diff --git a/Blocks/Behaviour/WalkthroughBehaviour.cs b/Blocks/Behaviour/WalkthroughBehaviour.cs
index 7306b260f..53ae5c7cc 100644
--- a/Blocks/Behaviour/WalkthroughBehaviour.cs
+++ b/Blocks/Behaviour/WalkthroughBehaviour.cs
@@ -38,8 +38,8 @@ namespace MCGalaxy.BlockBehaviour {
 p.RevertBlock(x, y, z);
 try {
 //safe against SQL injections because no user input is given here
- DataTable Portals = Database.fillData("SELECT * FROM `Portals" + p.level.name +
- "` WHERE EntryX=" + x + " AND EntryY=" + y + " AND EntryZ=" + z);
+ DataTable Portals = Database.Fill("SELECT * FROM `Portals" + p.level.name +
+ "` WHERE EntryX=@0 AND EntryY=@1 AND EntryZ=@2", x, y, z);
 int last = Portals.Rows.Count - 1;
 if (last == -1) { Portals.Dispose(); return true; }
 byte rotX = p.rot[0], rotY = p.rot[1];
@@ -75,8 +75,8 @@ namespace MCGalaxy.BlockBehaviour {
 p.RevertBlock(x, y, z);
 try {
 //safe against SQL injections because no user input is given here
- DataTable Messages = Database.fillData("SELECT * FROM `Messages" + p.level.name +
- "` WHERE X=" + x + " AND Y=" + y + " AND Z=" + z);
+ DataTable Messages = Database.Fill("SELECT * FROM `Messages" + p.level.name +
+ "` WHERE X=@0 AND Y=@1 AND Z=@2", x, y, z);
 int last = Messages.Rows.Count - 1;
 if (last == -1) { Messages.Dispose(); return true; }
 string message = Messages.Rows[last]["Message"].ToString().Trim();
diff --git a/Commands/Chat/CmdInbox.cs b/Commands/Chat/CmdInbox.cs
index 16e90c92c..a225ca926 100644
--- a/Commands/Chat/CmdInbox.cs
+++ b/Commands/Chat/CmdInbox.cs
@@ -37,7 +37,7 @@ namespace MCGalaxy.Commands {
 if (message == "") {
 //safe against SQL injections because no user input is given here
- using (DataTable Inbox = Database.fillData("SELECT * FROM `Inbox" + p.name + "` ORDER BY TimeSent")) {
+ using (DataTable Inbox = Database.Fill("SELECT * FROM `Inbox" + p.name + "` ORDER BY TimeSent")) {
 if (Inbox.Rows.Count == 0) { Player.Message(p, "No messages found."); return; }
 int i = 0;
 foreach (DataRow row in Inbox.Rows) {
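Review bot: The comment `//safe against SQL injections because no user input is given here` above the new `Database.Fill` call no longer says why the statement is safe: the coordinates are now bound as `@0`–`@2`, and the only string-built fragment left is `p.level.name` spliced into the table identifier, which cannot be parameterised. I would reword it to state the real invariant, e.g. `// coordinates are bound parameters; the table name embeds p.level.name, so this relies on level names being restricted to safe characters when a level is created`. Whether level names are validated that way is not visible in this hunk, so treat it as a claim to confirm rather than a fact. The enclosing try block continues past the end of the hunk.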
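Review bot: On the new `Database.Fill` line in CmdInbox the table identifier is built from `p.name`, which — unlike the coordinates elsewhere in this commit — cannot be turned into a bound parameter, so the statement's safety rests entirely on whatever character restrictions are applied to player names before a `Player` exists, and those are outside this hunk. The comment `//safe against SQL injections because no user input is given here` is therefore inaccurate as written (the name presumably originates from the client's login), and I would replace it with `// p.name goes into the table identifier, not a parameter; relies on name validation at login`. A cheap belt-and-braces guard before the `using` would be `if (p.name.Contains("`")) return;`, since a backtick is the only character that can close the quoted identifier. The enclosing method starts above the hunk.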
@@ -85,7 +85,7 @@ namespace MCGalaxy.Commands {
 if (num < 0) { Player.Message(p, "Message number must be greater than or equal to 0."); return; }
 //safe against SQL injections because no user input is given here
- using (DataTable Inbox = Database.fillData("SELECT * FROM `Inbox" + p.name + "` ORDER BY TimeSent")) {
+ using (DataTable Inbox = Database.Fill("SELECT * FROM `Inbox" + p.name + "` ORDER BY TimeSent")) {
 if (num >= Inbox.Rows.Count) { Player.Message(p, "Message number \"" + num + "\" does not exist."); Inbox.Dispose(); return; }
diff --git a/Commands/Information/CmdAbout.cs b/Commands/Information/CmdAbout.cs
index c64fcd4a0..98596370c 100644
--- a/Commands/Information/CmdAbout.cs
+++ b/Commands/Information/CmdAbout.cs
@@ -50,7 +50,8 @@ namespace MCGalaxy.Commands {
 bool foundOne = false;
 //safe against SQL injections because no user input is given here
- DataTable Blocks = Database.fillData("SELECT * FROM `Block" + p.level.name + "` WHERE X=" + (int)x + " AND Y=" + (int)y + " AND Z=" + (int)z);
+ DataTable Blocks = Database.Fill("SELECT * FROM `Block" + p.level.name +
+ "` WHERE X=@0 AND Y=@1 AND Z=@2", x, y, z);
 for (int i = 0; i < Blocks.Rows.Count; i++) {
 foundOne = true;
 DataRow row = Blocks.Rows[i];
diff --git a/Commands/building/CmdMessageBlock.cs b/Commands/building/CmdMessageBlock.cs
index 52fe00a79..dc0d17c22 100644
--- a/Commands/building/CmdMessageBlock.cs
+++ b/Commands/building/CmdMessageBlock.cs
@@ -106,16 +106,13 @@ namespace MCGalaxy.Commands.Building {
 cpos.message = cpos.message.Replace("'", "\\'");
 cpos.message = Colors.EscapeColors(cpos.message);
 //safe against SQL injections because no user input is given here
- ParameterisedQuery query = ParameterisedQuery.Create();
- DataTable Messages = Database.fillData(query, "SELECT * FROM `Messages" + p.level.name + "` WHERE X=" + x + " AND Y=" + y + " AND Z=" + z);
-
- query.AddParam("@Message", cpos.message);
- if (Messages.Rows.Count == 0)
- Database.executeQuery(query, "INSERT INTO `Messages" + p.level.name + "` (X, Y, Z, Message) VALUES (" + x + ", " + y + ", " + z + ", @Message)");
- else
- Database.executeQuery(query, "UPDATE `Messages" + p.level.name + "` SET Message=@Message WHERE X=" + x + " AND Y=" + y + " AND Z=" + z);
-
+ DataTable Messages = Database.Fill("SELECT * FROM `Messages" + p.level.name + "` WHERE X=@0 AND Y=@1 AND Z=@2", x, y, z);
 Messages.Dispose();
+
+ string syntax = Messages.Rows.Count == 0 ?
+ "INSERT INTO `Messages" + p.level.name + "` (X, Y, Z, Message) VALUES (@0, @1, @2, @3)"
+ : "UPDATE `Messages" + p.level.name + "` SET X=@0, Y=@1, Z=@2, Message=@3";
+ Database.Execute(syntax, x, y, z, cpos.message);
 }
 struct CatchPos { public string message; public byte type; }
diff --git a/Commands/building/CmdPortal.cs b/Commands/building/CmdPortal.cs
index 67285e934..41b3b4fd2 100644
--- a/Commands/building/CmdPortal.cs
+++ b/Commands/building/CmdPortal.cs
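Review bot: The new UPDATE branch has no WHERE clause — `"UPDATE `Messages" + p.level.name + "` SET X=@0, Y=@1, Z=@2, Message=@3"` rewrites every row of the level's Messages table to the coordinates and text of the block being placed, whereas the removed statement only touched the row at X/Y/Z; the line should read `: "UPDATE `Messages" + p.level.name + "` SET Message=@3 WHERE X=@0 AND Y=@1 AND Z=@2";` so the SELECT above and the UPDATE address the same row. Now that the message is bound as `@3`, the context line `cpos.message = cpos.message.Replace("'", "\\'");` stores a literal backslash before every apostrophe, because quoting is the driver's job; that manual escaping should go. `Messages.Dispose()` also runs before `Messages.Rows.Count` is read on the new `string syntax = ...` line, which only works because DataTable's Dispose happens not to clear Rows — read the count into a local before disposing, or keep the table in a `using`. The method's signature is above the hunk; its closing `}` is inside it.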
@@ -91,17 +91,14 @@ namespace MCGalaxy.Commands.Building {
 foreach (PortalPos pos in bp.entries) {
 //safe against SQL injections because no user input is given here
- DataTable Portals = Database.fillData("SELECT * FROM `Portals" + pos.mapName + "` WHERE EntryX=" + (int)pos.x + " AND EntryY=" + (int)pos.y + " AND EntryZ=" + (int)pos.z);
+ DataTable Portals = Database.Fill("SELECT * FROM `Portals" + pos.mapName +
+ "` WHERE EntryX=@0 AND EntryY=@1 AND EntryZ=@2", pos.x, pos.y, pos.z);
 Portals.Dispose();
-
- if (Portals.Rows.Count == 0) {//safe against SQL injections because no user input is given here
- Database.executeQuery("INSERT INTO `Portals" + pos.mapName + "` (EntryX, EntryY, EntryZ, ExitMap, ExitX, ExitY, ExitZ) VALUES ("
- + (int)pos.x + ", " + (int)pos.y + ", " + (int)pos.z + ", '" + p.level.name + "', " + (int)x + ", " + (int)y + ", " + (int)z + ")");
- } else {//safe against SQL injections because no user input is given here
- Database.executeQuery("UPDATE `Portals" + pos.mapName + "` SET ExitMap='" + p.level.name + "', ExitX=" + (int)x + ", ExitY=" + (int)y + ", ExitZ=" +
- (int)z + " WHERE EntryX=" + (int)pos.x + " AND EntryY=" + (int)pos.y + " AND EntryZ=" + (int)pos.z);
- }
- //DB
-
+
+ string syntax = Portals.Rows.Count == 0 ?
+ "INSERT INTO `Portals" + pos.mapName + "` (EntryX, EntryY, EntryZ, ExitX, ExitY, ExitZ, ExitMap) VALUES (@0, @1, @2, @3, @4, @5, @6)"
+ : "UPDATE `Portals" + pos.mapName + "` SET ExitMap=@6, ExitX=@3, ExitY=@4, ExitZ=@5 WHERE EntryX=@0 AND EntryY=@1 AND EntryZ=@2";
+ Database.Execute(syntax, pos.x, pos.y, pos.z, x, y, z, p.level.name);
 if (pos.mapName == p.level.name) p.SendBlockchange(pos.x, pos.y, pos.z, bp.type);
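Review bot: The new `string syntax = Portals.Rows.Count == 0 ? ...` line reads the row count of a table that the preceding context line `Portals.Dispose();` has already disposed; it happens to work because DataTable's Dispose does not clear Rows, but that is an implementation detail rather than a contract. The existence check is the only thing the table is used for, so capture it before disposal and let `using` do the cleanup, which also removes the bare `Dispose()` call. Separately, the `(int)` casts on `pos.x`/`pos.y`/`pos.z` and `x`/`y`/`z` are gone, so whatever CLR type those fields have is now handed straight to the parameter binder — if they are unsigned or byte-sized, confirm both the MySQL and SQLite paths map them as expected, since that is not visible here. The foreach body continues past the end of the hunk.
```csharp
bool exists;
using (DataTable Portals = Database.Fill("SELECT * FROM `Portals" + pos.mapName +
                                         "` WHERE EntryX=@0 AND EntryY=@1 AND EntryZ=@2", pos.x, pos.y, pos.z)) {
    exists = Portals.Rows.Count > 0;
}

string syntax = !exists ?
// … unchanged: INSERT / UPDATE text and Database.Execute call …
```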
@@ -120,7 +117,7 @@ namespace MCGalaxy.Commands.Building {
 void ShowPortals(Player p) {
 p.showPortals = !p.showPortals;
 //safe against SQL injections because no user input is given here
- DataTable Portals = Database.fillData("SELECT * FROM `Portals" + p.level.name + "`");
+ DataTable Portals = Database.Fill("SELECT * FROM `Portals" + p.level.name + "`");
 if (p.showPortals) {
 foreach (DataRow row in Portals.Rows) {
diff --git a/Database/Database.cs b/Database/Database.cs
index 5dea092ce..3b6d94f02 100644
--- a/Database/Database.cs
+++ b/Database/Database.cs
@@ -56,13 +56,13 @@ namespace MCGalaxy.SQL {
 }
 [Obsolete("Use Fill() method instead.")]
- public static DataTable fillData(string queryString) {
+ public static DataTable fillData(string queryString, bool skipError = false) {
 ParameterisedQuery query = Server.useMySQL ? MySQL.query : SQLite.query;
 return Fill(query, queryString, null);
 }
 [Obsolete("Use Fill() method instead.")]
- public static DataTable fillData(ParameterisedQuery query, string queryString) {
+ public static DataTable fillData(ParameterisedQuery query, string queryString, bool skipError = false) {
 return Fill(query, queryString, null);
 }
diff --git a/Economy/Economy.cs b/Economy/Economy.cs
index 8d7651c50..16effdefb 100644
--- a/Economy/Economy.cs
+++ b/Economy/Economy.cs
@@ -113,11 +113,9 @@ namespace MCGalaxy {
 }
 public static EcoStats RetrieveEcoStats(string playername) {
- EcoStats es;
+ EcoStats es = default(EcoStats);
 es.playerName = playername;
- ParameterisedQuery query = ParameterisedQuery.Create();
- query.AddParam("@Name", playername);
- using (DataTable eco = Database.fillData(query, "SELECT * FROM Economy WHERE player=@Name")) {
+ using (DataTable eco = Database.Fill("SELECT * FROM Economy WHERE player=@0", playername)) {
 if (eco.Rows.Count >= 1) {
 es.money = int.Parse(eco.Rows[0]["money"].ToString());
 es.totalSpent = int.Parse(eco.Rows[0]["total"].ToString());
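Review bot: The `skipError` parameter added to both `fillData` overloads in Database.cs is accepted and then ignored — each body still calls `Fill(query, queryString, null)` exactly as before — so a caller that passes `skipError: true` expecting errors to be suppressed gets the old throwing behaviour with no warning. The `Fill` overloads are outside this hunk, so I cannot tell whether one takes such a flag; if it does, forward it (`return Fill(query, queryString, null, skipError);`), and if it does not, the parameter should not be added to methods already marked `[Obsolete]`, because it advertises a capability the shim does not have. Either way a one-line comment on the parameter stating what it does (or that it is accepted only for source compatibility) would stop the next reader from assuming it works.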
@@ -126,8 +124,6 @@ namespace MCGalaxy {
 es.salary = eco.Rows[0]["salary"].ToString();
 es.fine = eco.Rows[0]["fine"].ToString();
 } else {
- es.money = 0;
- es.totalSpent = 0;
 es.purchase = "%cNone";
 es.payment = "%cNone";
 es.salary = "%cNone";
diff --git a/Levels/LevelDB.cs b/Levels/LevelDB.cs
index 6bd02901d..97d0d2943 100644
--- a/Levels/LevelDB.cs
+++ b/Levels/LevelDB.cs
@@ -158,8 +158,8 @@ namespace MCGalaxy {
 }
 public static void CreateZone(string level, Level.Zone zn) {
- Database.Execute("INSERT INTO `Zone" + level + "` (Owner, SmallX, SmallY, SmallZ, " +
- "BigX, BigY, BigZ, Owner) VALUES (@0, @1, @2, @3, @4, @5, @6)",
+ Database.Execute("INSERT INTO `Zone" + level + "` (Owner, SmallX, SmallY, " +
+ "SmallZ, BigX, BigY, BigZ) VALUES (@0, @1, @2, @3, @4, @5, @6)",
 zn.Owner, zn.smallX, zn.smallY, zn.smallZ, zn.bigX, zn.bigY, zn.bigZ);
 }