更新了数据库查询方式,避免注入
This commit is contained in:
parent
df812863d0
commit
f714526248
@ -13,8 +13,8 @@ public class PlayerInfoDTO {
|
|||||||
|
|
||||||
public static PlayerInfoDTO get(UUID uuid) {
|
public static PlayerInfoDTO get(UUID uuid) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql = "SELECT uuid, coin, using_title_id FROM mplt_player_info WHERE uuid = '" + uuid.toString() + "';";
|
sql = "SELECT uuid, coin, using_title_id FROM mplt_player_info WHERE uuid = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, uuid)) {
|
||||||
if (rs.next()) return getPlayerInfoDTO(rs);
|
if (rs.next()) return getPlayerInfoDTO(rs);
|
||||||
else return create(uuid);
|
else return create(uuid);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
@ -26,9 +26,9 @@ public class PlayerInfoDTO {
|
|||||||
private static PlayerInfoDTO create(UUID uuid) {
|
private static PlayerInfoDTO create(UUID uuid) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql = "INSERT INTO mplt_player_info (uuid, coin) " +
|
sql = "INSERT INTO mplt_player_info (uuid, coin) " +
|
||||||
"VALUES ('" + uuid.toString() + "', " + MiniPlayerTitle.config.getDefaultCoin() + ") " +
|
"VALUES (?, ?) " +
|
||||||
"ON CONFLICT DO NOTHING;";
|
"ON CONFLICT DO NOTHING;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, uuid, MiniPlayerTitle.config.getDefaultCoin())) {
|
||||||
return get(uuid);
|
return get(uuid);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
MiniPlayerTitle.database.handleDatabaseError("创建玩家信息失败", e, sql);
|
MiniPlayerTitle.database.handleDatabaseError("创建玩家信息失败", e, sql);
|
||||||
@ -54,8 +54,8 @@ public class PlayerInfoDTO {
|
|||||||
|
|
||||||
public boolean setUsingTitle(TitleDTO title) {
|
public boolean setUsingTitle(TitleDTO title) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql = "UPDATE mplt_player_info SET using_title_id = " + title.getId() + " WHERE uuid = '" + uuid.toString() + "';";
|
sql = "UPDATE mplt_player_info SET using_title_id = ? WHERE uuid = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, title.getId(), uuid)) {
|
||||||
return true;
|
return true;
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
MiniPlayerTitle.database.handleDatabaseError("设置玩家使用称号失败", e, sql);
|
MiniPlayerTitle.database.handleDatabaseError("设置玩家使用称号失败", e, sql);
|
||||||
@ -69,8 +69,8 @@ public class PlayerInfoDTO {
|
|||||||
|
|
||||||
public boolean setCoin(Integer coin) {
|
public boolean setCoin(Integer coin) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql = "UPDATE mplt_player_info SET coin = " + coin + " WHERE uuid = '" + uuid.toString() + "';";
|
sql = "UPDATE mplt_player_info SET coin = ? WHERE uuid = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, coin, uuid)) {
|
||||||
this.coin = coin;
|
this.coin = coin;
|
||||||
return true;
|
return true;
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
|
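Review bot: `get(UUID uuid)` now binds the `java.util.UUID` object itself at `query(sql, uuid)` where the old string used `uuid.toString()`, so the parameter's SQL type now depends on how `MiniPlayerTitle.database.query` maps its varargs (not shown in this diff) and on whether `mplt_player_info.uuid` is a native `uuid` column or text; if the backend is PostgreSQL and the column is text, a `varchar = uuid` comparison is rejected at execute time rather than matching nothing. If the column is text, bind the string to keep the previous wire type: `MiniPlayerTitle.database.query(sql, uuid.toString())`. The same applies to `create(UUID)`, `setUsingTitle` and `setCoin` in this file and to the `player_uuid` bindings in PlayerTitleDTO. `setCoin(Integer coin)` also passes a possibly-null boxed value straight through; whether `query` turns a null argument into a typed `setNull` is not visible either.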
@ -52,13 +52,13 @@ public class PlayerTitleDTO {
|
|||||||
sql += "INSERT INTO mplt_player_title (player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d) ";
|
sql += "INSERT INTO mplt_player_title (player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d) ";
|
||||||
|
|
||||||
if (expire_at == null) {
|
if (expire_at == null) {
|
||||||
sql += "VALUES ('" + player_uuid.toString() + "', " + title.getId() + ", -1, -1, -1) ";
|
sql += "VALUES (?, ? , -1, -1, -1) ";
|
||||||
} else {
|
} else {
|
||||||
sql += "VALUES ('" + player_uuid.toString() + "', " + title.getId() + ", " + expire_at.getYear() + ", " + expire_at.getMonthValue() + ", " + expire_at.getDayOfMonth() + ") ";
|
sql += "VALUES (?, ?, " + expire_at.getYear() + ", " + expire_at.getMonthValue() + ", " + expire_at.getDayOfMonth() + ") ";
|
||||||
}
|
}
|
||||||
sql += "RETURNING " +
|
sql += "RETURNING " +
|
||||||
"id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d;";
|
"id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, player_uuid, title.getId())) {
|
||||||
if (rs.next()) {
|
if (rs.next()) {
|
||||||
return getRs(rs);
|
return getRs(rs);
|
||||||
}
|
}
|
||||||
@ -71,8 +71,8 @@ public class PlayerTitleDTO {
|
|||||||
public static PlayerTitleDTO get(Integer id) {
|
public static PlayerTitleDTO get(Integer id) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "SELECT id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d FROM mplt_player_title " +
|
sql += "SELECT id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d FROM mplt_player_title " +
|
||||||
"WHERE id = " + id + ";";
|
"WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, id)) {
|
||||||
if (rs.next()) {
|
if (rs.next()) {
|
||||||
return getRs(rs);
|
return getRs(rs);
|
||||||
}
|
}
|
||||||
@ -101,9 +101,9 @@ public class PlayerTitleDTO {
|
|||||||
public static List<PlayerTitleDTO> getAllOf(UUID player_uuid) {
|
public static List<PlayerTitleDTO> getAllOf(UUID player_uuid) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "SELECT id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d FROM mplt_player_title " +
|
sql += "SELECT id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d FROM mplt_player_title " +
|
||||||
"WHERE player_uuid = '" + player_uuid.toString() + "';";
|
"WHERE player_uuid = ?;";
|
||||||
List<PlayerTitleDTO> playerTitles = new ArrayList<>();
|
List<PlayerTitleDTO> playerTitles = new ArrayList<>();
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, player_uuid)) {
|
||||||
while (rs.next()) {
|
while (rs.next()) {
|
||||||
playerTitles.add(getRs(rs));
|
playerTitles.add(getRs(rs));
|
||||||
}
|
}
|
||||||
|
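Review bot: The `else` branch still concatenates `expire_at.getYear()`, `getMonthValue()` and `getDayOfMonth()` into the VALUES clause while the first two columns are bound; the values are ints from a date object so this is not an injection path, but it leaves two differently shaped statements for one INSERT, with the `-1` sentinels in the other branch as literals too. Binding all five columns with one statement removes the branch from the SQL text and keeps the bind list in column order. The method that builds this INSERT begins above the hunk, so the `sql` and `expire_at` declarations are not visible here; the new `VALUES (?, ? , -1, -1, -1)` also has a stray space before its second comma.
```java
// … unchanged: sql += "INSERT INTO mplt_player_title (player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d) " …
int expireY = -1, expireM = -1, expireD = -1;
if (expire_at != null) {
    expireY = expire_at.getYear();
    expireM = expire_at.getMonthValue();
    expireD = expire_at.getDayOfMonth();
}
sql += "VALUES (?, ?, ?, ?, ?) ";
// … unchanged: sql += "RETURNING " + "id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d;" …
try (ResultSet rs = MiniPlayerTitle.database.query(sql, player_uuid, title.getId(), expireY, expireM, expireD)) {
```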
@ -30,10 +30,10 @@ public class TitleDTO {
|
|||||||
public static TitleDTO create(String title, String description) {
|
public static TitleDTO create(String title, String description) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "INSERT INTO mplt_title (title, description) " +
|
sql += "INSERT INTO mplt_title (title, description) " +
|
||||||
"VALUES ('" + title + "', '" + description + "') " +
|
"VALUES (?, ?) " +
|
||||||
"RETURNING " +
|
"RETURNING " +
|
||||||
"id, title, description;";
|
"id, title, description;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, title, description)) {
|
||||||
if (rs.next()) return getTitleDTO(rs);
|
if (rs.next()) return getTitleDTO(rs);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
MiniPlayerTitle.database.handleDatabaseError("创建称号失败", e, sql);
|
MiniPlayerTitle.database.handleDatabaseError("创建称号失败", e, sql);
|
||||||
@ -43,8 +43,8 @@ public class TitleDTO {
|
|||||||
|
|
||||||
public static boolean delete(int id) {
|
public static boolean delete(int id) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "DELETE FROM mplt_title WHERE id = " + id + ";";
|
sql += "DELETE FROM mplt_title WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, id)) {
|
||||||
if (rs != null && rs.next()) {
|
if (rs != null && rs.next()) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -126,8 +126,8 @@ public class TitleDTO {
|
|||||||
|
|
||||||
public boolean updateTitle(String title) {
|
public boolean updateTitle(String title) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "UPDATE mplt_title SET title = '" + title + "' WHERE id = " + this.id + ";";
|
sql += "UPDATE mplt_title SET title = ? WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, title, this.id)) {
|
||||||
if (rs != null && rs.next()) {
|
if (rs != null && rs.next()) {
|
||||||
this.title = title;
|
this.title = title;
|
||||||
return true;
|
return true;
|
||||||
@ -140,8 +140,8 @@ public class TitleDTO {
|
|||||||
|
|
||||||
public boolean updateDescription(String description) {
|
public boolean updateDescription(String description) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "UPDATE mplt_title SET description = '" + description + "' WHERE id = " + this.id + ";";
|
sql += "UPDATE mplt_title SET description = ? WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, description, this.id)) {
|
||||||
if (rs != null && rs.next()) {
|
if (rs != null && rs.next()) {
|
||||||
this.description = description;
|
this.description = description;
|
||||||
return true;
|
return true;
|
||||||
|
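Review bot: `delete(int id)`, `updateTitle` and `updateDescription` use `rs != null && rs.next()` as the success signal, yet the new statements (`DELETE FROM mplt_title WHERE id = ?;`, `UPDATE mplt_title SET title = ? WHERE id = ?;`) carry no `RETURNING` clause, so whether the `ResultSet` from `MiniPlayerTitle.database.query` ever yields a row for them depends on that helper's implementation, which is not in the diff; with a plain `executeQuery` on a DML statement these methods fall through to `return false` (or into the catch) even when the row was changed. `updateTitle` and `updateDescription` also assign `this.title` / `this.description` only inside that branch, so the in-memory object and the database can diverge after a successful update. A helper variant that issues `executeUpdate` and returns the affected-row count would make the boolean honest, e.g. `return affectedRows > 0;` with the field assignment guarded by the same test.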
@ -29,8 +29,8 @@ public class TitleShopDTO {
|
|||||||
|
|
||||||
public boolean setPrice(int price) {
|
public boolean setPrice(int price) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "UPDATE mplt_title_shop SET price = " + price + " WHERE id = " + id + ";";
|
sql += "UPDATE mplt_title_shop SET price = ? WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, price, id)) {
|
||||||
return true;
|
return true;
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
MiniPlayerTitle.database.handleDatabaseError("设置称号商店价格失败", e, sql);
|
MiniPlayerTitle.database.handleDatabaseError("设置称号商店价格失败", e, sql);
|
||||||
@ -44,8 +44,8 @@ public class TitleShopDTO {
|
|||||||
|
|
||||||
public boolean setDays(int days) {
|
public boolean setDays(int days) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "UPDATE mplt_title_shop SET days = " + days + " WHERE id = " + id + ";";
|
sql += "UPDATE mplt_title_shop SET days = ? WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, days, id)) {
|
||||||
return true;
|
return true;
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
MiniPlayerTitle.database.handleDatabaseError("设置称号商店天数失败", e, sql);
|
MiniPlayerTitle.database.handleDatabaseError("设置称号商店天数失败", e, sql);
|
||||||
@ -59,8 +59,8 @@ public class TitleShopDTO {
|
|||||||
|
|
||||||
public boolean setAmount(int amount) {
|
public boolean setAmount(int amount) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "UPDATE mplt_title_shop SET amount = " + amount + " WHERE id = " + id + ";";
|
sql += "UPDATE mplt_title_shop SET amount = ? WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, amount, id)) {
|
||||||
return true;
|
return true;
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
MiniPlayerTitle.database.handleDatabaseError("设置称号商店数量失败", e, sql);
|
MiniPlayerTitle.database.handleDatabaseError("设置称号商店数量失败", e, sql);
|
||||||
@ -73,20 +73,13 @@ public class TitleShopDTO {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public boolean setSaleEndAt(LocalDateTime dateTime) {
|
public boolean setSaleEndAt(LocalDateTime dateTime) {
|
||||||
String sql = "";
|
return setSaleEndAt(dateTime.getYear(), dateTime.getMonthValue(), dateTime.getDayOfMonth());
|
||||||
sql += "UPDATE mplt_title_shop SET sale_end_at_y = " + dateTime.getYear() + ", sale_end_at_m = " + dateTime.getMonthValue() + ", sale_end_at_d = " + dateTime.getDayOfMonth() + " WHERE id = " + id + ";";
|
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
|
||||||
return true;
|
|
||||||
} catch (Exception e) {
|
|
||||||
MiniPlayerTitle.database.handleDatabaseError("设置称号商店销售结束时间失败", e, sql);
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean setSaleEndAt(int y, int m, int d) {
|
public boolean setSaleEndAt(int y, int m, int d) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "UPDATE mplt_title_shop SET sale_end_at_y = " + y + ", sale_end_at_m = " + m + ", sale_end_at_d = " + d + " WHERE id = " + id + ";";
|
sql += "UPDATE mplt_title_shop SET sale_end_at_y = ?, sale_end_at_m = ?, sale_end_at_d = ? WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, y, m, d, id)) {
|
||||||
return true;
|
return true;
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
MiniPlayerTitle.database.handleDatabaseError("设置称号商店销售结束时间失败", e, sql);
|
MiniPlayerTitle.database.handleDatabaseError("设置称号商店销售结束时间失败", e, sql);
|
||||||
@ -97,8 +90,8 @@ public class TitleShopDTO {
|
|||||||
public static TitleShopDTO get(Integer id) {
|
public static TitleShopDTO get(Integer id) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "SELECT id, title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d " +
|
sql += "SELECT id, title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d " +
|
||||||
"FROM mplt_title_shop WHERE id = " + id + ";";
|
"FROM mplt_title_shop WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, id)) {
|
||||||
if (rs.next()) {
|
if (rs.next()) {
|
||||||
return getTitleShop(rs);
|
return getTitleShop(rs);
|
||||||
}
|
}
|
||||||
@ -145,10 +138,10 @@ public class TitleShopDTO {
|
|||||||
public static TitleShopDTO create(TitleDTO title) {
|
public static TitleShopDTO create(TitleDTO title) {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "INSERT INTO mplt_title_shop (title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d) " +
|
sql += "INSERT INTO mplt_title_shop (title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d) " +
|
||||||
"VALUES (" + title.getId() + ", 0, -1, 0, -1, -1, -1) " +
|
"VALUES (?, 0, -1, 0, -1, -1, -1) " +
|
||||||
"RETURNING " +
|
"RETURNING " +
|
||||||
"id, title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d;";
|
"id, title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, title.getId())) {
|
||||||
if (rs.next()) {
|
if (rs.next()) {
|
||||||
return getTitleShop(rs);
|
return getTitleShop(rs);
|
||||||
}
|
}
|
||||||
@ -160,8 +153,8 @@ public class TitleShopDTO {
|
|||||||
|
|
||||||
public boolean delete() {
|
public boolean delete() {
|
||||||
String sql = "";
|
String sql = "";
|
||||||
sql += "DELETE FROM mplt_title_shop WHERE id = " + id + ";";
|
sql += "DELETE FROM mplt_title_shop WHERE id = ?;";
|
||||||
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
|
try (ResultSet rs = MiniPlayerTitle.database.query(sql, id)) {
|
||||||
return true;
|
return true;
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
MiniPlayerTitle.database.handleDatabaseError("删除称号商店失败", e, sql);
|
MiniPlayerTitle.database.handleDatabaseError("删除称号商店失败", e, sql);
|
||||||
|
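Review bot: `setPrice`, `setDays`, `setAmount`, `setSaleEndAt(int, int, int)` and `delete()` return `true` from inside the `try` as soon as `query` returns, regardless of whether any row matched `WHERE id = ?`, while `TitleDTO` decides the same kind of update by `rs.next()`, so the two DTOs disagree on what a `boolean` result means; the same unconditional `return true` appears in `PlayerInfoDTO.setUsingTitle` and `setCoin`. The `ResultSet` opened for these UPDATE/DELETE statements is never read, and on some drivers executing DML through a query path is itself an error; an affected-row count from `executeUpdate` would serve both the return value and the check. `setSaleEndAt(int y, int m, int d)` also binds any three ints; since `-1, -1, -1` is the no-end-date sentinel `create` writes, a guard such as `if (!(y == -1 && m == -1 && d == -1)) LocalDate.of(y, m, d);` before the query would reject an impossible date (via `DateTimeException`) before it is stored.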