Implementing TGSQL security

code/_helpers/logging.dm

@@ -65,7 +65,7 @@
 	if (config.log_say)
 		WRITE_LOG(diary, "SAY: [speaker.simple_info_line()]: [html_decode(text)]")
 
-	//Log the message to in-game dialogue logs, as well.
+	//Log the message to in-game dialogue logs, as well. //CHOMPEdit Begin
 	if(speaker.client)
 		//speaker.dialogue_log += "<b>([time_stamp()])</b> (<b>[speaker]/[speaker.client]</b>) <u>SAY:</u> - <span style=\"color:#32cd32\">[text]</span>"
 		if(!SSdbcore.IsConnected())
@@ -75,8 +75,12 @@
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "say", "message_content" = text))
 		if(!query_insert.Execute())
-			log_debug(query_insert.ErrorMsg())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 		//GLOB.round_text_log += "<b>([time_stamp()])</b> (<b>[speaker]/[speaker.client]</b>) <u>SAY:</u> - <span style=\"color:#32cd32\">[text]</span>"
+		//CHOMPEdit End
 
 /proc/log_ooc(text, client/user)
 	if (config.log_ooc)
@@ -87,7 +91,11 @@
 			return null
 	var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 		list("sender_ckey" = user.ckey, "sender_mob" = user.mob.real_name, "message_type" = "ooc", "message_content" = text))
-	query_insert.Execute()
+	if(!query_insert.Execute())
+		log_debug("Error during logging: "+query_insert.ErrorMsg())
+		qdel(query_insert)
+		return
+	qdel(query_insert)
 	//GLOB.round_text_log += "<b>([time_stamp()])</b> (<b>[user]</b>) <u>OOC:</u> - <span style=\"color:blue\"><b>[text]</b></span>"
 
 /proc/log_aooc(text, client/user)
@@ -99,7 +107,11 @@
 			return null
 	var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 		list("sender_ckey" = user.ckey, "sender_mob" = user.mob.real_name, "message_type" = "aooc", "message_content" = text))
-	query_insert.Execute()
+	if(!query_insert.Execute())
+		log_debug("Error during logging: "+query_insert.ErrorMsg())
+		qdel(query_insert)
+		return
+	qdel(query_insert)
 	//GLOB.round_text_log += "<b>([time_stamp()])</b> (<b>[user]</b>) <u>AOOC:</u> - <span style=\"color:red\"><b>[text]</b></span>"
 
 /proc/log_looc(text, client/user)
@@ -111,7 +123,11 @@
 			return null
 	var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 		list("sender_ckey" = user.ckey, "sender_mob" = user.mob.real_name, "message_type" = "looc", "message_content" = text))
-	query_insert.Execute()
+	if(!query_insert.Execute())
+		log_debug("Error during logging: "+query_insert.ErrorMsg())
+		qdel(query_insert)
+		return
+	qdel(query_insert)
 	//GLOB.round_text_log += "<b>([time_stamp()])</b> (<b>[user]</b>) <u>LOOC:</u> - <span style=\"color:orange\"><b>[text]</b></span>"
 
 /proc/log_whisper(text, mob/speaker)
@@ -127,7 +143,11 @@
 				return null
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "whisper", "message_content" = text))
-		query_insert.Execute()
+		if(!query_insert.Execute())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 
 
 /proc/log_emote(text, mob/speaker)
@@ -143,7 +163,11 @@
 				return null
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "emote", "message_content" = text))
-		query_insert.Execute()
+		if(!query_insert.Execute())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 	//CHOMPEdit End
 
 /proc/log_attack(attacker, defender, message)
@@ -173,7 +197,11 @@
 				return null
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "deadsay", "message_content" = text))
-		query_insert.Execute()
+		if(!query_insert.Execute())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 	//speaker.dialogue_log += "<b>([time_stamp()])</b> (<b>[speaker]/[speaker.client]</b>) <u>DEADSAY:</u> - <span style=\"color:green\">[text]</span>"
 	//GLOB.round_text_log += "<font size=1><span style=\"color:#7e668c\"><b>([time_stamp()])</b> (<b>[src]/[speaker.client]</b>) <u>DEADSAY:</u> - [text]</span></font>"
 	//CHOMPEdit End
@@ -189,7 +217,11 @@
 				return null
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "deademote", "message_content" = text))
-		query_insert.Execute()
+		if(!query_insert.Execute())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 	//CHOMPEdit End
 
