Adjustments to ensure SQL injection immunity

TSC2/Components/CSharp/DatabaseManager.cs

@@ -59,9 +59,9 @@ namespace TSC2.Components.CSharp
             MySqlConnection conn = new MySqlConnection(_connectionString);
             conn.Open();
 
-            using (var cmd = new MySqlCommand("SELECT * FROM userinformation WHERE Platform='Google' AND Token='" + MainLayout.Session["id"] + "'", conn))
+            using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Google' AND Token=@Token) AS result", conn))
-            using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Google' AND Token='" + MainLayout.Session["id"] + "') AS result", conn))
             {
+                count_cmd.Parameters.AddWithValue("@Token", MainLayout.Session["id"]);
                 int count = Convert.ToInt32(count_cmd.ExecuteScalar());
 
                 if (count == 0) // User is not already in our database
@@ -98,10 +98,10 @@ namespace TSC2.Components.CSharp
             MySqlConnection conn = new MySqlConnection(_connectionString);
             conn.Open();
 
-            using (var cmd = new MySqlCommand("SELECT * FROM userinformation WHERE Platform='Facebook' AND Token='" + MainLayout.Session["id"] + "'", conn))
+            using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Facebook' AND Token=@Token) AS result", conn))
-            using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM userinformation WHERE Platform='Facebook' AND Token='" + MainLayout.Session["id"] + "') AS result", conn))
             {
-                int count = Convert.ToInt32(count_cmd.ExecuteScalar());
+				count_cmd.Parameters.AddWithValue("@Token", MainLayout.Session["id"]);
+				int count = Convert.ToInt32(count_cmd.ExecuteScalar());
 
                 if (count == 0) // User is not already in our database
                 {
@@ -148,8 +148,9 @@ namespace TSC2.Components.CSharp
 			// Set review ID to a combination of the user's unique id and the shop's
 			var reviewID = MainLayout.Session["id"] + "~~" + shopID;
 
-			using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM reviews WHERE ReviewID='" + reviewID + "') AS result", conn))
+			using (var count_cmd = new MySqlCommand("SELECT COUNT(*) FROM (SELECT * FROM reviews WHERE ReviewID=@reviewID) AS result", conn))
             {
+                count_cmd.Parameters.AddWithValue("@reviewID", reviewID);
 				int count = Convert.ToInt32(count_cmd.ExecuteScalar());
                 if (count == 0)
                 {
@@ -172,7 +173,7 @@ namespace TSC2.Components.CSharp
 					}
 					catch (Exception ex)
 					{
-						await Console.Out.WriteLineAsync(ex.Message);
+						await Console.Out.WriteLineAsync("An exception occured when adding review.");
 					}
 				}
                 else
@@ -189,8 +190,9 @@ namespace TSC2.Components.CSharp
 			MySqlConnection conn = new MySqlConnection(_connectionString);
 			conn.Open();
 
-            var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE '%~~" + shopID + "'", conn);
+			var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE CONCAT('%~~', @shopID, '%');", conn);
-            MySqlDataReader reader = cmd.ExecuteReader();
+			cmd.Parameters.AddWithValue("@shopID", shopID);
+			MySqlDataReader reader = cmd.ExecuteReader();
 
             List<string> reviews = new();
             while (reader.Read())
@@ -208,7 +210,8 @@ namespace TSC2.Components.CSharp
 			MySqlConnection conn = new MySqlConnection(_connectionString);
 			conn.Open();
 
-			var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE '%~~" + shopID + "'", conn);
+			var cmd = new MySqlCommand("SELECT * FROM reviews WHERE ReviewID LIKE CONCAT('%~~', @shopID, '%');", conn);
+            cmd.Parameters.AddWithValue("@shopID", shopID);
 			MySqlDataReader reader = cmd.ExecuteReader();
 
             List<int> scores = new();