

Merge pull request #391 from Controllerdestiny/main
修复: Economics.WeaponPlus 数据库可能存在注入的问题
Controllerdestiny authored Aug 17, 2024
2 parents f53b499 + 2557c00 commit ff05e97
Showing 1 changed file with 8 additions and 10 deletions.
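--- a/Economics.WeaponPlus/WeaponPlusDB.cs
+++ b/Economics.WeaponPlus/WeaponPlusDB.cs
@@ -29,10 +29,9 @@ public WeaponPlusDB(IDbConnection database)
 public WItem[] ReadDBGetWItemsFromOwner(string owner, int ID = 0)
 {
 List<WItem> list = new List<WItem>();
-string text = ID == 0 ? "'" : "' And itemID = " + ID;
 try
 {
-using (QueryResult queryResult = database.QueryReader("SELECT * FROM " + tableName + " WHERE owner = '" + owner + text))
+using (QueryResult queryResult = database.QueryReader("SELECT * FROM @0 WHERE `@1` And itemID = `@2`", tableName, owner, ID == 0 ? "" : ID))
 {
 while (queryResult.Read())
 {
@@ -79,11 +78,11 @@ public bool WriteDB(WItem[] WItem)
 {
 if (ReadDBGetWItemsFromOwner(wItem.owner, wItem.id).Length == 0)
 {
-database.Query("INSERT INTO " + tableName + " (owner, itemName, itemID, lable, level, damage_level, scale_level, knockBack_level, useSpeed_level, shootSpeed_level, allCost) VALUES (@0, @1, @2, @3, @4, @5, @6, @7, @8, @9, @10);", wItem.owner, Lang.GetItemNameValue(wItem.id), wItem.id, wItem.lable, wItem.Level, wItem.damage_level, wItem.scale_level, wItem.knockBack_level, wItem.useSpeed_level, wItem.shootSpeed_level, wItem.allCost);
+database.Query("INSERT INTO @11 (owner, itemName, itemID, lable, level, damage_level, scale_level, knockBack_level, useSpeed_level, shootSpeed_level, allCost) VALUES (@0, @1, @2, @3, @4, @5, @6, @7, @8, @9, @10);", wItem.owner, Lang.GetItemNameValue(wItem.id), wItem.id, wItem.lable, wItem.Level, wItem.damage_level, wItem.scale_level, wItem.knockBack_level, wItem.useSpeed_level, wItem.shootSpeed_level, wItem.allCost, tableName);
 }
 else
 {
-database.Query("UPDATE " + tableName + " SET lable = @0, level = @1, damage_level = @4, scale_level = @5, knockBack_level = @6, useSpeed_level = @7, shootSpeed_level = @8, allCost = @9 WHERE owner = @2 And itemID = @3;", wItem.lable, wItem.Level, wItem.owner, wItem.id, wItem.damage_level, wItem.scale_level, wItem.knockBack_level, wItem.useSpeed_level, wItem.shootSpeed_level, wItem.allCost);
+database.Query("UPDATE @10 SET lable = @0, level = @1, damage_level = @4, scale_level = @5, knockBack_level = @6, useSpeed_level = @7, shootSpeed_level = @8, allCost = @9 WHERE owner = @2 And itemID = @3;", wItem.lable, wItem.Level, wItem.owner, wItem.id, wItem.damage_level, wItem.scale_level, wItem.knockBack_level, wItem.useSpeed_level, wItem.shootSpeed_level, wItem.allCost, tableName);
 }
 }
 catch (Exception ex)
@@ -107,10 +106,10 @@ public bool WriteDB(WItem? WItem)
 {
 if (ReadDBGetWItemsFromOwner(WItem.owner, WItem.id).Length == 0)
 {
-database.Query("INSERT INTO " + tableName + " (owner, itemName, itemID, lable, level, damage_level, scale_level, knockBack_level, useSpeed_level, shootSpeed_level, allCost) VALUES (@0, @1, @2, @3, @4, @5, @6, @7, @8, @9, @10);", WItem.owner, Lang.GetItemNameValue(WItem.id), WItem.id, WItem.lable, WItem.Level, WItem.damage_level, WItem.scale_level, WItem.knockBack_level, WItem.useSpeed_level, WItem.shootSpeed_level, WItem.allCost);
+database.Query("INSERT INTO @11 (owner, itemName, itemID, lable, level, damage_level, scale_level, knockBack_level, useSpeed_level, shootSpeed_level, allCost) VALUES (@0, @1, @2, @3, @4, @5, @6, @7, @8, @9, @10);", WItem.owner, Lang.GetItemNameValue(WItem.id), WItem.id, WItem.lable, WItem.Level, WItem.damage_level, WItem.scale_level, WItem.knockBack_level, WItem.useSpeed_level, WItem.shootSpeed_level, WItem.allCost, tableName);
 return true;
 }
-database.Query("UPDATE " + tableName + " SET lable = @0, level = @1, damage_level = @4, scale_level = @5, knockBack_level = @6, useSpeed_level = @7, shootSpeed_level = @8, allCost = @9 WHERE owner = @2 And itemID = @3;", WItem.lable, WItem.Level, WItem.owner, WItem.id, WItem.damage_level, WItem.scale_level, WItem.knockBack_level, WItem.useSpeed_level, WItem.shootSpeed_level, WItem.allCost);
+database.Query("UPDATE @10 SET lable = @0, level = @1, damage_level = @4, scale_level = @5, knockBack_level = @6, useSpeed_level = @7, shootSpeed_level = @8, allCost = @9 WHERE owner = @2 And itemID = @3;", WItem.lable, WItem.Level, WItem.owner, WItem.id, WItem.damage_level, WItem.scale_level, WItem.knockBack_level, WItem.useSpeed_level, WItem.shootSpeed_level, WItem.allCost, tableName);
 return true;
 }
 catch (Exception ex)
@@ -128,8 +127,7 @@ public bool DeleteDB(string owner, int ID = 0)
 {
 try
 {
-string text = ID == 0 ? "'" : "' And itemID = " + ID;
-database.Query("DELETE FROM " + tableName + " WHERE owner = '" + owner + text);
+database.Query("DELETE FROM @0 WHERE owner = `@1` And itemID = `@2`", tableName, owner, ID == 0 ? "" : ID);
 return true;
 }
 catch (Exception ex)
@@ -147,8 +145,8 @@ public bool DeleteDBAll()
 {
 try
 {
-database.Query("DROP TABLE " + tableName);
-global::Economics.WeaponPlus.WeaponPlus.DB = new WeaponPlusDB(TShock.DB);
+database.Query("DROP TABLE @0", tableName);
+WeaponPlus.DB = new WeaponPlusDB(TShock.DB);
 return true;
 }
 catch (Exception ex)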
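Review bot: The new `QueryReader` line in `ReadDBGetWItemsFromOwner` binds the table name as a parameter and wraps the value placeholders in identifier quotes, so the statement is broken rather than fixed: a bound parameter cannot stand in for an identifier in `FROM @0` (the same applies to `INSERT INTO @11`, `UPDATE @10` and `DROP TABLE @0` in the later hunks), `` `@1` `` and `` `@2` `` are backtick-quoted identifiers rather than placeholders, and the `owner =` comparison has disappeared from the WHERE clause altogether. `ID == 0 ? "" : ID` also changes behaviour: the removed line dropped the `itemID` filter when `ID` is 0, whereas the new query compares `itemID` with an empty string, which matches nothing. `tableName` is presumably a fixed field rather than caller input, so it can stay interpolated as before and only `owner` and `ID` need binding, e.g. `string sql = "SELECT * FROM " + tableName + " WHERE owner = @0" + (ID == 0 ? "" : " And itemID = @1");` followed by `using (QueryResult queryResult = database.QueryReader(sql, owner, ID))`, with the same shape in `DeleteDB`. The body of `ReadDBGetWItemsFromOwner` continues past the end of the hunk.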