 /proc/log_adminwarn(text)
@@ -207,7 +239,11 @@
 				return null
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "pda", "message_content" = text))
-		query_insert.Execute()
+		if(!query_insert.Execute())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 
 	//speaker.dialogue_log += "<b>([time_stamp()])</b> (<b>[speaker]/[speaker.client]</b>) <u>MSG:</u> - <span style=\"color:[COLOR_GREEN]\">[text]</span>"
 	//GLOB.round_text_log += "<b>([time_stamp()])</b> (<b>[speaker]/[speaker.client]</b>) <u>MSG:</u> - <span style=\"color:[COLOR_GREEN]\">[text]</span>"

code/_helpers/logging_vr.dm

@@ -9,7 +9,11 @@
 				return null
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "nsay", "message_content" = text))
-		query_insert.ErrorMsg()
+		if(!query_insert.Execute())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 	//CHOMPEdit End
 
 /proc/log_nme(text, inside, mob/speaker)
@@ -23,7 +27,11 @@
 				return null
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "nme", "message_content" = text))
-		query_insert.Execute()
+		if(!query_insert.Execute())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 	//CHOMPEdit End
 
 /proc/log_subtle(text, mob/speaker)
@@ -37,5 +45,9 @@
 				return null
 		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_dialog (mid, time, ckey, mob, type, message) VALUES (null, NOW(), :sender_ckey, :sender_mob, :message_type, :message_content)", \
 			list("sender_ckey" = speaker.ckey, "sender_mob" = speaker.real_name, "message_type" = "subtle", "message_content" = text))
-		query_insert.Execute()
+		if(!query_insert.Execute())
+			log_debug("Error during logging: "+query_insert.ErrorMsg())
+			qdel(query_insert)
+			return
+		qdel(query_insert)
 	//CHOMPEdit End

code/controllers/subsystems/dbcore.dm

@@ -22,6 +22,8 @@ SUBSYSTEM_DEF(dbcore)
 	for(var/I in active_queries)
 		var/DBQuery/Q = I
 		if(world.time - Q.last_activity_time > (5 MINUTES))
+			message_admins("Found undeleted query, please check the server logs and notify coders.")
+			log_debug("Undeleted query: \"[Q.sql]\" LA: [Q.last_activity] LAT: [Q.last_activity_time]")
 			qdel(Q)
 		if(MC_TICK_CHECK)
 			return

code/controllers/subsystems/persist_vr.dm

@@ -84,10 +84,11 @@ SUBSYSTEM_DEF(persist)
 		var/sql_dpt = sql_sanitize_text(department_earning)
 		var/sql_bal = text2num("[C.department_hours[department_earning]]")
 		var/sql_total = text2num("[C.play_hours[department_earning]]")
-		var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO vr_player_hours (ckey, department, hours, total_hours) VALUES ('[sql_ckey]', '[sql_dpt]', [sql_bal], [sql_total]) ON DUPLICATE KEY UPDATE hours = VALUES(hours), total_hours = VALUES(total_hours)") //CHOMPEdit TGSQL
+		var/list/sqlargs = list("t_ckey" = sql_ckey, "t_department" = sql_dpt) //CHOMPEdit TGSQL
+		var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO vr_player_hours (ckey, department, hours, total_hours) VALUES (:t_ckey, :t_department, [sql_bal], [sql_total]) ON DUPLICATE KEY UPDATE hours = VALUES(hours), total_hours = VALUES(total_hours)", sqlargs) //CHOMPEdit TGSQL
 		if(!query.Execute())	//CHOMPEdit
 			log_admin(query.ErrorMsg())	//CHOMPEdit
-
+		qdel(query) //CHOMPEdit TGSQL
 		if (MC_TICK_CHECK)
 			return
 

code/defines/procs/statistics.dm

@@ -15,6 +15,7 @@ proc/sql_poll_population()
 		if(!query.Execute())
 			var/err = query.ErrorMsg()
 			log_game("SQL ERROR during population polling. Error : \[[err]\]\n")
+		qdel(query) //CHOMPEdit TGSQL
 
