From 00bc513e6eb47ecc8d9faaab31a85c6c54d7c4f8 Mon Sep 17 00:00:00 2001 From: Cadyn Date: Wed, 27 Jan 2021 10:51:12 -0800 Subject: [PATCH] Implementing TGSQL security --- code/_helpers/logging.dm | 56 +++++++++++++---- code/_helpers/logging_vr.dm | 18 +++++- code/controllers/subsystems/dbcore.dm | 2 + code/controllers/subsystems/persist_vr.dm | 5 +- code/defines/procs/statistics.dm | 10 +++- code/game/world.dm | 1 + code/modules/admin/DB ban/functions.dm | 60 +++++++++++-------- code/modules/admin/IsBanned.dm | 6 +- code/modules/admin/admin_ranks.dm | 1 + code/modules/admin/admin_tools.dm | 3 +- code/modules/admin/banjob.dm | 3 +- .../admin/permissionverbs/permissionedit.dm | 12 +++- .../admin/verbs/check_customitem_activity.dm | 5 +- code/modules/client/client procs.dm | 34 +++++++---- code/modules/library/lib_machines.dm | 26 +++++--- code/modules/mob/new_player/new_player.dm | 14 +++-- code/modules/mob/new_player/poll.dm | 59 +++++++++--------- code/modules/research/message_server.dm | 10 ++-- code/modules/tgs/v5/chat_commands.dm | 21 ++++--- 19 files changed, 228 insertions(+), 118 deletions(-) diff --git a/code/_helpers/logging.dm b/code/_helpers/logging.dm index 054a975638..56f2882957 100644 --- a/code/_helpers/logging.dm +++ b/code/_helpers/logging.dm @@ -65,7 +65,7 @@ if (config.log_say) WRITE_LOG(diary, "SAY: [speaker.simple_info_line()]: [html_decode(text)]") - //Log the message to in-game dialogue logs, as well. + //Log the message to in-game dialogue logs, as well. //CHOMPEdit Begin if(speaker.client) //speaker.dialogue_log += "([time_stamp()]) ([speaker]/[speaker.client]) SAY: - [text]" if(!SSdbcore.IsConnected()) 
@@ -75,8 +75,12 @@ var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "say", "message_content" = text)) if(!query_insert.Execute()) - log_debug(query_insert.ErrorMsg()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //GLOB.round_text_log += "([time_stamp()]) ([speaker]/[speaker.client]) SAY: - [text]" + //CHOMPEdit End /proc/log_ooc(text, client/user) if (config.log_ooc) @@ -87,7 +91,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = user.ckey, "sender_mob" = user.mob.real_name, "message_type" = "ooc", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //GLOB.round_text_log += "([time_stamp()]) ([user]) OOC: - [text]" /proc/log_aooc(text, client/user) @@ -99,7 +107,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = user.ckey, "sender_mob" = user.mob.real_name, "message_type" = "aooc", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //GLOB.round_text_log += "([time_stamp()]) ([user]) AOOC: - [text]" /proc/log_looc(text, client/user) 
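Review bot: The new failure path in log_say's `if(!query_insert.Execute())` block deletes the query and returns, and the success path deletes it again one line later, so every log_* proc now carries two `qdel(query_insert)` calls plus a `return` that exists only to skip the second one. Dropping the `return` and keeping one unconditional delete after the `if` is equivalent: `if(!query_insert.Execute())` / `	log_debug("Error during logging: "+query_insert.ErrorMsg())` / `qdel(query_insert)`. The same shape is repeated in the log_ooc, log_aooc, log_looc, log_whisper, log_emote, deadsay, deademote and pda hunks of this file and in all three logging_vr.dm hunks, so a small shared helper that executes, logs ErrorMsg on failure and deletes would remove about a dozen copies. Each of these procs begins outside its hunk.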
@@ -111,7 +123,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = user.ckey, "sender_mob" = user.mob.real_name, "message_type" = "looc", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //GLOB.round_text_log += "([time_stamp()]) ([user]) LOOC: - [text]" /proc/log_whisper(text, mob/speaker) @@ -127,7 +143,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "whisper", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) /proc/log_emote(text, mob/speaker) @@ -143,7 +163,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "emote", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //CHOMPEdit End /proc/log_attack(attacker, defender, message) 
@@ -173,7 +197,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "deadsay", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //speaker.dialogue_log += "([time_stamp()]) ([speaker]/[speaker.client]) DEADSAY: - [text]" //GLOB.round_text_log += "([time_stamp()]) ([src]/[speaker.client]) DEADSAY: - [text]" //CHOMPEdit End @@ -189,7 +217,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "deademote", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //CHOMPEdit End /proc/log_adminwarn(text) @@ -207,7 +239,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "pda", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //speaker.dialogue_log += "([time_stamp()]) ([speaker]/[speaker.client]) MSG: - [text]" //GLOB.round_text_log += "([time_stamp()]) ([speaker]/[speaker.client]) MSG: - [text]" 
diff --git a/code/_helpers/logging_vr.dm b/code/_helpers/logging_vr.dm index ddd5099d2a..7771b49482 100644 --- a/code/_helpers/logging_vr.dm +++ b/code/_helpers/logging_vr.dm @@ -9,7 +9,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "nsay", "message_content" = text)) - query_insert.ErrorMsg() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //CHOMPEdit End /proc/log_nme(text, inside, mob/speaker) @@ -23,7 +27,11 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "nme", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //CHOMPEdit End /proc/log_subtle(text, mob/speaker) @@ -37,5 +45,9 @@ return null var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \ list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "subtle", "message_content" = text)) - query_insert.Execute() + if(!query_insert.Execute()) + log_debug("Error during logging: "+query_insert.ErrorMsg()) + qdel(query_insert) + return + qdel(query_insert) //CHOMPEdit End diff --git a/code/controllers/subsystems/dbcore.dm b/code/controllers/subsystems/dbcore.dm index dd45e05290..09dce0c13c 100644 
--- a/code/controllers/subsystems/dbcore.dm +++ b/code/controllers/subsystems/dbcore.dm @@ -22,6 +22,8 @@ SUBSYSTEM_DEF(dbcore) for(var/I in active_queries) var/DBQuery/Q = I if(world.time - Q.last_activity_time > (5 MINUTES)) + message_admins("Found undeleted query, please check the server logs and notify coders.") + log_debug("Undeleted query: \"[Q.sql]\" LA: [Q.last_activity] LAT: [Q.last_activity_time]") qdel(Q) if(MC_TICK_CHECK) return diff --git a/code/controllers/subsystems/persist_vr.dm b/code/controllers/subsystems/persist_vr.dm index e8b1e874b2..c571c532e4 100644 --- a/code/controllers/subsystems/persist_vr.dm +++ b/code/controllers/subsystems/persist_vr.dm @@ -84,10 +84,11 @@ SUBSYSTEM_DEF(persist) var/sql_dpt = sql_sanitize_text(department_earning) var/sql_bal = text2num("[C.department_hours[department_earning]]") var/sql_total = text2num("[C.play_hours[department_earning]]") - var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO vr_player_hours (ckey, department, hours, total_hours) VALUES ('[sql_ckey]', '[sql_dpt]', [sql_bal], [sql_total]) ON DUPLICATE KEY UPDATE hours = VALUES(hours), total_hours = VALUES(total_hours)") //CHOMPEdit TGSQL + var/list/sqlargs = list("t_ckey" = sql_ckey, "t_department" = sql_dpt) //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO vr_player_hours (ckey, department, hours, total_hours) VALUES (:t_ckey, :t_department, [sql_bal], [sql_total]) ON DUPLICATE KEY UPDATE hours = VALUES(hours), total_hours = VALUES(total_hours)", sqlargs) //CHOMPEdit TGSQL if(!query.Execute()) //CHOMPEdit log_admin(query.ErrorMsg()) //CHOMPEdit - + qdel(query) //CHOMPEdit TGSQL if (MC_TICK_CHECK) return diff --git a/code/defines/procs/statistics.dm b/code/defines/procs/statistics.dm index 61fd8fc6ed..05ab212535 100644 --- a/code/defines/procs/statistics.dm +++ b/code/defines/procs/statistics.dm 
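Review bot: The added log_debug line reads `Q.last_activity`, but the only timing field the surrounding condition shows on DBQuery is `last_activity_time`; confirm `last_activity` exists on the type, since an undefined var here is a compile error in the subsystem that every other file in this patch depends on. The line also writes the full `Q.sql` text to the debug log, and for the statements this commit leaves string-built elsewhere (the erro_ban and erro_admin_log inserts) that text embeds admin-entered values, so truncating it or logging the creating proc instead would keep such content out of the debug log. message_admins fires once per stale query because qdel follows immediately, which looks fine.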
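Review bot: `sql_ckey` and `sql_dpt` still go through sql_sanitize_text before being bound as `:t_ckey` and `:t_department`; if that helper escapes quotes or backslashes (its body is not visible here) the escaped form is now stored literally in vr_player_hours and later lookups on the raw ckey would miss. With bound parameters the sanitize step is redundant and should be dropped, here and for the `sql_discord`/`sql_ckey` values in client procs.dm and the `reason = sql_sanitize_text(reason)` lines in DB ban/functions.dm. `[sql_bal]` and `[sql_total]` are text2num results interpolated directly into the rewritten statement, so a null from text2num produces a malformed VALUES list; a `|| 0` guard on each would make the new line robust. The enclosing loop starts outside this hunk.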
@@ -15,6 +15,7 @@ proc/sql_poll_population() if(!query.Execute()) var/err = query.ErrorMsg() log_game("SQL ERROR during population polling. Error : \[[err]\]\n") + qdel(query) //CHOMPEdit TGSQL proc/sql_report_round_start() // TODO @@ -53,10 +54,11 @@ proc/sql_report_death(var/mob/living/carbon/human/H) if(!SSdbcore.IsConnected()) //CHOMPEdit TGSQL log_game("SQL ERROR during death reporting. Failed to connect.") else - var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss, coord) VALUES ('[sqlname]', '[sqlkey]', '[sqljob]', '[sqlspecial]', '[sqlpod]', '[sqltime]', '[laname]', '[lakey]', '[H.gender]', [H.getBruteLoss()], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()], '[coord]')") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss, coord) VALUES (:t_name, :t_byondkey, :t_job, :t_special, :t_pod, '[sqltime]', :t_laname, :t_lakey, '[H.gender]', [H.getBruteLoss()], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()], '[coord]')", list("t_name" = sqlname,"t_byondkey" = sqlkey, "t_job" = sqljob, "t_special" = sqlspecial, "t_pod" = sqlpod, "t_laname" = laname, "t_lakey" = lakey)) //CHOMPEdit TGSQL if(!query.Execute()) var/err = query.ErrorMsg() log_game("SQL ERROR during death reporting. Error : \[[err]\]\n") + qdel(query) //CHOMPEdit TGSQL proc/sql_report_cyborg_death(var/mob/living/silicon/robot/H) 
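Review bot: In sql_poll_population the added `qdel(query)` follows the `log_game` call inside the `if(!query.Execute())` branch, and with the indentation collapsed I cannot tell whether it was dedented; if it sits inside that branch the query is freed only on failure and leaks on success, which is exactly what the new dbcore warning will then report. The same placement question applies to both sql_report_death hunks and the last sql_commit_feedback hunk in this file. Separately, the rewritten INSERT INTO death binds the name and key fields but still interpolates `'[sqltime]'`, `'[H.gender]'` and `'[coord]'`; these look server-generated, but binding them keeps the statement uniformly parameterized. Each enclosing proc starts outside its hunk.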
@@ -87,10 +89,11 @@ proc/sql_report_cyborg_death(var/mob/living/silicon/robot/H) if(!SSdbcore.IsConnected()) //CHOMPEdit TGSQL log_game("SQL ERROR during death reporting. Failed to connect.") else - var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss, coord) VALUES ('[sqlname]', '[sqlkey]', '[sqljob]', '[sqlspecial]', '[sqlpod]', '[sqltime]', '[laname]', '[lakey]', '[H.gender]', [H.getBruteLoss()], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()], '[coord]')") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss, coord) VALUES (:t_name, :t_byondkey, :t_job, :t_special, :t_pod, '[sqltime]', :t_laname, :t_lakey, '[H.gender]', [H.getBruteLoss()], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()], '[coord]')", list("t_name" = sqlname,"t_byondkey" = sqlkey, "t_job" = sqljob, "t_special" = sqlspecial, "t_pod" = sqlpod, "t_laname" = laname, "t_lakey" = lakey)) //CHOMPEdit TGSQL if(!query.Execute()) var/err = query.ErrorMsg() log_game("SQL ERROR during death reporting. Error : \[[err]\]\n") + qdel(query) //CHOMPEdit TGSQL proc/statistic_cycle() @@ -126,7 +129,7 @@ proc/sql_commit_feedback() while(max_query.NextRow()) newroundid = max_query.item[1] - + qdel(max_query) //CHOMPEdit TGSQL if(!(isnum(newroundid))) newroundid = text2num(newroundid) @@ -143,3 +146,4 @@ proc/sql_commit_feedback() if(!query.Execute()) var/err = query.ErrorMsg() log_game("SQL ERROR during death reporting. Error : \[[err]\]\n") + qdel(query) //CHOMPEdit TGSQL diff --git a/code/game/world.dm b/code/game/world.dm index d87f0eb25f..0c1828e7fc 100644 --- a/code/game/world.dm +++ b/code/game/world.dm 
@@ -573,6 +573,7 @@ var/failed_old_db_connections = 0 if(num_tries==5) log_admin("ERROR TRYING TO CLEAR erro_dialog") + qdel(query_truncate) else to_world_log("Feedback database connection failed.") //CHOMPEdit End diff --git a/code/modules/admin/DB ban/functions.dm b/code/modules/admin/DB ban/functions.dm index 78efe306c8..3dbfd191d3 100644 --- a/code/modules/admin/DB ban/functions.dm +++ b/code/modules/admin/DB ban/functions.dm @@ -44,11 +44,12 @@ datum/admins/proc/DB_ban_record(var/bantype, var/mob/banned_mob, var/duration = computerid = bancid ip = banip - var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_player WHERE ckey = '[ckey]'") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_player WHERE ckey = :t_ckey", list("t_ckey",ckey)) //CHOMPEdit TGSQL query.Execute() var/validckey = 0 if(query.NextRow()) validckey = 1 + qdel(query) //CHOMPEdit TGSQL if(!validckey) if(!banned_mob || (banned_mob && !IsGuestKey(banned_mob.key))) //VOREStation Edit Start. var/confirm = alert(usr, "This ckey hasn't been seen, are you sure?", "Confirm Badmin" , "Yes", "No") 
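Review bot: `qdel(query_truncate)` is added only on the `num_tries==5` failure path; the path where the truncate succeeds is outside this hunk, and unless it already deletes the query, that query will now be reported as undeleted by the new dbcore check. Moving the delete after the retry loop, or adding a matching `qdel(query_truncate)` on the success path, covers both outcomes.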
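Review bot: `list("t_ckey",ckey)` on the rewritten erro_player SELECT is a plain two-element list, not an associative one, so no parameter named t_ckey is bound and `:t_ckey` stays unresolved; it should read `list("t_ckey" = ckey)` as every other hunk in this patch does. Because `query.Execute()`'s result is not checked and `validckey` stays 0 on failure, the only visible symptom would be the "This ckey hasn't been seen" prompt appearing for every ban, which hides the defect rather than surfacing it. DB_ban_record starts outside this hunk.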
@@ -79,13 +80,14 @@ datum/admins/proc/DB_ban_record(var/bantype, var/mob/banned_mob, var/duration = adminwho += ", [C]" reason = sql_sanitize_text(reason) - - var/sql = "INSERT INTO erro_ban (`id`,`bantime`,`serverip`,`bantype`,`reason`,`job`,`duration`,`rounds`,`expiration_time`,`ckey`,`computerid`,`ip`,`a_ckey`,`a_computerid`,`a_ip`,`who`,`adminwho`,`edits`,`unbanned`,`unbanned_datetime`,`unbanned_ckey`,`unbanned_computerid`,`unbanned_ip`) VALUES (null, Now(), '[serverip]', '[bantype_str]', '[reason]', '[job]', [(duration)?"[duration]":"0"], [(rounds)?"[rounds]":"0"], Now() + INTERVAL [(duration>0) ? duration : 0] MINUTE, '[ckey]', '[computerid]', '[ip]', '[a_ckey]', '[a_computerid]', '[a_ip]', '[who]', '[adminwho]', '', null, null, null, null, null)" - var/DBQuery/query_insert = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL + var/list/sqlargs = list("t_bantype" = bantype_str, "t_reason" = reason, "t_job" = job, "t_ckey" = ckey, "t_a_ckey" = a_ckey, "t_who" = who, "t_adminwho" = adminwho) //CHOMPEdit TGSQL + var/sql = "INSERT INTO erro_ban (`id`,`bantime`,`serverip`,`bantype`,`reason`,`job`,`duration`,`rounds`,`expiration_time`,`ckey`,`computerid`,`ip`,`a_ckey`,`a_computerid`,`a_ip`,`who`,`adminwho`,`edits`,`unbanned`,`unbanned_datetime`,`unbanned_ckey`,`unbanned_computerid`,`unbanned_ip`) VALUES (null, Now(), '[serverip]', :t_bantype, :t_reason, :t_job, [(duration)?"[duration]":"0"], [(rounds)?"[rounds]":"0"], Now() + INTERVAL [(duration>0) ? 
duration : 0] MINUTE, :t_ckey, '[computerid]', '[ip]', :t_a_ckey, '[a_computerid]', '[a_ip]', :t_who, :t_adminwho, '', null, null, null, null, null)" //CHOMPEdit TGSQL + + var/DBQuery/query_insert = SSdbcore.NewQuery(sql,sqlargs) //CHOMPEdit TGSQL query_insert.Execute() to_chat(usr, "Ban saved to database.") message_admins("[key_name_admin(usr)] has added a [bantype_str] for [ckey] [(job)?"([job])":""] [(duration > 0)?"([duration] minutes)":""] with the reason: \"[reason]\" to the ban database.",1) - + qdel(query_insert) //CHOMPEdit TGSQL datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "") @@ -119,7 +121,7 @@ datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "") else bantype_sql = "bantype = '[bantype_str]'" - var/sql = "SELECT id FROM erro_ban WHERE ckey = '[ckey]' AND [bantype_sql] AND (unbanned is null OR unbanned = false)" + var/sql = "SELECT id FROM erro_ban WHERE ckey = :t_ckey AND [bantype_sql] AND (unbanned is null OR unbanned = false)" //CHOMPEdit TGSQL if(job) sql += " AND job = '[job]'" @@ -130,12 +132,12 @@ datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "") var/ban_id var/ban_number = 0 //failsafe - var/DBQuery/query = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery(sql, list("t_ckey" = ckey)) //CHOMPEdit TGSQL query.Execute() while(query.NextRow()) ban_id = query.item[1] ban_number++; - + qdel(query) //CHOMPEdit TGSQL if(ban_number == 0) to_chat(usr, "Database update failed due to no bans fitting the search criteria. If this is not a legacy ban you should contact the database admin.") return @@ -175,7 +177,7 @@ datum/admins/proc/DB_ban_edit(var/banid = null, var/param = null) else to_chat(usr, "Invalid ban id. Contact the database admin") return - + qdel(query) //CHOMPEdit TGSQL reason = sql_sanitize_text(reason) var/value 
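Review bot: The rewritten erro_ban INSERT binds bantype, reason, job, ckey, a_ckey, who and adminwho but still interpolates `'[serverip]'`, `'[computerid]'`, `'[ip]'`, `'[a_computerid]'` and `'[a_ip]'`; `computerid` and `ip` are assigned from the `bancid`/`banip` arguments in the earlier hunk of this proc and can be admin-typed free text, so they belong in sqlargs too, e.g. `"t_ip" = ip, "t_computerid" = computerid`. The same partial binding is in the DB_ban_unban hunk below, where `sql += " AND job = '[job]'"` and `bantype_sql = "bantype = '[bantype_str]'"` remain string-built, and in the DB_ban_unban_by_id UPDATE later in this file. `query_insert.Execute()`'s return value is still ignored here, so "Ban saved to database." is reported even when the insert fails; checking it before the to_chat/message_admins pair would make the notice truthful.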
@@ -187,20 +189,22 @@ datum/admins/proc/DB_ban_edit(var/banid = null, var/param = null) if(!value) to_chat(usr, "Cancelled") return - - var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET reason = '[value]', edits = CONCAT(edits,'- [eckey] changed ban reason from \\\"[reason]\\\" to \\\"[value]\\\"
') WHERE id = [banid]") //CHOMPEdit TGSQL + var/list/sqlargs = list("t_reason" = value, "t_edits" = "- [eckey] changed ban reason from \\\"[reason]\\\" to \\\"[value]\\\"
") //CHOMPEdit TGSQL + var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET reason = '[value]', edits = CONCAT(edits,:t_edits) WHERE id = [banid]", sqlargs) //CHOMPEdit TGSQL update_query.Execute() message_admins("[key_name_admin(usr)] has edited a ban for [pckey]'s reason from [reason] to [value]",1) + qdel(update_query) //CHOMPEdit TGSQL if("duration") if(!value) value = input("Insert the new duration (in minutes) for [pckey]'s ban", "New Duration", "[duration]", null) as null|num if(!isnum(value) || !value) to_chat(usr, "Cancelled") return - - var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET duration = [value], edits = CONCAT(edits,'- [eckey] changed ban duration from [duration] to [value]
'), expiration_time = DATE_ADD(bantime, INTERVAL [value] MINUTE) WHERE id = [banid]") //CHOMPEdit TGSQL + var/list/sqlargs = list("t_edits" = "- [eckey] changed ban duration from [duration] to [value]
") //CHOMPEdit TGSQL + var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET duration = [value], edits = CONCAT(edits,:t_edits), expiration_time = DATE_ADD(bantime, INTERVAL [value] MINUTE) WHERE id = [banid]",sqlargs) //CHOMPEdit TGSQL message_admins("[key_name_admin(usr)] has edited a ban for [pckey]'s duration from [duration] to [value]",1) update_query.Execute() + qdel(update_query) //CHOMPEdit TGSQL if("unban") if(alert("Unban [pckey]?", "Unban?", "Yes", "No") == "Yes") DB_ban_unban_by_id(banid) @@ -226,7 +230,7 @@ datum/admins/proc/DB_ban_unban_by_id(var/id) while(query.NextRow()) pckey = query.item[1] ban_number++; - + qdel(query) //CHOMPEdit TGSQL if(ban_number == 0) to_chat(usr, "Database update failed due to a ban id not being present in the database.") return @@ -241,13 +245,13 @@ datum/admins/proc/DB_ban_unban_by_id(var/id) var/unban_ckey = src.owner:ckey var/unban_computerid = src.owner:computer_id var/unban_ip = src.owner:address - - var/sql_update = "UPDATE erro_ban SET unbanned = 1, unbanned_datetime = Now(), unbanned_ckey = '[unban_ckey]', unbanned_computerid = '[unban_computerid]', unbanned_ip = '[unban_ip]' WHERE id = [id]" + var/list/sqlargs = list("t_ckey" = unban_ckey) //CHOMPEdit TGSQL + var/sql_update = "UPDATE erro_ban SET unbanned = 1, unbanned_datetime = Now(), unbanned_ckey = :t_ckey, unbanned_computerid = '[unban_computerid]', unbanned_ip = '[unban_ip]' WHERE id = [id]" //CHOMPEdit TGSQL message_admins("[key_name_admin(usr)] has lifted [pckey]'s ban.",1) - var/DBQuery/query_update = SSdbcore.NewQuery(sql_update) //CHOMPEdit TGSQL + var/DBQuery/query_update = SSdbcore.NewQuery(sql_update,sqlargs) //CHOMPEdit TGSQL query_update.Execute() - + qdel(query_update) //CHOMPEdit TGSQL /client/proc/DB_ban_panel() set category = "Admin" 
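Review bot: In the `reason` branch the new sqlargs list defines `t_reason`, but the statement still writes `reason = '[value]'`, so the admin-entered value is concatenated into the SQL and the bound parameter is never used; change it to `reason = :t_reason`. Depending on how SSdbcore.NewQuery treats an argument with no matching placeholder, the unused key may also make the query fail outright, so this is worth a runtime check. `[banid]` is interpolated in both UPDATEs; if the caller does not guarantee it is numeric it should be bound as well. DB_ban_edit starts outside this hunk.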
@@ -363,21 +367,26 @@ datum/admins/proc/DB_ban_unban_by_id(var/id) var/ipsearch = "" var/cidsearch = "" var/bantypesearch = "" - + //CHOMPEdit Begin + var/list/sqlargs = list() if(!match) if(adminckey) - adminsearch = "AND a_ckey = '[adminckey]' " + adminsearch = "AND a_ckey = :t_adminckey " + sqlargs["t_adminckey"] = adminckey if(playerckey) - playersearch = "AND ckey = '[playerckey]' " + playersearch = "AND ckey = :t_playerckey " + sqlargs["t_playerckey"] = playerckey //CHOMPEdit End if(playerip) ipsearch = "AND ip = '[playerip]' " if(playercid) cidsearch = "AND computerid = '[playercid]' " else - if(adminckey && length(adminckey) >= 3) - adminsearch = "AND a_ckey LIKE '[adminckey]%' " + if(adminckey && length(adminckey) >= 3) //CHOMPEdit Begin + adminsearch = "AND a_ckey LIKE CONCAT(:t_adminckey,'%') " + sqlargs["t_adminckey"] = adminckey if(playerckey && length(playerckey) >= 3) - playersearch = "AND ckey LIKE '[playerckey]%' " + playersearch = "AND ckey LIKE CONCAT(:t_playerckey,'%') " + sqlargs["t_playerckey"] = playerckey //CHOMPEdit End if(playerip && length(playerip) >= 3) ipsearch = "AND ip LIKE '[playerip]%' " if(playercid && length(playercid) >= 7) 
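Review bot: Only the ckey filters were converted; `ipsearch` and `cidsearch` still embed `'[playerip]'`/`'[playercid]'` (and their LIKE variants) into the WHERE clause in both branches of the new `if(!match)` block, and those values come from the same search form as playerckey. Bind them the same way, e.g. `ipsearch = "AND ip = :t_playerip "` with `sqlargs["t_playerip"] = playerip`, and `CONCAT(:t_playerip,'%')` for the prefix case. Note that `%` and `_` inside a bound LIKE value are still wildcards, so a prefix search containing them matches more than intended unless they are escaped before binding. DB_ban_panel starts outside this hunk.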
@@ -396,7 +405,7 @@ datum/admins/proc/DB_ban_unban_by_id(var/id) else bantypesearch += "'PERMABAN' " - var/DBQuery/select_query = SSdbcore.NewQuery("SELECT id, bantime, bantype, reason, job, duration, expiration_time, ckey, a_ckey, unbanned, unbanned_ckey, unbanned_datetime, edits, ip, computerid FROM erro_ban WHERE 1 [playersearch] [adminsearch] [ipsearch] [cidsearch] [bantypesearch] ORDER BY bantime DESC LIMIT 100") //CHOMPEdit TGSQL + var/DBQuery/select_query = SSdbcore.NewQuery("SELECT id, bantime, bantype, reason, job, duration, expiration_time, ckey, a_ckey, unbanned, unbanned_ckey, unbanned_datetime, edits, ip, computerid FROM erro_ban WHERE 1 [playersearch] [adminsearch] [ipsearch] [cidsearch] [bantypesearch] ORDER BY bantime DESC LIMIT 100", sqlargs) //CHOMPEdit TGSQL select_query.Execute() var/now = time2text(world.realtime, "YYYY-MM-DD hh:mm:ss") // MUST BE the same format as SQL gives us the dates in, and MUST be least to most specific (i.e. year, month, day not day, month, year) @@ -475,5 +484,6 @@ datum/admins/proc/DB_ban_unban_by_id(var/id) output += "" output += "" + qdel(select_query) //CHOMPEdit TGSQL usr << browse(output,"window=lookupbans;size=900x700") diff --git a/code/modules/admin/IsBanned.dm b/code/modules/admin/IsBanned.dm index e90eacacfa..56a6e71114 100644 --- a/code/modules/admin/IsBanned.dm +++ b/code/modules/admin/IsBanned.dm 
@@ -52,7 +52,7 @@ world/IsBanned(key,address,computer_id) failedcid = 0 cidquery = " OR computerid = '[computer_id]' " - var/DBQuery/query = SSdbcore.NewQuery("SELECT ckey, ip, computerid, a_ckey, reason, expiration_time, duration, bantime, bantype FROM erro_ban WHERE (ckey = '[ckeytext]' [ipquery] [cidquery]) AND (bantype = 'PERMABAN' OR (bantype = 'TEMPBAN' AND expiration_time > Now())) AND isnull(unbanned)") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("SELECT ckey, ip, computerid, a_ckey, reason, expiration_time, duration, bantime, bantype FROM erro_ban WHERE (ckey = :t_ckey [ipquery] [cidquery]) AND (bantype = 'PERMABAN' OR (bantype = 'TEMPBAN' AND expiration_time > Now())) AND isnull(unbanned)", list("t_ckey" = ckeytext)) //CHOMPEdit TGSQL query.Execute() @@ -72,9 +72,9 @@ world/IsBanned(key,address,computer_id) expires = " The ban is for [duration] minutes and expires on [expiration] (server time)." var/desc = "\nReason: You, or another user of this computer or connection ([pckey]) is banned from playing here. The ban reason is:\n[reason]\nThis ban was applied by [ackey] on [bantime], [expires]" - + qdel(query) //CHOMPEdit TGSQL return list("reason"="[bantype]", "desc"="[desc]") - + qdel(query) //CHOMPEdit TGSQL if (failedcid) message_admins("[key] has logged in with a blank computer id in the ban check.") if (failedip) diff --git a/code/modules/admin/admin_ranks.dm b/code/modules/admin/admin_ranks.dm index b223c7e6d5..c5cfdc06c2 100644 --- a/code/modules/admin/admin_ranks.dm +++ b/code/modules/admin/admin_ranks.dm 
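Review bot: The rewritten ban lookup binds `:t_ckey` but still splices `[ipquery] [cidquery]` into the WHERE clause, and `cidquery` is built from `'[computer_id]'` just above (ipquery presumably from `address` the same way); both arrive from the connecting client via `world/IsBanned(key,address,computer_id)` before any authentication has happened. Bind them as well, e.g. `cidquery = " OR computerid = :t_cid "` with `"t_cid" = computer_id` added to the argument list. The two `qdel(query)` additions cover the banned and not-banned returns, which looks right; confirm there is no other early return between them that skips the delete.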
@@ -135,6 +135,7 @@ var/list/admin_ranks = list() //list of all ranks with associated rights //find the client for a ckey if they are connected and associate them with the new admin datum D.associate(GLOB.directory[ckey]) + qdel(query) //CHOMPEdit TGSQL if(!admin_datums) error("The database query in load_admins() resulted in no admins being added to the list. Reverting to legacy system.") log_misc("The database query in load_admins() resulted in no admins being added to the list. Reverting to legacy system.") diff --git a/code/modules/admin/admin_tools.dm b/code/modules/admin/admin_tools.dm index c8160873de..6f9e964163 100644 --- a/code/modules/admin/admin_tools.dm +++ b/code/modules/admin/admin_tools.dm @@ -45,7 +45,7 @@ //CHOMPEdit Begin /*for(var/d in M.dialogue_log) dat += "[d]
"*/ - var/DBQuery/query = SSdbcore.NewQuery("SELECT mid,time,ckey,mob,type,message from erro_dialog WHERE ckey = '[M.ckey]'") + var/DBQuery/query = SSdbcore.NewQuery("SELECT mid,time,ckey,mob,type,message from erro_dialog WHERE ckey = :t_ckey", list("t_ckey" = M.ckey)) if(!query.Execute()) dat += "Database query error" else @@ -59,6 +59,7 @@ dat += "
" dat += messages dat += "
" + qdel(query) //CHOMPEdit End var/datum/browser/popup = new(usr, "admin_dialogue_log", "[src]", 650, 650, src) popup.set_content(jointext(dat,null)) diff --git a/code/modules/admin/banjob.dm b/code/modules/admin/banjob.dm index 2bfe3f1654..e742222402 100644 --- a/code/modules/admin/banjob.dm +++ b/code/modules/admin/banjob.dm @@ -85,7 +85,7 @@ DEBUG var/job = query.item[2] jobban_keylist.Add("[ckey] - [job]") - + qdel(query) //CHOMPEdit TGSQL //Job tempbans var/DBQuery/query1 = SSdbcore.NewQuery("SELECT ckey, job FROM erro_ban WHERE bantype = 'JOB_TEMPBAN' AND isnull(unbanned) AND expiration_time > Now()") //CHOMPEdit TGSQL query1.Execute() @@ -95,6 +95,7 @@ DEBUG var/job = query1.item[2] jobban_keylist.Add("[ckey] - [job]") + qdel(query1) //CHOMPEdit TGSQL /proc/jobban_savebanfile() var/savefile/S=new("data/job_full.ban") diff --git a/code/modules/admin/permissionverbs/permissionedit.dm b/code/modules/admin/permissionverbs/permissionedit.dm index 178587133f..549f537d67 100644 --- a/code/modules/admin/permissionverbs/permissionedit.dm +++ b/code/modules/admin/permissionverbs/permissionedit.dm 
@@ -79,19 +79,23 @@ while(select_query.NextRow()) new_admin = 0 admin_id = text2num(select_query.item[1]) - + qdel(select_query) //CHOMPEdit TGSQL if(new_admin) var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO `erro_admin` (`id`, `ckey`, `rank`, `level`, `flags`) VALUES (null, '[adm_ckey]', '[new_rank]', -1, 0)") //CHOMPEdit TGSQL insert_query.Execute() + qdel(insert_query) //CHOMPEdit TGSQL var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Added new admin [adm_ckey] to rank [new_rank]');") //CHOMPEdit TGSQL log_query.Execute() + qdel(log_query) //CHOMPEdit TGSQL to_chat(usr, "New admin added.") else if(!isnull(admin_id) && isnum(admin_id)) var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET rank = '[new_rank]' WHERE id = [admin_id]") //CHOMPEdit TGSQL insert_query.Execute() + qdel(insert_query) //CHOMPEdit TGSQL var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Edited the rank of [adm_ckey] to [new_rank]');") //CHOMPEdit TGSQL log_query.Execute() + qdel(log_query) //CHOMPEdit TGSQL to_chat(usr, "Admin rank changed.") /datum/admins/proc/log_admin_permission_modification(var/adm_ckey, var/new_permission) 
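Review bot: These hunks only add `qdel` calls while the statements around them stay string-built: `'[adm_ckey]'` and `'[new_rank]'` in the erro_admin INSERT/UPDATE, and `'[usr.client.address]'` plus the free-text message in the erro_admin_log INSERTs; adm_ckey and new_rank are admin-entered values, which is exactly what this commit sets out to parameterize. Bind them as the other files do, e.g. `list("t_ckey" = adm_ckey, "t_rank" = new_rank)`. The same applies to the log_admin_permission_modification hunk below. The hard-coded `test`.`erro_admin_log` schema name in the log inserts is pre-existing, but it writes to a different database than the other queries on any server whose schema is not named test.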
@@ -131,19 +135,23 @@ while(select_query.NextRow()) admin_id = text2num(select_query.item[1]) admin_rights = text2num(select_query.item[2]) - + qdel(select_query) //CHOMPEdit TGSQL if(!admin_id) return if(admin_rights & new_permission) //This admin already has this permission, so we are removing it. var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET flags = [admin_rights & ~new_permission] WHERE id = [admin_id]") //CHOMPEdit TGSQL insert_query.Execute() + qdel(insert_query) //CHOMPEdit TGSQL var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Removed permission [rights2text(new_permission)] (flag = [new_permission]) to admin [adm_ckey]');") //CHOMPEdit TGSQL log_query.Execute() + qdel(log_query) //CHOMPEdit TGSQL to_chat(usr, "Permission removed.") else //This admin doesn't have this permission, so we are adding it. var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET flags = '[admin_rights | new_permission]' WHERE id = [admin_id]") //CHOMPEdit TGSQL insert_query.Execute() + qdel(insert_query) //CHOMPEdit TGSQL var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Added permission [rights2text(new_permission)] (flag = [new_permission]) to admin [adm_ckey]')") //CHOMPEdit TGSQL log_query.Execute() + qdel(log_query) //CHOMPEdit TGSQL to_chat(usr, "Permission added.") \ No newline at end of file diff --git a/code/modules/admin/verbs/check_customitem_activity.dm b/code/modules/admin/verbs/check_customitem_activity.dm index ec4f66b0f4..eb1879e656 100644 --- a/code/modules/admin/verbs/check_customitem_activity.dm +++ b/code/modules/admin/verbs/check_customitem_activity.dm @@ -63,15 +63,16 @@ var/inactive_keys = "None
" if(ckeys_with_customitems.Find(cur_ckey)) ckeys_with_customitems.Remove(cur_ckey) inactive_ckeys[cur_ckey] = "last seen on [query_inactive.item[2]]" + qdel(query_inactive) //CHOMPEdit TGSQL //if there are ckeys left over, check whether they have a database entry at all if(ckeys_with_customitems.len) for(var/cur_ckey in ckeys_with_customitems) - var/DBQuery/query_inactive = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE ckey = '[cur_ckey]'") //CHOMPEdit TGSQL + var/DBQuery/query_inactive = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE ckey = :t_ckey", list("t_ckey" = cur_ckey)) //CHOMPEdit TGSQL query_inactive.Execute() if(!query_inactive.RowCount()) inactive_ckeys += cur_ckey - + qdel(query_inactive) //CHOMPEdit TGSQL if(inactive_ckeys.len) inactive_keys = "" for(var/cur_key in inactive_ckeys) diff --git a/code/modules/client/client procs.dm b/code/modules/client/client procs.dm index ca8151e833..7db4d9393a 100644 --- a/code/modules/client/client procs.dm +++ b/code/modules/client/client procs.dm 
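Review bot: The first added `qdel(query_inactive)` follows `inactive_ckeys[cur_ckey] = ...` inside the `while(query_inactive.NextRow())` loop, and with the indentation collapsed I cannot tell whether it was dedented; if it is inside the loop, the query is deleted after the first row and the next NextRow runs on a deleted object. Confirm it sits at the level of the `if(ckeys_with_customitems.len)` that follows. The second `qdel(query_inactive)` inside the `for(var/cur_ckey ...)` loop is correctly placed because a new query is created on each iteration. The enclosing verb starts outside the hunk.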
@@ -95,16 +95,18 @@ var/sql_discord = sql_sanitize_text(their_id) var/sql_ckey = sql_sanitize_text(ckey) - var/DBQuery/query = SSdbcore.NewQuery("UPDATE erro_player SET discord_id = '[sql_discord]' WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("UPDATE erro_player SET discord_id = :t_discord_id WHERE ckey = :t_ckey", list("t_discord_id" = sql_discord, "t_ckey" = sql_ckey)) //CHOMPEdit TGSQL if(query.Execute()) to_chat(src, "Registration complete! Thank you for taking the time to register your Discord ID.") log_and_message_admins("[ckey] has registered their Discord ID. Their Discord snowflake ID is: [their_id]") //YW EDIT admin_chat_message(message = "[ckey] has registered their Discord ID. Their Discord is: <@[their_id]>", color = "#4eff22") //YW EDIT notes_add(ckey, "Discord ID: [their_id]") world.VgsAddMemberRole(their_id) + qdel(query) //CHOMPEdit TGSQL else to_chat(src, "There was an error registering your Discord ID in the database. Contact an administrator.") log_and_message_admins("[ckey] failed to register their Discord ID. Their Discord snowflake ID is: [their_id]. Is the database connected?") + qdel(query) //CHOMPEdit TGSQL return //VOREStation Add End @@ -279,13 +281,17 @@ var/sql_ckey = sql_sanitize_text(ckey(key)) - var/DBQuery/query = SSdbcore.NewQuery("SELECT datediff(Now(),firstseen) as age FROM erro_player WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("SELECT datediff(Now(),firstseen) as age FROM erro_player WHERE ckey = :t_ckey", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL query.Execute() - + //CHOMPEdit Begin if(query.NextRow()) - return text2num(query.item[1]) + var/outp = text2num(query.item[1]) + qdel(query) + return outp else + qdel(query) return -1 + //CHOMPEdit End /client/proc/log_client_to_db() 
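Review bot: The values handed to the new parameterised `UPDATE` are still passed through `sql_sanitize_text` first (`sql_discord`, `sql_ckey` on the context lines above), so they are escaped twice: any `'` in the input is stored as `''` and `;` is silently dropped, and the lookups in the `@@ -279` hunk (`sql_sanitize_text(ckey(key))`) and in `log_client_to_db` (`sql_sanitize_text(src.ckey)`) then compare against the same mangled form. With bound parameters the escaping step is unnecessary — this commit's own comment in message_server.dm says as much — so pass the raw values: `list("t_discord_id" = their_id, "t_ckey" = ckey)`. For ckeys the practical effect is nil because BYOND ckeys are lowercase alphanumerics, but where `their_id` comes from is outside the hunk. The duplicated `qdel(query)` in both branches can be one call after the `if`/`else`.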
@@ -299,7 +305,7 @@ var/sql_ckey = sql_sanitize_text(src.ckey) - var/DBQuery/query = SSdbcore.NewQuery("SELECT id, datediff(Now(),firstseen) as age FROM erro_player WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("SELECT id, datediff(Now(),firstseen) as age FROM erro_player WHERE ckey = :t_ckey", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL query.Execute() var/sql_id = 0 player_age = 0 // New players won't have an entry so knowing we have a connection we set this to zero to be updated if their is a record. @@ -307,12 +313,13 @@ sql_id = query.item[1] player_age = text2num(query.item[2]) break - + qdel(query) //CHOMPEdit TGSQL account_join_date = sanitizeSQL(findJoinDate()) if(account_join_date && SSdbcore.IsConnected()) //CHOMPEdit TGSQL var/DBQuery/query_datediff = SSdbcore.NewQuery("SELECT DATEDIFF(Now(),'[account_join_date]')") //CHOMPEdit TGSQL if(query_datediff.Execute() && query_datediff.NextRow()) account_age = text2num(query_datediff.item[1]) + qdel(query_datediff) //CHOMPEdit TGSQL var/DBQuery/query_ip = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE ip = '[address]'") //CHOMPEdit TGSQL query_ip.Execute() @@ -320,14 +327,14 @@ while(query_ip.NextRow()) related_accounts_ip += "[query_ip.item[1]], " break - + qdel(query_ip) //CHOMPEdit TGSQL var/DBQuery/query_cid = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE computerid = '[computer_id]'") //CHOMPEdit TGSQL query_cid.Execute() related_accounts_cid = "" while(query_cid.NextRow()) related_accounts_cid += "[query_cid.item[1]], " break - + qdel(query_cid) //CHOMPEdit TGSQL //Just the standard check to see if it's actually a number if(sql_id) if(istext(sql_id)) 
@@ -376,7 +383,7 @@ log_admin("Couldn't perform IP check on [key] with [address]") // VOREStation Edit Start - Department Hours - var/DBQuery/query_hours = SSdbcore.NewQuery("SELECT department, hours, total_hours FROM vr_player_hours WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL + var/DBQuery/query_hours = SSdbcore.NewQuery("SELECT department, hours, total_hours FROM vr_player_hours WHERE ckey = :t_ckey", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL if(query_hours.Execute()) while(query_hours.NextRow()) department_hours[query_hours.item[1]] = text2num(query_hours.item[2]) 
@@ -387,20 +394,23 @@ spawn(0) alert(src, "The query to load your existing playtime failed. Screenshot this, give the screenshot to a developer, and reconnect, otherwise you may lose any recorded play hours (which may limit access to jobs). ERROR: [error_message]", "PROBLEMS!!") // VOREStation Edit End - Department Hours - + qdel(query_hours) //CHOMPEdit TGSQL if(sql_id) //Player already identified previously, we need to just update the 'lastseen', 'ip' and 'computer_id' variables var/DBQuery/query_update = SSdbcore.NewQuery("UPDATE erro_player SET lastseen = Now(), ip = '[sql_ip]', computerid = '[sql_computerid]', lastadminrank = '[sql_admin_rank]' WHERE id = [sql_id]") //CHOMPEdit TGSQL query_update.Execute() + qdel(query_update) //CHOMPEdit TGSQL else //New player!! Need to insert all the stuff - var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_player (id, ckey, firstseen, lastseen, ip, computerid, lastadminrank) VALUES (null, '[sql_ckey]', Now(), Now(), '[sql_ip]', '[sql_computerid]', '[sql_admin_rank]')") //CHOMPEdit TGSQL + var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_player (id, ckey, firstseen, lastseen, ip, computerid, lastadminrank) VALUES (null, :t_ckey, Now(), Now(), '[sql_ip]', '[sql_computerid]', '[sql_admin_rank]')", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL query_insert.Execute() + qdel(query_insert) //CHOMPEdit TGSQL //Logging player access var/serverip = "[world.internet_address]:[world.port]" - var/DBQuery/query_accesslog = SSdbcore.NewQuery("INSERT INTO `erro_connection_log`(`id`,`datetime`,`serverip`,`ckey`,`ip`,`computerid`) VALUES(null,Now(),'[serverip]','[sql_ckey]','[sql_ip]','[sql_computerid]');") //CHOMPEdit TGSQL + var/DBQuery/query_accesslog = SSdbcore.NewQuery("INSERT INTO `erro_connection_log`(`id`,`datetime`,`serverip`,`ckey`,`ip`,`computerid`) VALUES(null,Now(),'[serverip]',:t_ckey,'[sql_ip]','[sql_computerid]');", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL query_accesslog.Execute() + 
qdel(query_accesslog) //CHOMPEdit TGSQL #undef TOPIC_SPAM_DELAY #undef UPLOAD_LIMIT diff --git a/code/modules/library/lib_machines.dm b/code/modules/library/lib_machines.dm index 45108b4d89..bd6fe27a94 100644 --- a/code/modules/library/lib_machines.dm +++ b/code/modules/library/lib_machines.dm @@ -31,6 +31,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f var/category = "Any" var/author var/SQLquery + var/list/SQLargs //CHOMPEdit TGSQL /obj/machinery/librarypubliccomp/attack_hand(var/mob/user as mob) usr.set_machine(src) @@ -52,7 +53,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f dat += {""} - var/DBQuery/query = SSdbcore.NewQuery(SQLquery) //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery(SQLquery, SQLargs) //CHOMPEdit TGSQL query.Execute() while(query.NextRow()) @@ -61,6 +62,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f var/category = query.item[3] var/id = query.item[4] dat += "" + qdel(query) dat += "
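Review bot: The two `+` lines for `query_insert` and `query_accesslog` bind only `:t_ckey` and leave `'[sql_ip]'`, `'[sql_computerid]'` and `'[sql_admin_rank]'` interpolated into the statement, as does the unchanged `query_update` line above them and the `'[address]'`, `'[computer_id]'` and `'[account_join_date]'` lookups in the `@@ -307` and `@@ -320` hunks, so most of each row still goes through the `sql_sanitize_text`/`sanitizeSQL` path. Bind every value, e.g. for the insert `VALUES (null, :t_ckey, Now(), Now(), :t_ip, :t_computerid, :t_adminrank)", list("t_ckey" = sql_ckey, "t_ip" = sql_ip, "t_computerid" = sql_computerid, "t_adminrank" = sql_admin_rank)`, and likewise for the connection log and the update. None of the three `Execute()` calls is checked, so a failed insert leaves the player without an `erro_player` row and nothing records why; at least `log_debug` the `ErrorMsg()` as the logging.dm hunks in this commit do. `log_client_to_db` begins outside the hunk.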
AUTHORTITLECATEGORYSS13BN
[author][title][category][id]

" dat += "\[Go Back\]
" user << browse(dat, "window=publiclibrary") @@ -95,10 +97,16 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f author = sanitizeSQL(author) if(href_list["search"]) SQLquery = "SELECT author, title, category, id FROM library WHERE " + SQLargs = list() //CHOMPEdit begin if(category == "Any") - SQLquery += "author LIKE '%[author]%' AND title LIKE '%[title]%'" + SQLquery += "author LIKE '%:t_author%' AND title LIKE '%:t_title%'" + SQLargs["t_author"] = author + SQLargs["t_title"] = title else - SQLquery += "author LIKE '%[author]%' AND title LIKE '%[title]%' AND category='[category]'" + SQLquery += "author LIKE CONCAT('%',:t_author,'%') AND title LIKE CONCAT('%',:t_title,'%') AND category=:t_category" + SQLargs["t_author"] = author + SQLargs["t_title"] = title + SQLargs["t_category"] = category //CHOMPEdit End screenstate = 1 if(href_list["back"]) @@ -283,7 +291,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f dat += {"(Order book by SS13BN)
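Review bot: In the `category == "Any"` branch the placeholders are written inside the LIKE literal, `'%:t_author%'` and `'%:t_title%'`, so they are part of a quoted string rather than parameter markers and the two entries put into `SQLargs` have nothing to bind to; the `else` branch directly below already has the correct form. Use it in both: `SQLquery += "author LIKE CONCAT('%',:t_author,'%') AND title LIKE CONCAT('%',:t_title,'%')"`. Separately, the context line `author = sanitizeSQL(author)` still pre-escapes the search term before it is bound, so a search for a name containing `'` would look for `''`; with parameters that call should go (title is presumably handled the same way further up, outside the hunk). The query is executed in the `@@ -52` hunk of this file, not here.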

" + qdel(query) //CHOMPEdit TGSQL dat += "
TITLE\[Order\]
" dat += "
(Return to main menu)
" @@ -411,16 +420,18 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f var/sqlcontent = dbcon.Quote(scanner.cache.dat) var/sqlcategory = dbcon.Quote(upload_category) */ - var/sqltitle = sanitizeSQL(scanner.cache.name) + var/list/sql_args = list("t_title" = scanner.cache.name, "t_author" = scanner.cache.author, "t_content" = scanner.cache.dat, "t_category" = upload_category) //CHOMPEdit TGSQL + /*var/sqltitle = sanitizeSQL(scanner.cache.name) CHOMPEdit TGSQL var/sqlauthor = sanitizeSQL(scanner.cache.author) var/sqlcontent = sanitizeSQL(scanner.cache.dat) - var/sqlcategory = sanitizeSQL(upload_category) - var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO library (author, title, content, category) VALUES ('[sqlauthor]', '[sqltitle]', '[sqlcontent]', '[sqlcategory]')") //CHOMPEdit TGSQL + var/sqlcategory = sanitizeSQL(upload_category)*/ + var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO library (author, title, content, category) VALUES (:t_author, :t_title, :t_content, :t_category)", sql_args) //CHOMPEdit TGSQL if(!query.Execute()) to_chat(usr,query.ErrorMsg()) else log_game("[usr.name]/[usr.key] has uploaded the book titled [scanner.cache.name], [length(scanner.cache.dat)] signs") alert("Upload Complete.") + qdel(query) //CHOMPEdit TGSQL //VOREStation Edit End if(href_list["targetid"]) @@ -451,6 +462,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f B.item_state = B.icon_state src.visible_message("[src]'s printer hums as it produces a completely bound book. How did it do that?") break + qdel(query) //CHOMPEdit TGSQL if(href_list["orderbyid"]) var/orderid = input("Enter your order:") as num|null if(orderid) diff --git a/code/modules/mob/new_player/new_player.dm b/code/modules/mob/new_player/new_player.dm index de42f04e51..7fa2f23b6f 100644 --- a/code/modules/mob/new_player/new_player.dm +++ b/code/modules/mob/new_player/new_player.dm 
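Review bot: The superseded sanitising code is kept as a block comment (`/*var/sqltitle = sanitizeSQL(scanner.cache.name) ... sqlcategory = sanitizeSQL(upload_category)*/`) directly under an older `dbcon.Quote` block that was already commented out, so the upload handler now carries two generations of dead code; delete it rather than comment it out — version control keeps the history and the `//CHOMPEdit TGSQL` marker on the live line is trail enough. Also, the unchanged `to_chat(usr,query.ErrorMsg())` on failure echoes the raw driver error to whoever pressed the upload button, and such messages may name tables and columns; prefer `log_debug(query.ErrorMsg())` plus a generic `to_chat(usr, "Upload failed.")`. The enclosing `Topic` handler begins outside the hunk.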
@@ -50,13 +50,13 @@ var/isadmin = 0 if(src.client && src.client.holder) isadmin = 1 - var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_poll_question WHERE [(isadmin ? "" : "adminonly = false AND")] Now() BETWEEN starttime AND endtime AND id NOT IN (SELECT pollid FROM erro_poll_vote WHERE ckey = \"[ckey]\") AND id NOT IN (SELECT pollid FROM erro_poll_textreply WHERE ckey = \"[ckey]\")") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_poll_question WHERE [(isadmin ? "" : "adminonly = false AND")] Now() BETWEEN starttime AND endtime AND id NOT IN (SELECT pollid FROM erro_poll_vote WHERE ckey = :t_ckey) AND id NOT IN (SELECT pollid FROM erro_poll_textreply WHERE ckey = :t_ckey)",list("t_ckey" = ckey)) //CHOMPEdit TGSQL query.Execute() var/newpoll = 0 while(query.NextRow()) newpoll = 1 break - + qdel(query) //CHOMPEdit TGSQL if(newpoll) output += "

Show Player Polls (NEW!)

" else @@ -221,12 +221,12 @@ var/voted = 0 //First check if the person has not voted yet. - var/DBQuery/query = SSdbcore.NewQuery("SELECT * FROM erro_privacy WHERE ckey='[src.ckey]'") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("SELECT * FROM erro_privacy WHERE ckey=:t_ckey", list("t_ckey" = src.ckey)) //CHOMPEdit TGSQL query.Execute() while(query.NextRow()) voted = 1 break - + qdel(query) //CHOMPEdit TGSQL //This is a safety switch, so only valid options pass through var/option = "UNKNOWN" switch(href_list["privacy_poll"]) @@ -246,10 +246,12 @@ return if(!voted) - var/sql = "INSERT INTO erro_privacy VALUES (null, Now(), '[src.ckey]', '[option]')" - var/DBQuery/query_insert = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL + var/list/sqlargs = list("t_ckey" = src.ckey, "t_option" = "[option]") //CHOMPEdit TGSQL + var/sql = "INSERT INTO erro_privacy VALUES (null, Now(), :t_ckey, :t_option)" //CHOMPEdit TGSQL + var/DBQuery/query_insert = SSdbcore.NewQuery(sql,sqlargs) //CHOMPEdit TGSQL query_insert.Execute() to_chat(usr, "Thank you for your vote!") + qdel(query_insert) usr << browse(null,"window=privacypoll") if(!ready && href_list["preference"]) diff --git a/code/modules/mob/new_player/poll.dm b/code/modules/mob/new_player/poll.dm index a245925939..41417a63e2 100644 --- a/code/modules/mob/new_player/poll.dm +++ b/code/modules/mob/new_player/poll.dm @@ -5,12 +5,12 @@ return var/voted = 0 - var/DBQuery/query = SSdbcore.NewQuery("SELECT * FROM erro_privacy WHERE ckey='[src.ckey]'") //CHOMPEdit TGSQL + var/DBQuery/query = SSdbcore.NewQuery("SELECT * FROM erro_privacy WHERE ckey=:t_ckey", list("t_ckey" = src.ckey)) //CHOMPEdit TGSQL query.Execute() while(query.NextRow()) voted = 1 break - + qdel(query) //CHOMPEdit TGSQL if(!voted) privacy_poll() @@ -72,7 +72,7 @@ pollquestion = select_query.item[2] output += "[pollquestion]" i++ - + qdel(select_query) //CHOMPEdit TGSQL output += "" src << browse(output,"window=playerpolllist;size=500x300") 
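Review bot: `query_insert.Execute()` is fired and then "Thank you for your vote!" is sent and the window closed regardless of the result, so a rejected or failed insert is reported to the player as a recorded vote; the same pattern is in poll.dm at `@@ -399` and `@@ -519` ("Vote successful.") and `@@ -457` ("Feedback logging successful."). Branch on the result — `if(query_insert.Execute())` before the `to_chat`, with an `else` that calls `log_debug("Error during privacy poll vote: " + query_insert.ErrorMsg())` and tells the player the vote was not recorded — and move `qdel(query_insert)` after the branch. The enclosing `Topic` proc starts outside the hunk.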
@@ -101,7 +101,7 @@ polltype = select_query.item[4] found = 1 break - + qdel(select_query) //CHOMPEdit TGSQL if(!found) to_chat(usr, "Poll question details not found.") return @@ -109,7 +109,7 @@ switch(polltype) //Polls that have enumerated options if("OPTION") - var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT optionid FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL + var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT optionid FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL voted_query.Execute() var/voted = 0 @@ -118,7 +118,7 @@ votedoptionid = text2num(voted_query.item[1]) voted = 1 break - + qdel(voted_query) //CHOMPEdit TGSQL var/list/datum/polloption/options = list() var/DBQuery/options_query = SSdbcore.NewQuery("SELECT id, text FROM erro_poll_option WHERE pollid = [pollid]") //CHOMPEdit TGSQL @@ -128,7 +128,7 @@ PO.optionid = text2num(options_query.item[1]) PO.optiontext = options_query.item[2] options += PO - + qdel(options_query) //CHOMPEdit TGSQL var/output = "
Player poll" output +="
" output += "Question: [pollquestion]
" @@ -162,7 +162,7 @@ //Polls with a text input if("TEXT") - var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT replytext FROM erro_poll_textreply WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL + var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT replytext FROM erro_poll_textreply WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL voted_query.Execute() var/voted = 0 @@ -171,7 +171,7 @@ vote_text = voted_query.item[1] voted = 1 break - + qdel(voted_query) //CHOMPEdit TGSQL var/output = "
Player poll" output +="
" @@ -204,7 +204,7 @@ //Polls with a text input if("NUMVAL") - var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT o.text, v.rating FROM erro_poll_option o, erro_poll_vote v WHERE o.pollid = [pollid] AND v.ckey = '[usr.ckey]' AND o.id = v.optionid") //CHOMPEdit TGSQL + var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT o.text, v.rating FROM erro_poll_option o, erro_poll_vote v WHERE o.pollid = [pollid] AND v.ckey = :t_ckey AND o.id = v.optionid", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL voted_query.Execute() var/output = "
Player poll" @@ -220,7 +220,7 @@ var/rating = voted_query.item[2] output += "
[optiontext] - [rating]" - + qdel(voted_query) //CHOMPEdit TGSQL if(!voted) //Only make this a form if we have not voted yet output += "
" output += "" @@ -264,7 +264,7 @@ output += "" output += "" - + qdel(option_query) //CHOMPEdit TGSQL output += "" output += "" @@ -273,7 +273,7 @@ src << browse(output,"window=playerpoll;size=500x500") if("MULTICHOICE") - var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT optionid FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL + var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT optionid FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL voted_query.Execute() var/list/votedfor = list() @@ -281,7 +281,7 @@ while(voted_query.NextRow()) votedfor.Add(text2num(voted_query.item[1])) voted = 1 - + qdel(voted_query) //CHOMPEdit TGSQL var/list/datum/polloption/options = list() var/maxoptionid = 0 var/minoptionid = 0 @@ -297,7 +297,7 @@ if(PO.optionid < minoptionid || !minoptionid) minoptionid = PO.optionid options += PO - + qdel(options_query) //CHOMPEdit TGSQL if(select_query.item[5]) multiplechoiceoptions = text2num(select_query.item[5]) @@ -358,7 +358,7 @@ if(select_query.item[5]) multiplechoiceoptions = text2num(select_query.item[5]) break - + qdel(select_query) //CHOMPEdit TGSQL if(!validpoll) to_chat(usr, "Poll is not valid.") return @@ -378,14 +378,14 @@ var/alreadyvoted = 0 - var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL + var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL voted_query.Execute() while(voted_query.NextRow()) alreadyvoted += 1 if(!multichoice) break - + qdel(voted_query) //CHOMPEdit TGSQL if(!multichoice && alreadyvoted) to_chat(usr, "You already voted in this poll.") return 
@@ -399,10 +399,11 @@ adminrank = usr.client.holder.rank - var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_vote (id ,datetime ,pollid ,optionid ,ckey ,ip ,adminrank) VALUES (null, Now(), [pollid], [optionid], '[usr.ckey]', '[usr.client.address]', '[adminrank]')") //CHOMPEdit TGSQL + var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_vote (id ,datetime ,pollid ,optionid ,ckey ,ip ,adminrank) VALUES (null, Now(), [pollid], [optionid], :t_ckey, '[usr.client.address]', '[adminrank]')", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL insert_query.Execute() to_chat(usr, "Vote successful.") + qdel(insert_query) //CHOMPEdit TGSQL usr << browse(null,"window=playerpoll") @@ -425,20 +426,20 @@ return validpoll = 1 break - + qdel(select_query) //CHOMPEdit TGSQL if(!validpoll) to_chat(usr, "Poll is not valid.") return var/alreadyvoted = 0 - var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_textreply WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL + var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_textreply WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL voted_query.Execute() while(voted_query.NextRow()) alreadyvoted = 1 break - + qdel(voted_query) //CHOMPEdit TGSQL if(alreadyvoted) to_chat(usr, "You already sent your feedback for this poll.") return 
@@ -457,10 +458,11 @@ to_chat(usr, "The text you entered was blank, contained illegal characters or was too long. Please correct the text and submit again.") return - var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_textreply (id ,datetime ,pollid ,ckey ,ip ,replytext ,adminrank) VALUES (null, Now(), [pollid], '[usr.ckey]', '[usr.client.address]', '[replytext]', '[adminrank]')") //CHOMPEdit TGSQL + var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_textreply (id ,datetime ,pollid ,ckey ,ip ,replytext ,adminrank) VALUES (null, Now(), [pollid], :t_ckey, '[usr.client.address]', :t_reply, '[adminrank]')", list("t_ckey" = usr.ckey, "t_reply" = replytext)) //CHOMPEdit TGSQL insert_query.Execute() to_chat(usr, "Feedback logging successful.") + qdel(insert_query) //CHOMPEdit TGSQL usr << browse(null,"window=playerpoll") @@ -483,7 +485,7 @@ return validpoll = 1 break - + qdel(select_query) //CHOMPEdit TGSQL if(!validpoll) to_chat(usr, "Poll is not valid.") return @@ -496,20 +498,20 @@ while(select_query2.NextRow()) validoption = 1 break - + qdel(select_query2) //CHOMPEdit TGSQL if(!validoption) to_chat(usr, "Poll option is not valid.") return var/alreadyvoted = 0 - var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_vote WHERE optionid = [optionid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL + var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_vote WHERE optionid = [optionid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL voted_query.Execute() while(voted_query.NextRow()) alreadyvoted = 1 break - + qdel(voted_query) //CHOMPEdit TGSQL if(alreadyvoted) to_chat(usr, "You already voted in this poll.") return 
@@ -519,8 +521,9 @@ adminrank = usr.client.holder.rank - var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_vote (id ,datetime ,pollid ,optionid ,ckey ,ip ,adminrank, rating) VALUES (null, Now(), [pollid], [optionid], '[usr.ckey]', '[usr.client.address]', '[adminrank]', [(isnull(rating)) ? "null" : rating])") //CHOMPEdit TGSQL + var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_vote (id ,datetime ,pollid ,optionid ,ckey ,ip ,adminrank, rating) VALUES (null, Now(), [pollid], [optionid], '[usr.ckey]', '[usr.client.address]', '[adminrank]', :t_rating)", list("t_ckey" = usr.ckey, "t_rating" = rating)) //CHOMPEdit TGSQL insert_query.Execute() to_chat(usr, "Vote successful.") + qdel(insert_query) //CHOMPEdit TGSQL usr << browse(null,"window=playerpoll") \ No newline at end of file diff --git a/code/modules/research/message_server.dm b/code/modules/research/message_server.dm index 4f72f92516..2dcb5ef771 100644 --- a/code/modules/research/message_server.dm +++ b/code/modules/research/message_server.dm 
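Review bot: The `+` line adds `"t_ckey" = usr.ckey` to the argument list but the statement still says `'[usr.ckey]'`, so the bound parameter is never referenced and the ckey continues to be interpolated; change the VALUES list to `..., [optionid], :t_ckey, '[usr.client.address]', '[adminrank]', :t_rating)` (and, for consistency with the rest of the commit, bind the address and rank too). `rating` was previously emitted as the literal `null` when `isnull(rating)`; with `:t_rating` that now depends on the argument list mapping a null value to SQL NULL — confirm `NewQuery` does, otherwise votes without a rating would fail. `[pollid]` and `[optionid]` remain interpolated throughout poll.dm, which is acceptable only if they are coerced with `text2num` where they are read, outside these hunks. The enclosing proc begins outside the hunk.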
@@ -353,17 +353,19 @@ var/obj/machinery/blackbox_recorder/blackbox query.Execute() while(query.NextRow()) round_id = query.item[1] - + qdel(query) //CHOMPEdit TGSQL if(!isnum(round_id)) round_id = text2num(round_id) round_id++ for(var/datum/feedback_variable/FV in feedback) - var/sql = "INSERT INTO erro_feedback VALUES (null, Now(), [round_id], \"[FV.get_variable()]\", [FV.get_value()], \"[FV.get_details()]\")" - var/DBQuery/query_insert = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL + var/list/sqlargs = list("t_roundid" = round_id, "t_variable" = "[FV.get_variable()]", "t_value" = "[FV.get_value()]", "t_details" = "[FV.get_details()]") //CHOMPEdit TGSQL + var/sql = "INSERT INTO erro_feedback VALUES (null, Now(), :t_roundid, :t_variable, :t_value, :t_details)" //CHOMPEdit TGSQL + var/DBQuery/query_insert = SSdbcore.NewQuery(sql, sqlargs) //CHOMPEdit TGSQL query_insert.Execute() + qdel(query_insert) //CHOMPEdit TGSQL -// Sanitize inputs to avoid SQL injection attacks +// Sanitize inputs to avoid SQL injection attacks //CHOMPEdit NOTE: This is not secure. Basic filters like this are pretty easy to bypass. Use the format for arguments used in the above. proc/sql_sanitize_text(var/text) text = replacetext(text, "'", "''") text = replacetext(text, ";", "") diff --git a/code/modules/tgs/v5/chat_commands.dm b/code/modules/tgs/v5/chat_commands.dm index ae8819519d..7c93526178 100644 --- a/code/modules/tgs/v5/chat_commands.dm +++ b/code/modules/tgs/v5/chat_commands.dm 
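Review bot: `"t_value" = "[FV.get_value()]"` wraps the feedback value in a text string, whereas the removed SQL passed `[FV.get_value()]` unquoted as a numeric literal (the variable and details columns were quoted, the value was not). If the value column is numeric, bind the number itself, `"t_value" = FV.get_value()`, rather than relying on the server's string-to-number coercion, which is stricter under `sql_mode=STRICT_*`. The round-id lookup above it still does not check `query.Execute()`, so on a failed query the `while` never runs and `round_id` is left as initialised above the hunk; that line is context here, but a `log_debug` on failure would be cheap. The rewritten `sql_sanitize_text` comment is a good addition; consider naming `SSdbcore.NewQuery` in it so readers know where "the format used in the above" lives.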
@@ -71,12 +71,13 @@ GLOBAL_LIST_EMPTY(pending_discord_registrations)
 /datum/tgs_chat_command/register/Run(datum/tgs_chat_user/sender, params) // Try to find if that ID is registered to someone already
- var/sql_discord = sql_sanitize_text(sender.id)
- var/DBQuery/query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE discord_id = '[sql_discord]'") //CHOMPEdit TGSQL
+ //var/sql_discord = sql_sanitize_text(sender.id) //CHOMPEdit TGSQL
+ var/DBQuery/query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE discord_id = :t_discord", list("t_discord"=sender.id)) //CHOMPEdit TGSQL
 query.Execute()
 if(query.NextRow())
+ qdel(query) //CHOMPEdit TGSQL
 return "[sender.friendly_name], your Discord ID is already registered to a Byond username. Please contact an administrator if you changed your Byond username or Discord ID."
-
+ qdel(query) //CHOMPEdit TGSQL
 var/key_to_find = "[ckey(params)]" // They didn't provide anything worth looking up.
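Review bot: The retired `sql_sanitize_text(sender.id)` line is kept as a comment (`//var/sql_discord = sql_sanitize_text(sender.id) //CHOMPEdit TGSQL`) instead of being deleted, the same dead-code pattern as the `@@ -94` hunk below and lib_machines.dm `@@ -411`; remove the line, the marker on the replacement already documents the change. `query.Execute()` is still unchecked: if the database is unreachable, `NextRow()` is false and the command proceeds as though the Discord ID were unregistered, so `if(!query.Execute())` should return the same "database is either not responding" message the later hunk uses. The `Run` proc presumably continues past this hunk.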
@@ -94,18 +95,20 @@ GLOBAL_LIST_EMPTY(pending_discord_registrations) if(!user) return "[sender.friendly_name], I couldn't find a logged-in user with the username of '[key_to_find]', which is what you provided after conversion to Byond's ckey format. Please connect to the game server and try again." - var/sql_ckey = sql_sanitize_text(key_to_find) - query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL - query.Execute() + //var/sql_ckey = sql_sanitize_text(key_to_find) //CHOMPEdit TGSQL + var/DBQuery/query2 = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE ckey = :t_ckey",list("t_ckey" = key_to_find)) //CHOMPEdit TGSQL + query2.Execute() //CHOMPEdit TGSQL // We somehow found their client, BUT they don't exist in the database - if(!query.NextRow()) + if(!query2.NextRow()) //CHOMPEdit TGSQL + qdel(query2) //CHOMPEdit TGSQL return "[sender.friendly_name], the server's database is either not responding or there's no evidence you've ever logged in. Please contact an administrator." // We found them in the database, AND they already have a discord ID assigned - if(query.item[1]) + if(query2.item[1]) //CHOMPEdit TGSQL + qdel(query2) //CHOMPEdit TGSQL return "[sender.friendly_name], it appears you've already registered your chat and game IDs. If you've changed game or chat usernames, please contact an administrator for help." - + qdel(query2) //CHOMPEdit TGSQL // Okay. We found them, they're in the DB, and they have no discord ID set. var/message = "A request has been sent from Discord to validate your Byond username, by '[sender.friendly_name]' in '[sender.channel.friendly_name]'\
If you did not send this request, do not click the link below, and do notify an administrator in-game or on Discord ASAP.\