[Solved] Problems running SQL queries

Discussion in 'BungeeCord Plugin Development' started by Remy2402, Apr 2, 2016.

  1. Heyo! So I am currently running this plugin that logs every command that is run along with the user, the time, and the ip. But it seems when I use a ' character in the command, it spits out a huge error. I have tried using the other fancy symbol as well with no luck. Here is a screenshot of my query code.


  2. Hey, SQL Injection, how are you doing there?
    Aka, use PreparedStatements
  3. I am using PreparedStatements lmao
  4. m8
    You're not doing it properly
    The way you did it now is
    blaBla.prepareStatement(<SQL CODE HERE>).executeUpdate();

    That's just as vulnerable as a plain blaBla.executeUpdate(<SQL CODE HERE>);

    You need to:
    // the SQL text is fixed; the values go in through the ? placeholders, never into the string
    PreparedStatement preparedStatement = blaBla.prepareStatement("INSERT INTO commandlogs VALUES(?, ?, ?, ?)");
    preparedStatement.setString(1, puuid);
    preparedStatement.setString(2, command);
    preparedStatement.setLong(3, currentTime);
    preparedStatement.setString(4, ip);
    preparedStatement.executeUpdate();
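The difference the reply above describes, written out as a runnable Java example. This is added here and is not code from the thread or from the poster's plugin; the class and method names (CommandLogDemo, logUnsafe, logSafe), the in-memory SQLite database via the sqlite-jdbc driver (assumed to be on the classpath; any JDBC driver and URL would do) and the two sample commands are all constructed for the demonstration. The first sample command just contains an apostrophe, which is the symptom in the original post; the second closes the string literal, supplies its own time and ip values and comments out the rest, which shows why an audit log built by concatenation cannot be trusted even when it does not crash.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CommandLogDemo {

    // Constructed sample input: an apostrophe in the command text.
    static final String APOSTROPHE_CMD = "/msg Remy it's broken";

    // Constructed sample input: ends the 'command' literal early, forges the
    // time and ip columns, and comments out whatever the plugin appends after it.
    static final String FORGING_CMD = "/help', 0, '203.0.113.9') -- ";

    // VULNERABLE: prepareStatement() is called on a string that already contains
    // the user data, so that data is parsed as SQL. An apostrophe breaks the
    // statement; crafted input rewrites it.
    static void logUnsafe(Connection conn, String uuid, String command, long time, String ip)
            throws SQLException {
        String sql = "INSERT INTO commandlogs VALUES('" + uuid + "', '" + command + "', "
                + time + ", '" + ip + "')";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.executeUpdate();
        }
    }

    // SAFE: the SQL text is a constant with ? placeholders; the driver sends the
    // values separately, so they are stored verbatim and never parsed as SQL.
    static void logSafe(Connection conn, String uuid, String command, long time, String ip)
            throws SQLException {
        try (PreparedStatement ps =
                     conn.prepareStatement("INSERT INTO commandlogs VALUES(?, ?, ?, ?)")) {
            ps.setString(1, uuid);
            ps.setString(2, command);
            ps.setLong(3, time);
            ps.setString(4, ip);
            ps.executeUpdate();
        }
    }

    // Print every logged row so the effect of each call is visible.
    static void dump(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT uuid, command, time, ip FROM commandlogs")) {
            while (rs.next()) {
                System.out.printf("%s | %s | %d | %s%n",
                        rs.getString(1), rs.getString(2), rs.getLong(3), rs.getString(4));
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: org.xerial:sqlite-jdbc is on the classpath. Any JDBC driver works
        // with its own URL; the injection behaves the same way on MySQL.
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = conn.createStatement()) {
                st.executeUpdate(
                        "CREATE TABLE commandlogs(uuid TEXT, command TEXT, time INTEGER, ip TEXT)");
            }
            // Constructed player uuid and address for the sample rows.
            String uuid = "069a79f4-44e9-4726-a5be-fca90e38aaf5";
            String realIp = "10.0.0.5";

            try {
                logUnsafe(conn, uuid, APOSTROPHE_CMD, 1L, realIp);
            } catch (SQLException e) {
                // This is the "huge error" from the original post: a syntax error
                // because the apostrophe closed the string literal early.
                System.out.println("unsafe + apostrophe -> " + e.getMessage());
            }
            // No error here, but the stored time and ip are the attacker's, not ours.
            logUnsafe(conn, uuid, FORGING_CMD, 2L, realIp);

            // Both inputs are stored exactly as typed; time and ip stay correct.
            logSafe(conn, uuid, APOSTROPHE_CMD, 3L, realIp);
            logSafe(conn, uuid, FORGING_CMD, 4L, realIp);

            dump(conn);
        }
    }
}
```

Run it with the driver jar on the classpath and compare the rows: the logUnsafe row for FORGING_CMD carries time 0 and ip 203.0.113.9, while both logSafe rows record the command text literally with the real time and ip. The try-with-resources blocks close each PreparedStatement after use, which also matters for a plugin that logs every command on a busy proxy.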
  5. Alright thanks for your help. Let me give that a go.
  6. That works perfectly now! Thanks for your help and for picking me up on the SQL Injection vulnerability :D