 proc/sql_report_round_start()
 	// TODO
@@ -53,10 +54,11 @@ proc/sql_report_death(var/mob/living/carbon/human/H)
 	if(!SSdbcore.IsConnected()) //CHOMPEdit TGSQL
 		log_game("SQL ERROR during death reporting. Failed to connect.")
 	else
-		var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss, coord) VALUES ('[sqlname]', '[sqlkey]', '[sqljob]', '[sqlspecial]', '[sqlpod]', '[sqltime]', '[laname]', '[lakey]', '[H.gender]', [H.getBruteLoss()], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()], '[coord]')") //CHOMPEdit TGSQL
+		var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss, coord) VALUES (:t_name, :t_byondkey, :t_job, :t_special, :t_pod, '[sqltime]', :t_laname, :t_lakey, '[H.gender]', [H.getBruteLoss()], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()], '[coord]')", list("t_name" = sqlname,"t_byondkey" = sqlkey, "t_job" = sqljob, "t_special" = sqlspecial, "t_pod" = sqlpod, "t_laname" = laname, "t_lakey" = lakey)) //CHOMPEdit TGSQL
 		if(!query.Execute())
 			var/err = query.ErrorMsg()
 			log_game("SQL ERROR during death reporting. Error : \[[err]\]\n")
+		qdel(query) //CHOMPEdit TGSQL
 
 
 proc/sql_report_cyborg_death(var/mob/living/silicon/robot/H)
@@ -87,10 +89,11 @@ proc/sql_report_cyborg_death(var/mob/living/silicon/robot/H)
 	if(!SSdbcore.IsConnected()) //CHOMPEdit TGSQL
 		log_game("SQL ERROR during death reporting. Failed to connect.")
 	else
-		var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss, coord) VALUES ('[sqlname]', '[sqlkey]', '[sqljob]', '[sqlspecial]', '[sqlpod]', '[sqltime]', '[laname]', '[lakey]', '[H.gender]', [H.getBruteLoss()], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()], '[coord]')") //CHOMPEdit TGSQL
+		var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss, coord) VALUES (:t_name, :t_byondkey, :t_job, :t_special, :t_pod, '[sqltime]', :t_laname, :t_lakey, '[H.gender]', [H.getBruteLoss()], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()], '[coord]')", list("t_name" = sqlname,"t_byondkey" = sqlkey, "t_job" = sqljob, "t_special" = sqlspecial, "t_pod" = sqlpod, "t_laname" = laname, "t_lakey" = lakey)) //CHOMPEdit TGSQL
 		if(!query.Execute())
 			var/err = query.ErrorMsg()
 			log_game("SQL ERROR during death reporting. Error : \[[err]\]\n")
+		qdel(query) //CHOMPEdit TGSQL
 
 
 proc/statistic_cycle()
@@ -126,7 +129,7 @@ proc/sql_commit_feedback()
 
 		while(max_query.NextRow())
 			newroundid = max_query.item[1]
-
+		qdel(max_query) //CHOMPEdit TGSQL
 		if(!(isnum(newroundid)))
 			newroundid = text2num(newroundid)
 
@@ -143,3 +146,4 @@ proc/sql_commit_feedback()
 			if(!query.Execute())
 				var/err = query.ErrorMsg()
 				log_game("SQL ERROR during death reporting. Error : \[[err]\]\n")
+			qdel(query) //CHOMPEdit TGSQL

code/game/world.dm

@@ -573,6 +573,7 @@ var/failed_old_db_connections = 0
 
 		if(num_tries==5)
 			log_admin("ERROR TRYING TO CLEAR erro_dialog")
+		qdel(query_truncate)
 	else 
 		to_world_log("Feedback database connection failed.")
 	//CHOMPEdit End

code/modules/admin/DB ban/functions.dm

@@ -44,11 +44,12 @@ datum/admins/proc/DB_ban_record(var/bantype, var/mob/banned_mob, var/duration =
 		computerid = bancid
 		ip = banip
 
