - ResultSet lastRS = SQL.select("SELECT * FROM CheckedSchematic WHERE SchemOwner = '" + schemOwner + "' AND DeclineReason != '' ORDER BY EndTime DESC"); + ResultSet lastRS = SQL.select("SELECT * FROM CheckedSchematic WHERE SchemOwner = ? AND DeclineReason != '' ORDER BY EndTime DESC", schemOwner); while(lastRS.next()){ String schemName = lastRS.getString("SchemName"); int validator = lastRS.getInt("Validator"); @@ -69,7 +68,7 @@ public class CheckedSchematic { } public void remove() { - SQL.update("DELETE FROM CheckedSchematic WHERE SchemOwner = " + this.schemOwner + " AND SchemName = '" + this.schemName + "'"); + SQL.update("DELETE FROM CheckedSchematic WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName); } public String getSchemName() { diff --git a/SpigotCore_Main/src/de/steamwar/sql/DownloadSchematic.java b/SpigotCore_Main/src/de/steamwar/sql/DownloadSchematic.java index ed43cec..7c78950 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/DownloadSchematic.java +++ b/SpigotCore_Main/src/de/steamwar/sql/DownloadSchematic.java @@ -13,7 +13,7 @@ public class DownloadSchematic { private static final String BASE = "https://steamwar.de/download.php?schem="; public static String getLink(Schematic schem){ - ResultSet rs = SQL.select("SELECT * FROM SchemDownload WHERE SchemID = " + schem.getSchemID()); + ResultSet rs = SQL.select("SELECT * FROM SchemDownload WHERE SchemID = ?", schem.getSchemID()); try { if(rs.next()) return BASE + rs.getString("Link"); @@ -30,7 +30,7 @@ public class DownloadSchematic { cript.reset(); cript.update((Instant.now().toString() + schem.getSchemOwner() + schem.getSchemID()).getBytes()); String hash = DatatypeConverter.printHexBinary(cript.digest()); - SQL.update("INSERT INTO SchemDownload (SchemID, Link) VALUES (" + schem.getSchemID() + ", '" + hash + "')"); + SQL.update("INSERT INTO SchemDownload (SchemID, Link) VALUES (?, ?)", schem.getSchemID(), hash); return BASE + hash; } } diff --git a/SpigotCore_Main/src/de/steamwar/sql/Event.java b/SpigotCore_Main/src/de/steamwar/sql/Event.java index 2434212..7318320 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/Event.java +++ b/SpigotCore_Main/src/de/steamwar/sql/Event.java @@ -16,22 +16,22 @@ public class Event { private final int maximumTeamMembers; private final boolean publicSchemsOnly; - private Event(int eventID, String eventName, Timestamp start, Timestamp end, int maximumTeamMembers, boolean publicSchemsOnly){ - this.eventID = eventID; - this.eventName = eventName; - this.start = start; - this.end = end; - this.maximumTeamMembers = maximumTeamMembers; - this.publicSchemsOnly = publicSchemsOnly; + private Event(ResultSet rs) throws SQLException{ + this.eventID = rs.getInt("EventID"); + this.eventName = rs.getString("EventName"); + this.start = rs.getTimestamp("Start"); + this.end = rs.getTimestamp("End"); + this.maximumTeamMembers = rs.getInt("MaximumTeamMembers"); + this.publicSchemsOnly = rs.getBoolean("PublicSchemsOnly"); } public static Event get(int eventID){ - ResultSet rs = SQL.select("SELECT * FROM Event WHERE EventID = " + eventID); + ResultSet rs = SQL.select("SELECT * FROM Event WHERE EventID = ?", eventID); try{ if(!rs.next()) throw new IllegalArgumentException(); - return new Event(eventID, rs.getString("EventName"), rs.getTimestamp("Start"), rs.getTimestamp("End"), rs.getInt("MaximumTeamMembers"), rs.getBoolean("PublicSchemsOnly")); + return new Event(rs); }catch (SQLException e){ Bukkit.getLogger().log(Level.SEVERE, "Failed to load Event", e); throw new SecurityException(); diff --git a/SpigotCore_Main/src/de/steamwar/sql/EventFight.java b/SpigotCore_Main/src/de/steamwar/sql/EventFight.java index 65a31cb..79eafdc 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/EventFight.java +++ b/SpigotCore_Main/src/de/steamwar/sql/EventFight.java @@ -14,26 +14,20 @@ public class EventFight { private int kampfleiter; private int ergebnis; - private EventFight(int eventID, int fightID, int teamBlue, int teamRed, int kampfleiter, int ergebnis){ - this.eventID = eventID; - this.fightID = fightID; - this.teamBlue = teamBlue; - this.teamRed = teamRed; - this.kampfleiter = kampfleiter; - this.ergebnis = ergebnis; + private EventFight(ResultSet rs) throws SQLException{ + this.eventID = rs.getInt("EventID"); + this.fightID = rs.getInt("FightID"); + this.teamBlue = rs.getInt("TeamBlue"); + this.teamRed = rs.getInt("TeamRed"); + this.kampfleiter = rs.getInt("Kampfleiter"); + this.ergebnis = rs.getInt("Ergebnis"); } public static EventFight get(int fightID){ ResultSet rs = SQL.select("SELECT * FROM EventFight WHERE FightID = " + fightID); try{ rs.next(); - return new EventFight( - rs.getInt("EventID"), - fightID, - rs.getInt("TeamBlue"), - rs.getInt("TeamRed"), - rs.getInt("Kampfleiter"), - rs.getInt("Ergebnis")); + return new EventFight(rs); }catch (SQLException e){ Bukkit.getLogger().log(Level.SEVERE, "Failed to load EventFight", e); } @@ -41,7 +35,7 @@ public class EventFight { } public void setErgebnis(int winner){ - SQL.update("UPDATE EventFight SET Ergebnis = " + winner + " WHERE FightID = " + fightID); + SQL.update("UPDATE EventFight SET Ergebnis = ? WHERE FightID = ?", winner, fightID); } public int getTeamBlue() { diff --git a/SpigotCore_Main/src/de/steamwar/sql/Fight.java b/SpigotCore_Main/src/de/steamwar/sql/Fight.java index 54c2213..e21a894 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/Fight.java +++ b/SpigotCore_Main/src/de/steamwar/sql/Fight.java @@ -8,9 +8,8 @@ public class Fight { private Fight(){} public static int create(String gamemode, String arena, Timestamp starttime, int duration, int blueleader, int redleader, int blueschem, int redschem, int win, String wincondition){ - SQL.update("INSERT INTO Fight (GameMode, Arena, StartTime, Duration, BlueLeader, RedLeader, BlueSchem, RedSchem, Win, WinCondition) VALUES (" + - "'" + SQL.disarmString(gamemode) + "', '" + SQL.disarmString(arena) + "', '" + starttime.toString() + "', " + duration + ", " + blueleader + ", " + redleader + ", " + blueschem + ", " + redschem + ", " + win + ", '" + SQL.disarmString(wincondition) + "'" + - ")"); + SQL.update("INSERT INTO Fight (GameMode, Arena, StartTime, Duration, BlueLeader, RedLeader, BlueSchem, RedSchem, Win, WinCondition) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", + gamemode, arena, starttime, duration, blueleader, redleader,blueschem, redschem, win, wincondition); ResultSet rs = SQL.select("SELECT LAST_INSERT_ID() AS FightID"); try{ if(!rs.next()) diff --git a/SpigotCore_Main/src/de/steamwar/sql/FightPlayer.java b/SpigotCore_Main/src/de/steamwar/sql/FightPlayer.java index e5a98b2..72923e6 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/FightPlayer.java +++ b/SpigotCore_Main/src/de/steamwar/sql/FightPlayer.java @@ -4,8 +4,7 @@ public class FightPlayer { private FightPlayer(){} public static void create(int fightID, int userID, String kit, int kills, boolean isOut){ - SQL.update("INSERT INTO FightPlayer (FightID, UserID, Kit, Kills, IsOut) VALUES (" + - fightID + ", " + userID + ", '" + SQL.disarmString(kit) + "', " + kills + ", " + SQL.booleanToInt(isOut) + - ")"); + SQL.update("INSERT INTO FightPlayer (FightID, UserID, Kit, Kills, IsOut) VALUES (?, ?, ?, ?, ?)", + fightID, userID, kit, kills, isOut); } } diff --git a/SpigotCore_Main/src/de/steamwar/sql/PersonalKit.java b/SpigotCore_Main/src/de/steamwar/sql/PersonalKit.java index 7de0222..80d7f3f 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/PersonalKit.java +++ b/SpigotCore_Main/src/de/steamwar/sql/PersonalKit.java @@ -23,7 +23,7 @@ public class PersonalKit { } public static PersonalKit get(int userID, String gamemode){ - ResultSet rs = SQL.select("SELECT * FROM PersonalKit WHERE UserID = '" + userID + "' AND GameMode = '" + SQL.disarmString(gamemode) + "'"); + ResultSet rs = SQL.select("SELECT * FROM PersonalKit WHERE UserID = ? AND GameMode = ?", userID, gamemode); try { if(!rs.next()) return null; @@ -41,12 +41,8 @@ public class PersonalKit { YamlConfiguration armorConfig = new YamlConfiguration(); armorConfig.set("Armor", armor); - SQL.update("INSERT INTO PersonalKit" + - " (UserID, GameMode, Inventory, Armor)" + - " VALUES" + - " ('" + userID + "', '" + gamemode + "', '" + SQL.disarmString(inventoryConfig.saveToString()) + "', '" + SQL.disarmString(armorConfig.saveToString()) + "')" + - " ON DUPLICATE KEY UPDATE" + - " Inventory = VALUES(Inventory), Armor = VALUES(Armor)"); + SQL.update("INSERT INTO PersonalKit (UserID, GameMode, Inventory, Armor) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE Inventory = VALUES(Inventory), Armor = VALUES(Armor)", + userID, gamemode, inventoryConfig.saveToString(), armorConfig.saveToString()); return get(userID, gamemode); } diff --git a/SpigotCore_Main/src/de/steamwar/sql/SQL.java b/SpigotCore_Main/src/de/steamwar/sql/SQL.java index 8375a99..034eea8 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/SQL.java +++ b/SpigotCore_Main/src/de/steamwar/sql/SQL.java @@ -33,13 +33,6 @@ public class SQL { connect(); } - - static Integer booleanToInt(boolean b){ - if(b) - return 1; - else - return 0; - } public static void closeConnection() { try { @@ -48,45 +41,53 @@ public class SQL { throw new SecurityException("Could not close connection", e); } } - - static Connection getCon(){ - return con; - } - static void update(String qry) { + static void update(String qry, Object... objects) { try { - PreparedStatement st = con.prepareStatement(qry); - st.executeUpdate(); + prepare(qry, objects).executeUpdate(); } catch (SQLException e) { reconnect(); try { - PreparedStatement st = con.prepareStatement(qry); - st.executeUpdate(); + prepare(qry, objects).executeUpdate(); } catch (SQLException ex) { throw new SecurityException("Could not perform update", ex); } } } - - static ResultSet select(String qry) { + + static ResultSet select(String qry, Object... objects){ try { - PreparedStatement st = con.prepareStatement(qry); - return st.executeQuery(); + return prepare(qry, objects).executeQuery(); } catch (SQLException e) { reconnect(); try { - PreparedStatement st = con.prepareStatement(qry); - return st.executeQuery(); + return prepare(qry, objects).executeQuery(); } catch (SQLException ex) { throw new SecurityException("Could not perform select", ex); } } } - static String disarmString(String s){ - return s.replace("'", ""); + static Blob blob(){ + try { + return con.createBlob(); + } catch (SQLException e) { + reconnect(); + try { + return con.createBlob(); + } catch (SQLException ex) { + throw new SecurityException("Could not create blob", ex); + } + } } + private static PreparedStatement prepare(String qry, Object... objects) throws SQLException{ + PreparedStatement st = con.prepareStatement(qry); + for(int i = 0; i < objects.length; i++){ + st.setObject(i+1, objects[i]); + } + return st; + } private static void connect() { try { diff --git a/SpigotCore_Main/src/de/steamwar/sql/SWException.java b/SpigotCore_Main/src/de/steamwar/sql/SWException.java index d65aa94..2a285bc 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/SWException.java +++ b/SpigotCore_Main/src/de/steamwar/sql/SWException.java @@ -13,7 +13,7 @@ public class SWException { if(logDisabled) return; - String server = SQL.disarmString(Bukkit.getWorlds().get(0).getName()); + String server = Bukkit.getWorlds().get(0).getName(); StringBuilder stacktrace = new StringBuilder(logEvent.getSource().toString()); Throwable throwable = logEvent.getThrown(); @@ -40,6 +40,7 @@ public class SWException { for(Player player : Bukkit.getOnlinePlayers()) message += player.getName() + " "; - SQL.update("INSERT INTO Exception (server, message, stacktrace) VALUES ('" + server + "', '" + SQL.disarmString(message) + "', '" + SQL.disarmString(stacktrace.toString()) + "')"); + SQL.update("INSERT INTO Exception (server, message, stacktrace) VALUES (?, ?, ?)", + server, message, stacktrace.toString()); } } diff --git a/SpigotCore_Main/src/de/steamwar/sql/Schematic.java b/SpigotCore_Main/src/de/steamwar/sql/Schematic.java index d8ddf43..1562406 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/Schematic.java +++ b/SpigotCore_Main/src/de/steamwar/sql/Schematic.java @@ -4,11 +4,9 @@ import com.sk89q.worldedit.extent.clipboard.Clipboard; import de.steamwar.core.Core; import org.bukkit.entity.Player; -import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.sql.Blob; -import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.util.ArrayList; @@ -42,12 +40,8 @@ public class Schematic { } public static void createSchem(String schemName, int schemOwner, String item, SchematicType schemType){ - SQL.update("INSERT INTO Schematic" + - " (SchemName, SchemOwner, Item, SchemType)" + - " VALUES" + - " ('" + schemName + "', '" + schemOwner + "', '" + item + "', '" + schemType.toDB() + "')" + - " ON DUPLICATE KEY UPDATE" + - " Item = VALUES(Item), SchemType = VALUES(SchemType)"); + SQL.update("INSERT INTO Schematic (SchemName, SchemOwner, Item, SchemType) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE Item = VALUES(Item), SchemType = VALUES(SchemType)", + schemName, schemOwner, item, schemType.toDB()); } public static Schematic getSchemFromDB(String schemName, UUID schemOwner){ @@ -55,8 +49,7 @@ public class Schematic { } public static Schematic getSchemFromDB(String schemName, int schemOwner){ - schemName = SQL.disarmString(schemName); - ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'"); + ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemName = ? AND SchemOwner = ?", schemName, schemOwner); try { if(schematic == null || !schematic.next()){ SchematicMember member = SchematicMember.getMemberBySchematic(schemName, schemOwner); @@ -77,7 +70,7 @@ public class Schematic { public static List getSchemsAccessibleByUser(int schemOwner){ try{ - ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemOwner = '" + schemOwner + "' ORDER BY SchemName"); + ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemOwner = ? ORDER BY SchemName", schemOwner); List schematics = new ArrayList<>(); while(schematic.next()){ schematics.add(new Schematic(schematic)); @@ -107,7 +100,7 @@ public class Schematic { public static List getAllSchemsOfType(SchematicType schemType){ try{ - ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemType = '" + schemType.toDB() + "'"); + ResultSet schematic = SQL.select("SELECT SchemID, SchemName, SchemOwner, Item, SchemType, SchemFormat FROM Schematic WHERE SchemType = ?", schemType.toDB()); List schematics = new ArrayList<>(); while(schematic.next()){ schematics.add(new Schematic(schematic)); @@ -156,7 +149,7 @@ public class Schematic { if(Core.getVersion() <= 12 && schemFormat) throw new WrongVersionException(); - ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = " + schemID); + ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = ?", schemID); try { rs.next(); Blob schemData = rs.getBlob("SchemData"); @@ -186,7 +179,7 @@ public class Schematic { if(Core.getVersion() <= 12 && schemFormat) throw