Implementing TGSQL security

code/modules/admin/DB ban/functions.dm

@@ -44,11 +44,12 @@ datum/admins/proc/DB_ban_record(var/bantype, var/mob/banned_mob, var/duration =
 		computerid = bancid
 		ip = banip
 
-	var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_player WHERE ckey = '[ckey]'") //CHOMPEdit TGSQL
+	var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_player WHERE ckey = :t_ckey", list("t_ckey",ckey)) //CHOMPEdit TGSQL
 	query.Execute()
 	var/validckey = 0
 	if(query.NextRow())
 		validckey = 1
+	qdel(query) //CHOMPEdit TGSQL
 	if(!validckey)
 		if(!banned_mob || (banned_mob && !IsGuestKey(banned_mob.key))) //VOREStation Edit Start.
 			var/confirm = alert(usr, "This ckey hasn't been seen, are you sure?", "Confirm Badmin" , "Yes", "No")
@@ -79,13 +80,14 @@ datum/admins/proc/DB_ban_record(var/bantype, var/mob/banned_mob, var/duration =
 			adminwho += ", [C]"
 
 	reason = sql_sanitize_text(reason)
-
-	var/sql = "INSERT INTO erro_ban (`id`,`bantime`,`serverip`,`bantype`,`reason`,`job`,`duration`,`rounds`,`expiration_time`,`ckey`,`computerid`,`ip`,`a_ckey`,`a_computerid`,`a_ip`,`who`,`adminwho`,`edits`,`unbanned`,`unbanned_datetime`,`unbanned_ckey`,`unbanned_computerid`,`unbanned_ip`) VALUES (null, Now(), '[serverip]', '[bantype_str]', '[reason]', '[job]', [(duration)?"[duration]":"0"], [(rounds)?"[rounds]":"0"], Now() + INTERVAL [(duration>0) ? duration : 0] MINUTE, '[ckey]', '[computerid]', '[ip]', '[a_ckey]', '[a_computerid]', '[a_ip]', '[who]', '[adminwho]', '', null, null, null, null, null)"
-	var/DBQuery/query_insert = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL
+	var/list/sqlargs = list("t_bantype" = bantype_str, "t_reason" = reason, "t_job" = job, "t_ckey" = ckey, "t_a_ckey" = a_ckey, "t_who" = who, "t_adminwho" = adminwho) //CHOMPEdit TGSQL
+	var/sql = "INSERT INTO erro_ban (`id`,`bantime`,`serverip`,`bantype`,`reason`,`job`,`duration`,`rounds`,`expiration_time`,`ckey`,`computerid`,`ip`,`a_ckey`,`a_computerid`,`a_ip`,`who`,`adminwho`,`edits`,`unbanned`,`unbanned_datetime`,`unbanned_ckey`,`unbanned_computerid`,`unbanned_ip`) VALUES (null, Now(), '[serverip]', :t_bantype, :t_reason, :t_job, [(duration)?"[duration]":"0"], [(rounds)?"[rounds]":"0"], Now() + INTERVAL [(duration>0) ? duration : 0] MINUTE, :t_ckey, '[computerid]', '[ip]', :t_a_ckey, '[a_computerid]', '[a_ip]', :t_who, :t_adminwho, '', null, null, null, null, null)" //CHOMPEdit TGSQL
+	
+	var/DBQuery/query_insert = SSdbcore.NewQuery(sql,sqlargs) //CHOMPEdit TGSQL
 	query_insert.Execute()
 	to_chat(usr, "<span class='filter_adminlog'><font color='blue'>Ban saved to database.</font></span>")
 	message_admins("[key_name_admin(usr)] has added a [bantype_str] for [ckey] [(job)?"([job])":""] [(duration > 0)?"([duration] minutes)":""] with the reason: \"[reason]\" to the ban database.",1)
-
+	qdel(query_insert) //CHOMPEdit TGSQL
 
 
 datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "")
@@ -119,7 +121,7 @@ datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "")
 	else
 		bantype_sql = "bantype = '[bantype_str]'"
 
-	var/sql = "SELECT id FROM erro_ban WHERE ckey = '[ckey]' AND [bantype_sql] AND (unbanned is null OR unbanned = false)"
+	var/sql = "SELECT id FROM erro_ban WHERE ckey = :t_ckey AND [bantype_sql] AND (unbanned is null OR unbanned = false)" //CHOMPEdit TGSQL
 	if(job)
 		sql += " AND job = '[job]'"
 