-	var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_player WHERE ckey = '[ckey]'") //CHOMPEdit TGSQL
+	var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_player WHERE ckey = :t_ckey", list("t_ckey",ckey)) //CHOMPEdit TGSQL
 	query.Execute()
 	var/validckey = 0
 	if(query.NextRow())
 		validckey = 1
+	qdel(query) //CHOMPEdit TGSQL
 	if(!validckey)
 		if(!banned_mob || (banned_mob && !IsGuestKey(banned_mob.key))) //VOREStation Edit Start.
 			var/confirm = alert(usr, "This ckey hasn't been seen, are you sure?", "Confirm Badmin" , "Yes", "No")
@@ -79,13 +80,14 @@ datum/admins/proc/DB_ban_record(var/bantype, var/mob/banned_mob, var/duration =
 			adminwho += ", [C]"
 
 	reason = sql_sanitize_text(reason)
+	var/list/sqlargs = list("t_bantype" = bantype_str, "t_reason" = reason, "t_job" = job, "t_ckey" = ckey, "t_a_ckey" = a_ckey, "t_who" = who, "t_adminwho" = adminwho) //CHOMPEdit TGSQL
+	var/sql = "INSERT INTO erro_ban (`id`,`bantime`,`serverip`,`bantype`,`reason`,`job`,`duration`,`rounds`,`expiration_time`,`ckey`,`computerid`,`ip`,`a_ckey`,`a_computerid`,`a_ip`,`who`,`adminwho`,`edits`,`unbanned`,`unbanned_datetime`,`unbanned_ckey`,`unbanned_computerid`,`unbanned_ip`) VALUES (null, Now(), '[serverip]', :t_bantype, :t_reason, :t_job, [(duration)?"[duration]":"0"], [(rounds)?"[rounds]":"0"], Now() + INTERVAL [(duration>0) ? duration : 0] MINUTE, :t_ckey, '[computerid]', '[ip]', :t_a_ckey, '[a_computerid]', '[a_ip]', :t_who, :t_adminwho, '', null, null, null, null, null)" //CHOMPEdit TGSQL
 	
-	var/sql = "INSERT INTO erro_ban (`id`,`bantime`,`serverip`,`bantype`,`reason`,`job`,`duration`,`rounds`,`expiration_time`,`ckey`,`computerid`,`ip`,`a_ckey`,`a_computerid`,`a_ip`,`who`,`adminwho`,`edits`,`unbanned`,`unbanned_datetime`,`unbanned_ckey`,`unbanned_computerid`,`unbanned_ip`) VALUES (null, Now(), '[serverip]', '[bantype_str]', '[reason]', '[job]', [(duration)?"[duration]":"0"], [(rounds)?"[rounds]":"0"], Now() + INTERVAL [(duration>0) ? duration : 0] MINUTE, '[ckey]', '[computerid]', '[ip]', '[a_ckey]', '[a_computerid]', '[a_ip]', '[who]', '[adminwho]', '', null, null, null, null, null)"
+	var/DBQuery/query_insert = SSdbcore.NewQuery(sql,sqlargs) //CHOMPEdit TGSQL
-	var/DBQuery/query_insert = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL
 	query_insert.Execute()
 	to_chat(usr, "<span class='filter_adminlog'><font color='blue'>Ban saved to database.</font></span>")
 	message_admins("[key_name_admin(usr)] has added a [bantype_str] for [ckey] [(job)?"([job])":""] [(duration > 0)?"([duration] minutes)":""] with the reason: \"[reason]\" to the ban database.",1)
-
+	qdel(query_insert) //CHOMPEdit TGSQL
 
 
 datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "")
@@ -119,7 +121,7 @@ datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "")
 	else
 		bantype_sql = "bantype = '[bantype_str]'"
 
-	var/sql = "SELECT id FROM erro_ban WHERE ckey = '[ckey]' AND [bantype_sql] AND (unbanned is null OR unbanned = false)"
+	var/sql = "SELECT id FROM erro_ban WHERE ckey = :t_ckey AND [bantype_sql] AND (unbanned is null OR unbanned = false)" //CHOMPEdit TGSQL
 	if(job)
 		sql += " AND job = '[job]'"
 
@@ -130,12 +132,12 @@ datum/admins/proc/DB_ban_unban(var/ckey, var/bantype, var/job = "")
 	var/ban_id
 	var/ban_number = 0 //failsafe
 
