更新了数据库查询方式,避免注入

This commit is contained in:
zhangyuheng 2024-05-21 13:00:12 +08:00
parent df812863d0
commit f714526248
4 changed files with 38 additions and 45 deletions


@ -13,8 +13,8 @@ public class PlayerInfoDTO {
public static PlayerInfoDTO get(UUID uuid) {
String sql = "";
sql = "SELECT uuid, coin, using_title_id FROM mplt_player_info WHERE uuid = '" + uuid.toString() + "';";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql = "SELECT uuid, coin, using_title_id FROM mplt_player_info WHERE uuid = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, uuid)) {
if (rs.next()) return getPlayerInfoDTO(rs);
else return create(uuid);
} catch (Exception e) {
@ -26,9 +26,9 @@ public class PlayerInfoDTO {
private static PlayerInfoDTO create(UUID uuid) {
String sql = "";
sql = "INSERT INTO mplt_player_info (uuid, coin) " +
"VALUES ('" + uuid.toString() + "', " + MiniPlayerTitle.config.getDefaultCoin() + ") " +
"VALUES (?, ?) " +
"ON CONFLICT DO NOTHING;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
try (ResultSet rs = MiniPlayerTitle.database.query(sql, uuid, MiniPlayerTitle.config.getDefaultCoin())) {
return get(uuid);
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("创建玩家信息失败", e, sql);
@ -54,8 +54,8 @@ public class PlayerInfoDTO {
public boolean setUsingTitle(TitleDTO title) {
String sql = "";
sql = "UPDATE mplt_player_info SET using_title_id = " + title.getId() + " WHERE uuid = '" + uuid.toString() + "';";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql = "UPDATE mplt_player_info SET using_title_id = ? WHERE uuid = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, title.getId(), uuid)) {
return true;
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("设置玩家使用称号失败", e, sql);
@ -69,8 +69,8 @@ public class PlayerInfoDTO {
public boolean setCoin(Integer coin) {
String sql = "";
sql = "UPDATE mplt_player_info SET coin = " + coin + " WHERE uuid = '" + uuid.toString() + "';";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql = "UPDATE mplt_player_info SET coin = ? WHERE uuid = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, coin, uuid)) {
this.coin = coin;
return true;
} catch (Exception e) {
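Review bot: The new bindings in get, create, setUsingTitle and setCoin (and in the insert and getAllOf of PlayerTitleDTO) pass the `UUID` object where the replaced statements embedded `uuid.toString()`; whether that binds as the same text value depends on how `MiniPlayerTitle.database.query` forwards its varargs, which is not in the diff, and a driver that maps `java.util.UUID` to a native type could stop matching rows stored as text. Binding the string form keeps the stored representation exactly as before: `try (ResultSet rs = MiniPlayerTitle.database.query(sql, uuid.toString())) {`, and likewise `query(sql, uuid.toString(), MiniPlayerTitle.config.getDefaultCoin())` in create. Passing the placeholder template rather than the concatenated statement to `handleDatabaseError` is a clear gain, since caller-influenced values no longer reach the log. The bodies of all four methods continue past their hunks.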


@ -52,13 +52,13 @@ public class PlayerTitleDTO {
sql += "INSERT INTO mplt_player_title (player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d) ";
if (expire_at == null) {
sql += "VALUES ('" + player_uuid.toString() + "', " + title.getId() + ", -1, -1, -1) ";
sql += "VALUES (?, ? , -1, -1, -1) ";
} else {
sql += "VALUES ('" + player_uuid.toString() + "', " + title.getId() + ", " + expire_at.getYear() + ", " + expire_at.getMonthValue() + ", " + expire_at.getDayOfMonth() + ") ";
sql += "VALUES (?, ?, " + expire_at.getYear() + ", " + expire_at.getMonthValue() + ", " + expire_at.getDayOfMonth() + ") ";
}
sql += "RETURNING " +
"id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
try (ResultSet rs = MiniPlayerTitle.database.query(sql, player_uuid, title.getId())) {
if (rs.next()) {
return getRs(rs);
}
@ -71,8 +71,8 @@ public class PlayerTitleDTO {
public static PlayerTitleDTO get(Integer id) {
String sql = "";
sql += "SELECT id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d FROM mplt_player_title " +
"WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
"WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, id)) {
if (rs.next()) {
return getRs(rs);
}
@ -101,9 +101,9 @@ public class PlayerTitleDTO {
public static List<PlayerTitleDTO> getAllOf(UUID player_uuid) {
String sql = "";
sql += "SELECT id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d FROM mplt_player_title " +
"WHERE player_uuid = '" + player_uuid.toString() + "';";
"WHERE player_uuid = ?;";
List<PlayerTitleDTO> playerTitles = new ArrayList<>();
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
try (ResultSet rs = MiniPlayerTitle.database.query(sql, player_uuid)) {
while (rs.next()) {
playerTitles.add(getRs(rs));
}
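Review bot: The non-null branch of the insert still concatenates `expire_at.getYear()`, `expire_at.getMonthValue()` and `expire_at.getDayOfMonth()` into the statement while the null branch writes `-1` literals, so one query keeps two statement shapes after a commit whose purpose is to bind values. The values are ints from java.time accessors, so this is not an injection path, but binding them too makes the statement a constant and the placeholder count uniform for the single `query` call below. The method's signature is above the hunk, so the declared type of `expire_at` is not visible; I assume only that it exposes the three accessors the hunk already calls. The stray space in `(?, ? , -1` goes away with it.
```java
// … unchanged: sql initialisation and the INSERT INTO … column list …
int expireY = expire_at == null ? -1 : expire_at.getYear();
int expireM = expire_at == null ? -1 : expire_at.getMonthValue();
int expireD = expire_at == null ? -1 : expire_at.getDayOfMonth();
sql += "VALUES (?, ?, ?, ?, ?) ";
sql += "RETURNING " +
        "id, player_uuid, title_id, expire_at_y, expire_at_m, expire_at_d;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, player_uuid, title.getId(), expireY, expireM, expireD)) {
// … unchanged: result handling …
```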


@ -30,10 +30,10 @@ public class TitleDTO {
public static TitleDTO create(String title, String description) {
String sql = "";
sql += "INSERT INTO mplt_title (title, description) " +
"VALUES ('" + title + "', '" + description + "') " +
"VALUES (?, ?) " +
"RETURNING " +
"id, title, description;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
try (ResultSet rs = MiniPlayerTitle.database.query(sql, title, description)) {
if (rs.next()) return getTitleDTO(rs);
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("创建称号失败", e, sql);
@ -43,8 +43,8 @@ public class TitleDTO {
public static boolean delete(int id) {
String sql = "";
sql += "DELETE FROM mplt_title WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql += "DELETE FROM mplt_title WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, id)) {
if (rs != null && rs.next()) {
return true;
}
@ -126,8 +126,8 @@ public class TitleDTO {
public boolean updateTitle(String title) {
String sql = "";
sql += "UPDATE mplt_title SET title = '" + title + "' WHERE id = " + this.id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql += "UPDATE mplt_title SET title = ? WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, title, this.id)) {
if (rs != null && rs.next()) {
this.title = title;
return true;
@ -140,8 +140,8 @@ public class TitleDTO {
public boolean updateDescription(String description) {
String sql = "";
sql += "UPDATE mplt_title SET description = '" + description + "' WHERE id = " + this.id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql += "UPDATE mplt_title SET description = ? WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, description, this.id)) {
if (rs != null && rs.next()) {
this.description = description;
return true;
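Review bot: Every method in this file still assembles its statement through `String sql = ""; sql += "…"`, a leftover of the concatenation this commit removes; now that the text no longer varies per call it can be a single literal, e.g. `String sql = "UPDATE mplt_title SET title = ? WHERE id = ?;";` in updateTitle, or a `private static final String` constant that both the query and the `handleDatabaseError` call reference. The same pattern remains in PlayerInfoDTO, PlayerTitleDTO and TitleShopDTO. The bodies of create, delete, updateTitle and updateDescription continue past their hunks.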


@ -29,8 +29,8 @@ public class TitleShopDTO {
public boolean setPrice(int price) {
String sql = "";
sql += "UPDATE mplt_title_shop SET price = " + price + " WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql += "UPDATE mplt_title_shop SET price = ? WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, price, id)) {
return true;
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("设置称号商店价格失败", e, sql);
@ -44,8 +44,8 @@ public class TitleShopDTO {
public boolean setDays(int days) {
String sql = "";
sql += "UPDATE mplt_title_shop SET days = " + days + " WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql += "UPDATE mplt_title_shop SET days = ? WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, days, id)) {
return true;
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("设置称号商店天数失败", e, sql);
@ -59,8 +59,8 @@ public class TitleShopDTO {
public boolean setAmount(int amount) {
String sql = "";
sql += "UPDATE mplt_title_shop SET amount = " + amount + " WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql += "UPDATE mplt_title_shop SET amount = ? WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, amount, id)) {
return true;
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("设置称号商店数量失败", e, sql);
@ -73,20 +73,13 @@ public class TitleShopDTO {
}
public boolean setSaleEndAt(LocalDateTime dateTime) {
String sql = "";
sql += "UPDATE mplt_title_shop SET sale_end_at_y = " + dateTime.getYear() + ", sale_end_at_m = " + dateTime.getMonthValue() + ", sale_end_at_d = " + dateTime.getDayOfMonth() + " WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
return true;
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("设置称号商店销售结束时间失败", e, sql);
}
return false;
return setSaleEndAt(dateTime.getYear(), dateTime.getMonthValue(), dateTime.getDayOfMonth());
}
public boolean setSaleEndAt(int y, int m, int d) {
String sql = "";
sql += "UPDATE mplt_title_shop SET sale_end_at_y = " + y + ", sale_end_at_m = " + m + ", sale_end_at_d = " + d + " WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql += "UPDATE mplt_title_shop SET sale_end_at_y = ?, sale_end_at_m = ?, sale_end_at_d = ? WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, y, m, d, id)) {
return true;
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("设置称号商店销售结束时间失败", e, sql);
@ -97,8 +90,8 @@ public class TitleShopDTO {
public static TitleShopDTO get(Integer id) {
String sql = "";
sql += "SELECT id, title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d " +
"FROM mplt_title_shop WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
"FROM mplt_title_shop WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, id)) {
if (rs.next()) {
return getTitleShop(rs);
}
@ -145,10 +138,10 @@ public class TitleShopDTO {
public static TitleShopDTO create(TitleDTO title) {
String sql = "";
sql += "INSERT INTO mplt_title_shop (title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d) " +
"VALUES (" + title.getId() + ", 0, -1, 0, -1, -1, -1) " +
"VALUES (?, 0, -1, 0, -1, -1, -1) " +
"RETURNING " +
"id, title_id, price, days, amount, sale_end_at_y, sale_end_at_m, sale_end_at_d;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
try (ResultSet rs = MiniPlayerTitle.database.query(sql, title.getId())) {
if (rs.next()) {
return getTitleShop(rs);
}
@ -160,8 +153,8 @@ public class TitleShopDTO {
public boolean delete() {
String sql = "";
sql += "DELETE FROM mplt_title_shop WHERE id = " + id + ";";
try (ResultSet rs = MiniPlayerTitle.database.query(sql)) {
sql += "DELETE FROM mplt_title_shop WHERE id = ?;";
try (ResultSet rs = MiniPlayerTitle.database.query(sql, id)) {
return true;
} catch (Exception e) {
MiniPlayerTitle.database.handleDatabaseError("删除称号商店失败", e, sql);