@@ -130,12 +132,12 @@ datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "")
 	var/ban_id
 	var/ban_number = 0 //failsafe
 
-	var/DBQuery/query = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL
+	var/DBQuery/query = SSdbcore.NewQuery(sql, list("t_ckey" = ckey)) //CHOMPEdit TGSQL
 	query.Execute()
 	while(query.NextRow())
 		ban_id = query.item[1]
 		ban_number++;
-
+	qdel(query) //CHOMPEdit TGSQL
 	if(ban_number == 0)
 		to_chat(usr, "<span class='filter_adminlog'><font color='red'>Database update failed due to no bans fitting the search criteria. If this is not a legacy ban you should contact the database admin.</font></span>")
 		return
@@ -175,7 +177,7 @@ datum/admins/proc/DB_ban_edit(var/banid = null, var/param = null)
 	else
 		to_chat(usr, "<span class='filter_adminlog'>Invalid ban id. Contact the database admin</span>")
 		return
-
+	qdel(query) //CHOMPEdit TGSQL
 	reason = sql_sanitize_text(reason)
 	var/value
 
@@ -187,20 +189,22 @@ datum/admins/proc/DB_ban_edit(var/banid = null, var/param = null)
 				if(!value)
 					to_chat(usr, "Cancelled")
 					return
-
-			var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET reason = '[value]', edits = CONCAT(edits,'- [eckey] changed ban reason from <cite><b>\\\"[reason]\\\"</b></cite> to <cite><b>\\\"[value]\\\"</b></cite><BR>') WHERE id = [banid]") //CHOMPEdit TGSQL
+			var/list/sqlargs = list("t_reason" = value, "t_edits" = "- [eckey] changed ban reason from <cite><b>\\\"[reason]\\\"</b></cite> to <cite><b>\\\"[value]\\\"</b></cite><BR>") //CHOMPEdit TGSQL
+			var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET reason = '[value]', edits = CONCAT(edits,:t_edits) WHERE id = [banid]", sqlargs) //CHOMPEdit TGSQL
 			update_query.Execute()
 			message_admins("[key_name_admin(usr)] has edited a ban for [pckey]'s reason from [reason] to [value]",1)
+			qdel(update_query) //CHOMPEdit TGSQL
 		if("duration")
 			if(!value)
 				value = input("Insert the new duration (in minutes) for [pckey]'s ban", "New Duration", "[duration]", null) as null|num
 				if(!isnum(value) || !value)
 					to_chat(usr, "Cancelled")
 					return
-
-			var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET duration = [value], edits = CONCAT(edits,'- [eckey] changed ban duration from [duration] to [value]<br>'), expiration_time = DATE_ADD(bantime, INTERVAL [value] MINUTE) WHERE id = [banid]") //CHOMPEdit TGSQL
+			var/list/sqlargs = list("t_edits" = "- [eckey] changed ban duration from [duration] to [value]<br>") //CHOMPEdit TGSQL
+			var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET duration = [value], edits = CONCAT(edits,:t_edits), expiration_time = DATE_ADD(bantime, INTERVAL [value] MINUTE) WHERE id = [banid]",sqlargs) //CHOMPEdit TGSQL
 			message_admins("[key_name_admin(usr)] has edited a ban for [pckey]'s duration from [duration] to [value]",1)
 			update_query.Execute()
+			qdel(update_query) //CHOMPEdit TGSQL
 		if("unban")
 			if(alert("Unban [pckey]?", "Unban?", "Yes", "No") == "Yes")
 				DB_ban_unban_by_id(banid)
@@ -226,7 +230,7 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 	while(query.NextRow())
 		pckey = query.item[1]
 		ban_number++;
-
+	qdel(query) //CHOMPEdit TGSQL
 	if(ban_number == 0)
 		to_chat(usr, "<span class='filter_adminlog'><font color='red'>Database update failed due to a ban id not being present in the database.</font></span>")
 		return
@@ -241,13 +245,13 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 	var/unban_ckey = src.owner:ckey
 	var/unban_computerid = src.owner:computer_id
 	var/unban_ip = src.owner:address
-
-	var/sql_update = "UPDATE erro_ban SET unbanned = 1, unbanned_datetime = Now(), unbanned_ckey = '[unban_ckey]', unbanned_computerid = '[unban_computerid]', unbanned_ip = '[unban_ip]' WHERE id = [id]"
+	var/list/sqlargs = list("t_ckey" = unban_ckey) //CHOMPEdit TGSQL
+	var/sql_update = "UPDATE erro_ban SET unbanned = 1, unbanned_datetime = Now(), unbanned_ckey = :t_ckey, unbanned_computerid = '[unban_computerid]', unbanned_ip = '[unban_ip]' WHERE id = [id]" //CHOMPEdit TGSQL
 	message_admins("[key_name_admin(usr)] has lifted [pckey]'s ban.",1)
 