-	var/DBQuery/query = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL
+	var/DBQuery/query = SSdbcore.NewQuery(sql, list("t_ckey" = ckey)) //CHOMPEdit TGSQL
 	query.Execute()
 	while(query.NextRow())
 		ban_id = query.item[1]
 		ban_number++;
-
+	qdel(query) //CHOMPEdit TGSQL
 	if(ban_number == 0)
 		to_chat(usr, "<span class='filter_adminlog'><font color='red'>Database update failed due to no bans fitting the search criteria. If this is not a legacy ban you should contact the database admin.</font></span>")
 		return
@@ -175,7 +177,7 @@ datum/admins/proc/DB_ban_edit(var/banid = null, var/param = null)
 	else
 		to_chat(usr, "<span class='filter_adminlog'>Invalid ban id. Contact the database admin</span>")
 		return
-
+	qdel(query) //CHOMPEdit TGSQL
 	reason = sql_sanitize_text(reason)
 	var/value
 
@@ -187,20 +189,22 @@ datum/admins/proc/DB_ban_edit(var/banid = null, var/param = null)
 				if(!value)
 					to_chat(usr, "Cancelled")
 					return
-
+			var/list/sqlargs = list("t_reason" = value, "t_edits" = "- [eckey] changed ban reason from <cite><b>\\\"[reason]\\\"</b></cite> to <cite><b>\\\"[value]\\\"</b></cite><BR>") //CHOMPEdit TGSQL
-			var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET reason = '[value]', edits = CONCAT(edits,'- [eckey] changed ban reason from <cite><b>\\\"[reason]\\\"</b></cite> to <cite><b>\\\"[value]\\\"</b></cite><BR>') WHERE id = [banid]") //CHOMPEdit TGSQL
+			var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET reason = '[value]', edits = CONCAT(edits,:t_edits) WHERE id = [banid]", sqlargs) //CHOMPEdit TGSQL
 			update_query.Execute()
 			message_admins("[key_name_admin(usr)] has edited a ban for [pckey]'s reason from [reason] to [value]",1)
+			qdel(update_query) //CHOMPEdit TGSQL
 		if("duration")
 			if(!value)
 				value = input("Insert the new duration (in minutes) for [pckey]'s ban", "New Duration", "[duration]", null) as null|num
 				if(!isnum(value) || !value)
 					to_chat(usr, "Cancelled")
 					return
-
+			var/list/sqlargs = list("t_edits" = "- [eckey] changed ban duration from [duration] to [value]<br>") //CHOMPEdit TGSQL
-			var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET duration = [value], edits = CONCAT(edits,'- [eckey] changed ban duration from [duration] to [value]<br>'), expiration_time = DATE_ADD(bantime, INTERVAL [value] MINUTE) WHERE id = [banid]") //CHOMPEdit TGSQL
+			var/DBQuery/update_query = SSdbcore.NewQuery("UPDATE erro_ban SET duration = [value], edits = CONCAT(edits,:t_edits), expiration_time = DATE_ADD(bantime, INTERVAL [value] MINUTE) WHERE id = [banid]",sqlargs) //CHOMPEdit TGSQL
 			message_admins("[key_name_admin(usr)] has edited a ban for [pckey]'s duration from [duration] to [value]",1)
 			update_query.Execute()
+			qdel(update_query) //CHOMPEdit TGSQL
 		if("unban")
 			if(alert("Unban [pckey]?", "Unban?", "Yes", "No") == "Yes")
 				DB_ban_unban_by_id(banid)
@@ -226,7 +230,7 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 	while(query.NextRow())
 		pckey = query.item[1]
 		ban_number++;
-
+	qdel(query) //CHOMPEdit TGSQL
 	if(ban_number == 0)
 		to_chat(usr, "<span class='filter_adminlog'><font color='red'>Database update failed due to a ban id not being present in the database.</font></span>")
 		return
@@ -241,13 +245,13 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 	var/unban_ckey = src.owner:ckey
 	var/unban_computerid = src.owner:computer_id
 	var/unban_ip = src.owner:address
-
+	var/list/sqlargs = list("t_ckey" = unban_ckey) //CHOMPEdit TGSQL
-	var/sql_update = "UPDATE erro_ban SET unbanned = 1, unbanned_datetime = Now(), unbanned_ckey = '[unban_ckey]', unbanned_computerid = '[unban_computerid]', unbanned_ip = '[unban_ip]' WHERE id = [id]"
+	var/sql_update = "UPDATE erro_ban SET unbanned = 1, unbanned_datetime = Now(), unbanned_ckey = :t_ckey, unbanned_computerid = '[unban_computerid]', unbanned_ip = '[unban_ip]' WHERE id = [id]" //CHOMPEdit TGSQL
 	message_admins("[key_name_admin(usr)] has lifted [pckey]'s ban.",1)
 
