Adjustments to ensure SQL injection immunity

This commit is contained in:
Josh Deck 2024-08-22 08:24:37 -04:00
parent 2c967f701f
commit b0739e019a
1 changed files with 13 additions and 10 deletions


@ -59,9 +59,9 @@ namespace TSC2.Components.CSharp
MySqlConnection conn = new MySqlConnection(_connectionString);
conn.Open();
using (var cmd = new MySqlCommand("SELECT * FROM userinformation WHERE Platform='Google' AND Token='" + MainLayout.Session["id"] + "'", conn))
using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Google' AND Token='" + MainLayout.Session["id"] + "') AS result", conn))
using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Google' AND Token=@Token) AS result", conn))
{
count_cmd.Parameters.AddWithValue("@Token", MainLayout.Session["id"]);
int count = Convert.ToInt32(count_cmd.ExecuteScalar());
if (count == 0) // User is not already in our database
@ -98,10 +98,10 @@ namespace TSC2.Components.CSharp
MySqlConnection conn = new MySqlConnection(_connectionString);
conn.Open();
using (var cmd = new MySqlCommand("SELECT * FROM userinformation WHERE Platform='Facebook' AND Token='" + MainLayout.Session["id"] + "'", conn))
using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Facebook' AND Token='" + MainLayout.Session["id"] + "') AS result", conn))
using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Facebook' AND Token=@Token) AS result", conn))
{
int count = Convert.ToInt32(count_cmd.ExecuteScalar());
count_cmd.Parameters.AddWithValue("@Token", MainLayout.Session["id"]);
int count = Convert.ToInt32(count_cmd.ExecuteScalar());
if (count == 0) // User is not already in our database
{
@ -148,8 +148,9 @@ namespace TSC2.Components.CSharp
// Set review ID to a combination of the user's unique id and the shop's
var reviewID = MainLayout.Session["id"] + "~~" + shopID;
using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM reviews WHERE ReviewID='" + reviewID + "') AS result", conn))
using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM reviews WHERE ReviewID=@reviewID) AS result", conn))
{
count_cmd.Parameters.AddWithValue("@reviewID", reviewID);
int count = Convert.ToInt32(count_cmd.ExecuteScalar());
if (count == 0)
{
@ -172,7 +173,7 @@ namespace TSC2.Components.CSharp
}
catch (Exception ex)
{
await Console.Out.WriteLineAsync(ex.Message);
await Console.Out.WriteLineAsync("An exception occured when adding review.");
}
}
else
@ -189,8 +190,9 @@ namespace TSC2.Components.CSharp
MySqlConnection conn = new MySqlConnection(_connectionString);
conn.Open();
var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE '%~~" + shopID + "'", conn);
MySqlDataReader reader = cmd.ExecuteReader();
var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE CONCAT('%~~', @shopID, '%');", conn);
cmd.Parameters.AddWithValue("@shopID", shopID);
MySqlDataReader reader = cmd.ExecuteReader();
List<string> reviews = new();
while (reader.Read())
@ -208,7 +210,8 @@ namespace TSC2.Components.CSharp
MySqlConnection conn = new MySqlConnection(_connectionString);
conn.Open();
var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE '%~~" + shopID + "'", conn);
var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE CONCAT('%~~', @shopID, '%');", conn);
cmd.Parameters.AddWithValue("@shopID", shopID);
MySqlDataReader reader = cmd.ExecuteReader();
List<int> scores = new();
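Review bot: The `cmd` query in the Google and Facebook branches (the line directly above each rewritten `count_cmd`) still concatenates `MainLayout.Session["id"]` into the SQL string, so the commit parameterizes the count query while leaving the query that actually reads the row injectable through the same value. Rewrite it the same way: `using (var cmd = new MySqlCommand("SELECT * FROM userinformation WHERE Platform='Google' AND Token=@Token", conn))` and, inside the block, `cmd.Parameters.AddWithValue("@Token", MainLayout.Session["id"]);` (likewise for `Platform='Facebook'`). In the two `reviews` hunks, `CONCAT('%~~', @shopID, '%')` introduces a trailing `%` the original pattern did not have, so a shop id now also matches any ReviewID whose suffix merely begins with it (constructed example: `12` matching `...~~123`); `CONCAT('%~~', @shopID)` keeps the exact-suffix match, and `%`/`_` characters inside `shopID` would still act as LIKE wildcards unless escaped. Those same hunks also leave `cmd` and `reader` outside any `using`, unlike the `count_cmd` blocks above. Each hunk sits inside a method whose start and end are outside the shown lines.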