-	var/DBQuery/query_update = SSdbcore.NewQuery(sql_update) //CHOMPEdit TGSQL
+	var/DBQuery/query_update = SSdbcore.NewQuery(sql_update,sqlargs) //CHOMPEdit TGSQL
 	query_update.Execute()
-
+	qdel(query_update) //CHOMPEdit TGSQL
 
 /client/proc/DB_ban_panel()
 	set category = "Admin"
@@ -363,21 +367,26 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 			var/ipsearch = ""
 			var/cidsearch = ""
 			var/bantypesearch = ""
-
+			//CHOMPEdit Begin
+			var/list/sqlargs = list() 
 			if(!match)
 				if(adminckey)
-					adminsearch = "AND a_ckey = '[adminckey]' "
+					adminsearch = "AND a_ckey = :t_adminckey "
+					sqlargs["t_adminckey"] = adminckey
 				if(playerckey)
-					playersearch = "AND ckey = '[playerckey]' "
+					playersearch = "AND ckey = :t_playerckey "
+					sqlargs["t_playerckey"] = playerckey //CHOMPEdit End
 				if(playerip)
 					ipsearch  = "AND ip = '[playerip]' "
 				if(playercid)
 					cidsearch  = "AND computerid = '[playercid]' "
 			else
-				if(adminckey && length(adminckey) >= 3)
-					adminsearch = "AND a_ckey LIKE '[adminckey]%' "
+				if(adminckey && length(adminckey) >= 3) //CHOMPEdit Begin
+					adminsearch = "AND a_ckey LIKE CONCAT(:t_adminckey,'%') "
+					sqlargs["t_adminckey"] = adminckey
 				if(playerckey && length(playerckey) >= 3)
-					playersearch = "AND ckey LIKE '[playerckey]%' "
+					playersearch = "AND ckey LIKE CONCAT(:t_playerckey,'%') "
+					sqlargs["t_playerckey"] = playerckey //CHOMPEdit End
 				if(playerip && length(playerip) >= 3)
 					ipsearch  = "AND ip LIKE '[playerip]%' "
 				if(playercid && length(playercid) >= 7)
@@ -396,7 +405,7 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 					else
 						bantypesearch += "'PERMABAN' "
 
-			var/DBQuery/select_query = SSdbcore.NewQuery("SELECT id, bantime, bantype, reason, job, duration, expiration_time, ckey, a_ckey, unbanned, unbanned_ckey, unbanned_datetime, edits, ip, computerid FROM erro_ban WHERE 1 [playersearch] [adminsearch] [ipsearch] [cidsearch] [bantypesearch] ORDER BY bantime DESC LIMIT 100") //CHOMPEdit TGSQL
+			var/DBQuery/select_query = SSdbcore.NewQuery("SELECT id, bantime, bantype, reason, job, duration, expiration_time, ckey, a_ckey, unbanned, unbanned_ckey, unbanned_datetime, edits, ip, computerid FROM erro_ban WHERE 1 [playersearch] [adminsearch] [ipsearch] [cidsearch] [bantypesearch] ORDER BY bantime DESC LIMIT 100", sqlargs) //CHOMPEdit TGSQL
 			select_query.Execute()
 
 			var/now = time2text(world.realtime, "YYYY-MM-DD hh:mm:ss") // MUST BE the same format as SQL gives us the dates in, and MUST be least to most specific (i.e. year, month, day not day, month, year)
@@ -475,5 +484,6 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 				output += "</tr>"
 
 			output += "</table></div>"
+			qdel(select_query) //CHOMPEdit TGSQL
 
 	usr << browse(output,"window=lookupbans;size=900x700")

code/modules/admin/IsBanned.dm

@@ -52,7 +52,7 @@ world/IsBanned(key,address,computer_id)
 			failedcid = 0
 			cidquery = " OR computerid = '[computer_id]' "
 