-	var/DBQuery/query_update = SSdbcore.NewQuery(sql_update) //CHOMPEdit TGSQL
+	var/DBQuery/query_update = SSdbcore.NewQuery(sql_update,sqlargs) //CHOMPEdit TGSQL
 	query_update.Execute()
-
+	qdel(query_update) //CHOMPEdit TGSQL
 
 /client/proc/DB_ban_panel()
 	set category = "Admin"
@@ -363,21 +367,26 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 			var/ipsearch = ""
 			var/cidsearch = ""
 			var/bantypesearch = ""
-
+			//CHOMPEdit Begin
+			var/list/sqlargs = list() 
 			if(!match)
 				if(adminckey)
-					adminsearch = "AND a_ckey = '[adminckey]' "
+					adminsearch = "AND a_ckey = :t_adminckey "
+					sqlargs["t_adminckey"] = adminckey
 				if(playerckey)
-					playersearch = "AND ckey = '[playerckey]' "
+					playersearch = "AND ckey = :t_playerckey "
+					sqlargs["t_playerckey"] = playerckey //CHOMPEdit End
 				if(playerip)
 					ipsearch  = "AND ip = '[playerip]' "
 				if(playercid)
 					cidsearch  = "AND computerid = '[playercid]' "
 			else
-				if(adminckey && length(adminckey) >= 3)
+				if(adminckey && length(adminckey) >= 3) //CHOMPEdit Begin
-					adminsearch = "AND a_ckey LIKE '[adminckey]%' "
+					adminsearch = "AND a_ckey LIKE CONCAT(:t_adminckey,'%') "
+					sqlargs["t_adminckey"] = adminckey
 				if(playerckey && length(playerckey) >= 3)
-					playersearch = "AND ckey LIKE '[playerckey]%' "
+					playersearch = "AND ckey LIKE CONCAT(:t_playerckey,'%') "
+					sqlargs["t_playerckey"] = playerckey //CHOMPEdit End
 				if(playerip && length(playerip) >= 3)
 					ipsearch  = "AND ip LIKE '[playerip]%' "
 				if(playercid && length(playercid) >= 7)
@@ -396,7 +405,7 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 					else
 						bantypesearch += "'PERMABAN' "
 
-			var/DBQuery/select_query = SSdbcore.NewQuery("SELECT id, bantime, bantype, reason, job, duration, expiration_time, ckey, a_ckey, unbanned, unbanned_ckey, unbanned_datetime, edits, ip, computerid FROM erro_ban WHERE 1 [playersearch] [adminsearch] [ipsearch] [cidsearch] [bantypesearch] ORDER BY bantime DESC LIMIT 100") //CHOMPEdit TGSQL
+			var/DBQuery/select_query = SSdbcore.NewQuery("SELECT id, bantime, bantype, reason, job, duration, expiration_time, ckey, a_ckey, unbanned, unbanned_ckey, unbanned_datetime, edits, ip, computerid FROM erro_ban WHERE 1 [playersearch] [adminsearch] [ipsearch] [cidsearch] [bantypesearch] ORDER BY bantime DESC LIMIT 100", sqlargs) //CHOMPEdit TGSQL
 			select_query.Execute()
 
 			var/now = time2text(world.realtime, "YYYY-MM-DD hh:mm:ss") // MUST BE the same format as SQL gives us the dates in, and MUST be least to most specific (i.e. year, month, day not day, month, year)
@@ -475,5 +484,6 @@ datum/admins/proc/DB_ban_unban_by_id(var/id)
 				output += "</tr>"
 
 			output += "</table></div>"
+			qdel(select_query) //CHOMPEdit TGSQL
 
 	usr << browse(output,"window=lookupbans;size=900x700")

code/modules/admin/IsBanned.dm

@@ -52,7 +52,7 @@ world/IsBanned(key,address,computer_id)
 			failedcid = 0
 			cidquery = " OR computerid = '[computer_id]' "
 
