From b0739e019a55310f97fae60868d705ddc4146bd9 Mon Sep 17 00:00:00 2001
From: Josh Deck
Date: Thu, 22 Aug 2024 08:24:37 -0400
Subject: [PATCH] Adjustments to ensure SQL injection immunity
---
 TSC2/Components/CSharp/DatabaseManager.cs | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/TSC2/Components/CSharp/DatabaseManager.cs b/TSC2/Components/CSharp/DatabaseManager.cs
index 853c6bd..7282e7b 100644
--- a/TSC2/Components/CSharp/DatabaseManager.cs
+++ b/TSC2/Components/CSharp/DatabaseManager.cs
@@ -59,9 +59,9 @@ namespace TSC2.Components.CSharp
 MySqlConnection conn = new MySqlConnection(_connectionString);
 conn.Open();
- using (var cmd = new MySqlCommand("SELECT * FROM userinformation WHERE Platform='Google' AND Token='" + MainLayout.Session["id"] + "'", conn))
- using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Google' AND Token='" + MainLayout.Session["id"] + "') AS result", conn))
+ using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Google' AND Token=@Token) AS result", conn))
 {
+ count_cmd.Parameters.AddWithValue("@Token", MainLayout.Session["id"]);
 int count = Convert.ToInt32(count_cmd.ExecuteScalar());
 if (count == 0) // User is not already in our database
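Review bot: The token is now bound with `count_cmd.Parameters.AddWithValue("@Token", MainLayout.Session["id"])`, but nothing checks that the session value is present; if it is null the parameter is presumably sent as SQL NULL, `Token=@Token` never matches, and the "not already in our database" branch runs for an unauthenticated caller. Guard before opening the connection, e.g. `if (MainLayout.Session["id"] is not string token || string.IsNullOrEmpty(token)) return;` and bind `token` instead. The same applies to the Facebook hunk at -98. Separately, `MySqlConnection conn` on the context line is never disposed; `using var conn = new MySqlConnection(_connectionString);` would close it on every exit path, including the exception paths this method appears to have outside the hunk.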
@@ -98,10 +98,10 @@ namespace TSC2.Components.CSharp
 MySqlConnection conn = new MySqlConnection(_connectionString);
 conn.Open();
- using (var cmd = new MySqlCommand("SELECT * FROM userinformation WHERE Platform='Facebook' AND Token='" + MainLayout.Session["id"] + "'", conn))
- using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Facebook' AND Token='" + MainLayout.Session["id"] + "') AS result", conn))
+ using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Facebook' AND Token=@Token) AS result", conn))
 {
- int count = Convert.ToInt32(count_cmd.ExecuteScalar());
+ count_cmd.Parameters.AddWithValue("@Token", MainLayout.Session["id"]);
+ int count = Convert.ToInt32(count_cmd.ExecuteScalar());
 if (count == 0) // User is not already in our database
 {
@@ -148,8 +148,9 @@ namespace TSC2.Components.CSharp
 // Set review ID to a combination of the user's unique id and the shop's
 var reviewID = MainLayout.Session["id"] + "~~" + shopID;
- using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM reviews WHERE ReviewID='" + reviewID + "') AS result", conn))
+ using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM reviews WHERE ReviewID=@reviewID) AS result", conn))
 {
+ count_cmd.Parameters.AddWithValue("@reviewID", reviewID);
 int count = Convert.ToInt32(count_cmd.ExecuteScalar());
 if (count == 0)
 {
@@ -172,7 +173,7 @@ namespace TSC2.Components.CSharp
 }
 catch (Exception ex)
 {
- await Console.Out.WriteLineAsync(ex.Message);
+ await Console.Out.WriteLineAsync("An exception occured when adding review.");
 }
 }
 else
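Review bot: The review key is still built by string concatenation, `var reviewID = MainLayout.Session["id"] + "~~" + shopID;`, and the lookups at -189 and -208 recover the shop by pattern-matching on that `~~` separator; if either the session id or `shopID` can itself contain `~~`, two different (user, shop) pairs can collide or one user's review can surface under another shop. Parameterising `@reviewID` stops injection but not this ambiguity. Storing the user token and shop id in their own columns with a composite unique key would make the existence check here a plain equality and remove the need for LIKE in the shop queries; the enclosing method continues outside the hunk.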
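Review bot: The catch at -172 now discards every detail of the failure, including the exception type, so a failed insert or parameter binding leaves nothing to diagnose; the output goes to the server console, which the hunk does not show being surfaced to users, so hiding the message gains nothing here. Keep at least the type, e.g. `await Console.Out.WriteLineAsync($"An exception occurred when adding review: {ex.GetType().Name}");`, which also fixes the "occured" typo. The broad `catch (Exception ex)` then silently returns, so the caller cannot tell the review was not stored; consider rethrowing or returning a result the caller can check.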
@@ -189,8 +190,9 @@ namespace TSC2.Components.CSharp
 MySqlConnection conn = new MySqlConnection(_connectionString);
 conn.Open();
- var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE '%~~" + shopID + "'", conn);
- MySqlDataReader reader = cmd.ExecuteReader();
+ var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE CONCAT('%~~', @shopID, '%');", conn);
+ cmd.Parameters.AddWithValue("@shopID", shopID);
+ MySqlDataReader reader = cmd.ExecuteReader();
 List reviews = new();
 while (reader.Read())
@@ -208,7 +210,8 @@ namespace TSC2.Components.CSharp
 MySqlConnection conn = new MySqlConnection(_connectionString);
 conn.Open();
- var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE '%~~" + shopID + "'", conn);
+ var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE CONCAT('%~~', @shopID, '%');", conn);
+ cmd.Parameters.AddWithValue("@shopID", shopID);
 MySqlDataReader reader = cmd.ExecuteReader();
 List scores = new();
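Review bot: The new pattern `LIKE CONCAT('%~~', @shopID, '%')` adds a trailing `%` that the removed query did not have, so `shopID` now matches as a substring rather than as the key's suffix and a shop "12" would return reviews for shop "123"; the same change is in the -208 hunk. Binding the parameter stops SQL injection but `%` and `_` inside `shopID` still act as LIKE wildcards, so either escape them before binding or avoid LIKE altogether, e.g. `SELECT * FROM reviews WHERE SUBSTRING_INDEX(ReviewID, '~~', -1) = @shopID`, which compares the suffix exactly. `cmd` and `reader` on the new lines, like `conn` on the context line, are not disposed; `using var` on each would release them when the method returns, which happens outside the hunk.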