-		var/DBQuery/query = SSdbcore.NewQuery("SELECT ckey, ip, computerid, a_ckey, reason, expiration_time, duration, bantime, bantype FROM erro_ban WHERE (ckey = '[ckeytext]' [ipquery] [cidquery]) AND (bantype = 'PERMABAN'  OR (bantype = 'TEMPBAN' AND expiration_time > Now())) AND isnull(unbanned)") //CHOMPEdit TGSQL
+		var/DBQuery/query = SSdbcore.NewQuery("SELECT ckey, ip, computerid, a_ckey, reason, expiration_time, duration, bantime, bantype FROM erro_ban WHERE (ckey = :t_ckey [ipquery] [cidquery]) AND (bantype = 'PERMABAN'  OR (bantype = 'TEMPBAN' AND expiration_time > Now())) AND isnull(unbanned)", list("t_ckey" = ckeytext)) //CHOMPEdit TGSQL
 
 		query.Execute()
 
@@ -72,9 +72,9 @@ world/IsBanned(key,address,computer_id)
 				expires = " The ban is for [duration] minutes and expires on [expiration] (server time)."
 
 			var/desc = "\nReason: You, or another user of this computer or connection ([pckey]) is banned from playing here. The ban reason is:\n[reason]\nThis ban was applied by [ackey] on [bantime], [expires]"
-
+			qdel(query) //CHOMPEdit TGSQL
 			return list("reason"="[bantype]", "desc"="[desc]")
-
+		qdel(query) //CHOMPEdit TGSQL
 		if (failedcid)
 			message_admins("[key] has logged in with a blank computer id in the ban check.")
 		if (failedip)

code/modules/admin/admin_ranks.dm

@@ -135,6 +135,7 @@ var/list/admin_ranks = list()								//list of all ranks with associated rights
 
 			//find the client for a ckey if they are connected and associate them with the new admin datum
 			D.associate(GLOB.directory[ckey])
+		qdel(query) //CHOMPEdit TGSQL
 		if(!admin_datums)
 			error("The database query in load_admins() resulted in no admins being added to the list. Reverting to legacy system.")
 			log_misc("The database query in load_admins() resulted in no admins being added to the list. Reverting to legacy system.")

code/modules/admin/admin_tools.dm

@@ -45,7 +45,7 @@
 	//CHOMPEdit Begin
 	/*for(var/d in M.dialogue_log)
 		dat += "[d]<br>"*/
-	var/DBQuery/query = SSdbcore.NewQuery("SELECT mid,time,ckey,mob,type,message from erro_dialog WHERE ckey = '[M.ckey]'")
+	var/DBQuery/query = SSdbcore.NewQuery("SELECT mid,time,ckey,mob,type,message from erro_dialog WHERE ckey = :t_ckey", list("t_ckey" = M.ckey))
 	if(!query.Execute())
 		dat += "<i>Database query error</i>"
 	else
@@ -59,6 +59,7 @@
 			dat += "<fieldset style='border: 2px solid white; display: inline'>"
 			dat += messages
 			dat += "</fieldset>"
+	qdel(query)
 	//CHOMPEdit End
 	var/datum/browser/popup = new(usr, "admin_dialogue_log", "[src]", 650, 650, src)
 	popup.set_content(jointext(dat,null))

code/modules/admin/banjob.dm

@@ -85,7 +85,7 @@ DEBUG
 			var/job = query.item[2]
 
 			jobban_keylist.Add("[ckey] - [job]")
-
+		qdel(query) //CHOMPEdit TGSQL
 		//Job tempbans
 		var/DBQuery/query1 = SSdbcore.NewQuery("SELECT ckey, job FROM erro_ban WHERE bantype = 'JOB_TEMPBAN' AND isnull(unbanned) AND expiration_time > Now()") //CHOMPEdit TGSQL
 		query1.Execute()
@@ -95,6 +95,7 @@ DEBUG
 			var/job = query1.item[2]
 
 			jobban_keylist.Add("[ckey] - [job]")
+		qdel(query1) //CHOMPEdit TGSQL
 
 /proc/jobban_savebanfile()
 	var/savefile/S=new("data/job_full.ban")