new WrongVersionException(); - ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = " + schemID); + ResultSet rs = SQL.select("SELECT SchemData FROM Schematic WHERE SchemID = ?", schemID); try { rs.next(); Blob blob = rs.getBlob("SchemData"); @@ -227,34 +220,31 @@ public class Schematic { private void saveFromPlayer(Player player, boolean newFormat) throws IOException, NoClipboardException { try{ - PreparedStatement st = SQL.getCon().prepareStatement("UPDATE Schematic SET SchemData = ?, SchemFormat = ? WHERE SchemID = " + schemID); - byte[] data; + Blob blob = SQL.blob(); switch(Core.getVersion()){ case 8: newFormat = false; - data = Schematic_8.getPlayerClipboard(player); + blob.setBytes(1, Schematic_8.getPlayerClipboard(player)); break; case 9: newFormat = false; - data = Schematic_9.getPlayerClipboard(player); + blob.setBytes(1, Schematic_9.getPlayerClipboard(player)); break; case 10: newFormat = false; - data = Schematic_10.getPlayerClipboard(player); + blob.setBytes(1, Schematic_10.getPlayerClipboard(player)); break; case 14: - data = Schematic_14.getPlayerClipboard(player, newFormat); + blob.setBytes(1, Schematic_14.getPlayerClipboard(player, newFormat)); break; case 15: - data = Schematic_15.getPlayerClipboard(player, newFormat); + blob.setBytes(1, Schematic_15.getPlayerClipboard(player, newFormat)); break; default: newFormat = false; - data = Schematic_12.getPlayerClipboard(player); + blob.setBytes(1, Schematic_12.getPlayerClipboard(player)); } - st.setBlob(1, new ByteArrayInputStream(data)); - st.setBoolean(2, newFormat); - st.executeUpdate(); + SQL.update("UPDATE Schematic SET SchemData = ?, SchemFormat = ? WHERE SchemID = ?", blob, newFormat, schemID); schemFormat = newFormat; }catch(SQLException e){ throw new IOException(e); @@ -262,8 +252,8 @@ public class Schematic { } public void remove(){ - SQL.update("DELETE FROM SchemMember WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "'"); - SQL.update("DELETE FROM Schematic WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "'"); + SQL.update("DELETE FROM SchemMember WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName); + SQL.update("DELETE FROM Schematic WHERE SchemOwner = ? AND SchemName = ?", schemOwner, schemName); } public static class WrongVersionException extends Exception{} diff --git a/SpigotCore_Main/src/de/steamwar/sql/SchematicMember.java b/SpigotCore_Main/src/de/steamwar/sql/SchematicMember.java index 4fb7c5e..3a22741 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/SchematicMember.java +++ b/SpigotCore_Main/src/de/steamwar/sql/SchematicMember.java @@ -28,10 +28,7 @@ public class SchematicMember { } private void updateDB(){ - SQL.update("INSERT INTO SchemMember" + - " (SchemName, SchemOwner, Member)" + - " VALUES" + - " ('" + schemName + "', '" + schemOwner + "', '" + member + "')"); + SQL.update("INSERT INTO SchemMember (SchemName, SchemOwner, Member) VALUES (?, ?, ?)", schemName, schemOwner, member); } public static SchematicMember getSchemMemberFromDB(String schemName, UUID schemOwner, UUID schemMember){ @@ -39,7 +36,7 @@ public class SchematicMember { } public static SchematicMember getSchemMemberFromDB(String schemName, int schemOwner, int schemMember){ - ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "' AND Member = '" + schemMember + "'"); + ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND SchemOwner = ? AND Member = ?", schemName, schemOwner, schemMember); try { if(schematicMember == null || !schematicMember.next()){ return null; @@ -51,7 +48,7 @@ public class SchematicMember { } public static SchematicMember getMemberBySchematic(String schemName, int schemMember){ - ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND Member = '" + schemMember + "'"); + ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND Member = ?", schemName, schemMember); try { if(schematicMember == null || !schematicMember.next()){ return null; @@ -68,7 +65,7 @@ public class SchematicMember { } public static List getSchemMembers(String schemName, int schemOwner){ - ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = '" + schemName + "' AND SchemOwner = '" + schemOwner + "'"); + ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE SchemName = ? AND SchemOwner = ?", schemName, schemOwner); try { List schematicMembers = new ArrayList<>(); while(schematicMember.next()){ @@ -86,7 +83,7 @@ public class SchematicMember { } public static List getAccessibleSchems(int schemMember){ - ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE Member = '" + schemMember + "'"); + ResultSet schematicMember = SQL.select("SELECT * FROM SchemMember WHERE Member = ?", schemMember); try { List schematicMembers = new ArrayList<>(); while(schematicMember.next()){ @@ -113,6 +110,6 @@ public class SchematicMember { } public void remove(){ - SQL.update("DELETE FROM SchemMember WHERE SchemOwner = " + schemOwner + " AND SchemName = '" + schemName + "' AND Member = '" + member + "'"); + SQL.update("DELETE FROM SchemMember WHERE SchemOwner = ? AND SchemName = ? AND Member = ?", schemOwner, schemName, member); } } diff --git a/SpigotCore_Main/src/de/steamwar/sql/SteamwarUser.java b/SpigotCore_Main/src/de/steamwar/sql/SteamwarUser.java index 55a1df2..ea2eac9 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/SteamwarUser.java +++ b/SpigotCore_Main/src/de/steamwar/sql/SteamwarUser.java @@ -63,8 +63,8 @@ public class SteamwarUser { return team; } - private static SteamwarUser fromDB(String statement){ - ResultSet rs = SQL.select(statement); + private static SteamwarUser fromDB(String statement, Object identifier){ + ResultSet rs = SQL.select(statement, identifier); try { if(rs.next()) return new SteamwarUser(rs); @@ -75,24 +75,23 @@ public class SteamwarUser { } public static SteamwarUser get(String userName){ - userName = SQL.disarmString(userName); SteamwarUser user = byName.get(userName.toLowerCase()); if(user == null) - user = fromDB("SELECT * FROM UserData WHERE lower(UserName) = '" + userName.toLowerCase() + "'"); + user = fromDB("SELECT * FROM UserData WHERE lower(UserName) = ?", userName.toLowerCase()); return user; } public static SteamwarUser get(UUID uuid){ SteamwarUser user = byUUID.get(uuid); if(user == null) - user = fromDB("SELECT * FROM UserData WHERE UUID = '" + uuid.toString() + "'"); + user = fromDB("SELECT * FROM UserData WHERE UUID = ?", uuid.toString()); return user; } public static SteamwarUser get(int id) { SteamwarUser user = byId.get(id); if(user == null) - user = fromDB("SELECT * FROM UserData WHERE id = '" + id + "'"); + user = fromDB("SELECT * FROM UserData WHERE id = ?", id); return user; } } diff --git a/SpigotCore_Main/src/de/steamwar/sql/Team.java b/SpigotCore_Main/src/de/steamwar/sql/Team.java index f82680e..2edd036 100644 --- a/SpigotCore_Main/src/de/steamwar/sql/Team.java +++ b/SpigotCore_Main/src/de/steamwar/sql/Team.java @@ -27,7 +27,7 @@ public class Team { public static Team get(int id){ if(id == 0) return pub; - ResultSet rs = SQL.select("SELECT * FROM Team WHERE TeamID = " + id); + ResultSet rs = SQL.select("SELECT * FROM Team WHERE TeamID = ?", id); try { if(!rs.next()) return null; @@ -55,7 +55,7 @@ public class Team { public List getMembers(){ try{ - ResultSet memberlist = SQL.select("SELECT id FROM UserData WHERE Team = '" + teamId + "'"); + ResultSet memberlist = SQL.select("SELECT id FROM UserData WHERE Team = ?", teamId); List members = new LinkedList<>(); while(memberlist.next()) members.add(memberlist.getInt("id"));