code/modules/admin/permissionverbs/permissionedit.dm

@@ -79,19 +79,23 @@
 	while(select_query.NextRow())
 		new_admin = 0
 		admin_id = text2num(select_query.item[1])
-
+	qdel(select_query) //CHOMPEdit TGSQL
 	if(new_admin)
 		var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO `erro_admin` (`id`, `ckey`, `rank`, `level`, `flags`) VALUES (null, '[adm_ckey]', '[new_rank]', -1, 0)") //CHOMPEdit TGSQL
 		insert_query.Execute()
+		qdel(insert_query) //CHOMPEdit TGSQL
 		var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Added new admin [adm_ckey] to rank [new_rank]');") //CHOMPEdit TGSQL
 		log_query.Execute()
+		qdel(log_query) //CHOMPEdit TGSQL
 		to_chat(usr, "<span class='filter_adminlog'><font color='blue'>New admin added.</font></span>")
 	else
 		if(!isnull(admin_id) && isnum(admin_id))
 			var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET rank = '[new_rank]' WHERE id = [admin_id]") //CHOMPEdit TGSQL
 			insert_query.Execute()
+			qdel(insert_query) //CHOMPEdit TGSQL
 			var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Edited the rank of [adm_ckey] to [new_rank]');") //CHOMPEdit TGSQL
 			log_query.Execute()
+			qdel(log_query) //CHOMPEdit TGSQL
 			to_chat(usr, "<span class='filter_adminlog'><font color='blue'>Admin rank changed.</font></span>")
 
 /datum/admins/proc/log_admin_permission_modification(var/adm_ckey, var/new_permission)
@@ -131,19 +135,23 @@
 	while(select_query.NextRow())
 		admin_id = text2num(select_query.item[1])
 		admin_rights = text2num(select_query.item[2])
-
+	qdel(select_query) //CHOMPEdit TGSQL
 	if(!admin_id)
 		return
 
 	if(admin_rights & new_permission) //This admin already has this permission, so we are removing it.
 		var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET flags = [admin_rights & ~new_permission] WHERE id = [admin_id]") //CHOMPEdit TGSQL
 		insert_query.Execute()
+		qdel(insert_query) //CHOMPEdit TGSQL
 		var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Removed permission [rights2text(new_permission)] (flag = [new_permission]) to admin [adm_ckey]');") //CHOMPEdit TGSQL
 		log_query.Execute()
+		qdel(log_query) //CHOMPEdit TGSQL
 		to_chat(usr, "<span class='filter_adminlog'><font color='blue'>Permission removed.</font></span>")
 	else //This admin doesn't have this permission, so we are adding it.
 		var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET flags = '[admin_rights | new_permission]' WHERE id = [admin_id]") //CHOMPEdit TGSQL
 		insert_query.Execute()
+		qdel(insert_query) //CHOMPEdit TGSQL
 		var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Added permission [rights2text(new_permission)] (flag = [new_permission]) to admin [adm_ckey]')") //CHOMPEdit TGSQL
 		log_query.Execute()
+		qdel(log_query) //CHOMPEdit TGSQL
 		to_chat(usr, "<span class='filter_adminlog'><font color='blue'>Permission added.</font></span>")

code/modules/admin/verbs/check_customitem_activity.dm

@@ -63,15 +63,16 @@ var/inactive_keys = "None<br>"
 			if(ckeys_with_customitems.Find(cur_ckey))
 				ckeys_with_customitems.Remove(cur_ckey)
 				inactive_ckeys[cur_ckey] = "last seen on [query_inactive.item[2]]"
+		qdel(query_inactive) //CHOMPEdit TGSQL
 
 	//if there are ckeys left over, check whether they have a database entry at all
 	if(ckeys_with_customitems.len)
 		for(var/cur_ckey in ckeys_with_customitems)
-			var/DBQuery/query_inactive = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE ckey = '[cur_ckey]'") //CHOMPEdit TGSQL
+			var/DBQuery/query_inactive = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE ckey = :t_ckey", list("t_ckey" = cur_ckey)) //CHOMPEdit TGSQL
 			query_inactive.Execute()
 			if(!query_inactive.RowCount())
 				inactive_ckeys += cur_ckey
-
+			qdel(query_inactive) //CHOMPEdit TGSQL
 	if(inactive_ckeys.len)
 		inactive_keys = ""
 		for(var/cur_key in inactive_ckeys)