-		var/DBQuery/query = SSdbcore.NewQuery("SELECT ckey, ip, computerid, a_ckey, reason, expiration_time, duration, bantime, bantype FROM erro_ban WHERE (ckey = '[ckeytext]' [ipquery] [cidquery]) AND (bantype = 'PERMABAN'  OR (bantype = 'TEMPBAN' AND expiration_time > Now())) AND isnull(unbanned)") //CHOMPEdit TGSQL
+		var/DBQuery/query = SSdbcore.NewQuery("SELECT ckey, ip, computerid, a_ckey, reason, expiration_time, duration, bantime, bantype FROM erro_ban WHERE (ckey = :t_ckey [ipquery] [cidquery]) AND (bantype = 'PERMABAN'  OR (bantype = 'TEMPBAN' AND expiration_time > Now())) AND isnull(unbanned)", list("t_ckey" = ckeytext)) //CHOMPEdit TGSQL
 
 		query.Execute()
 
@@ -72,9 +72,9 @@ world/IsBanned(key,address,computer_id)
 				expires = " The ban is for [duration] minutes and expires on [expiration] (server time)."
 
 			var/desc = "\nReason: You, or another user of this computer or connection ([pckey]) is banned from playing here. The ban reason is:\n[reason]\nThis ban was applied by [ackey] on [bantime], [expires]"
-
+			qdel(query) //CHOMPEdit TGSQL
 			return list("reason"="[bantype]", "desc"="[desc]")
-
+		qdel(query) //CHOMPEdit TGSQL
 		if (failedcid)
 			message_admins("[key] has logged in with a blank computer id in the ban check.")
 		if (failedip)

code/modules/admin/admin_ranks.dm

@@ -135,6 +135,7 @@ var/list/admin_ranks = list()								//list of all ranks with associated rights
 
 			//find the client for a ckey if they are connected and associate them with the new admin datum
 			D.associate(GLOB.directory[ckey])
+		qdel(query) //CHOMPEdit TGSQL
 		if(!admin_datums)
 			error("The database query in load_admins() resulted in no admins being added to the list. Reverting to legacy system.")
 			log_misc("The database query in load_admins() resulted in no admins being added to the list. Reverting to legacy system.")

code/modules/admin/admin_tools.dm

@@ -45,7 +45,7 @@
 	//CHOMPEdit Begin
 	/*for(var/d in M.dialogue_log)
 		dat += "[d]<br>"*/
-	var/DBQuery/query = SSdbcore.NewQuery("SELECT mid,time,ckey,mob,type,message from erro_dialog WHERE ckey = '[M.ckey]'")
+	var/DBQuery/query = SSdbcore.NewQuery("SELECT mid,time,ckey,mob,type,message from erro_dialog WHERE ckey = :t_ckey", list("t_ckey" = M.ckey))
 	if(!query.Execute())
 		dat += "<i>Database query error</i>"
 	else
@@ -59,6 +59,7 @@
 			dat += "<fieldset style='border: 2px solid white; display: inline'>"
 			dat += messages
 			dat += "</fieldset>"
+	qdel(query)
 	//CHOMPEdit End
 	var/datum/browser/popup = new(usr, "admin_dialogue_log", "[src]", 650, 650, src)
 	popup.set_content(jointext(dat,null))

code/modules/admin/banjob.dm

@@ -85,7 +85,7 @@ DEBUG
 			var/job = query.item[2]
 
 			jobban_keylist.Add("[ckey] - [job]")
-
+		qdel(query) //CHOMPEdit TGSQL
 		//Job tempbans
 		var/DBQuery/query1 = SSdbcore.NewQuery("SELECT ckey, job FROM erro_ban WHERE bantype = 'JOB_TEMPBAN' AND isnull(unbanned) AND expiration_time > Now()") //CHOMPEdit TGSQL
 		query1.Execute()
@@ -95,6 +95,7 @@ DEBUG
 			var/job = query1.item[2]
 
 			jobban_keylist.Add("[ckey] - [job]")
+		qdel(query1) //CHOMPEdit TGSQL
 
 /proc/jobban_savebanfile()
 	var/savefile/S=new("data/job_full.ban")

code/modules/admin/permissionverbs/permissionedit.dm

@@ -79,19 +79,23 @@
 	while(select_query.NextRow())
 		new_admin = 0
 		admin_id = text2num(select_query.item[1])
-
+	qdel(select_query) //CHOMPEdit TGSQL
 	if(new_admin)
 		var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO `erro_admin` (`id`, `ckey`, `rank`, `level`, `flags`) VALUES (null, '[adm_ckey]', '[new_rank]', -1, 0)") //CHOMPEdit TGSQL
 		insert_query.Execute()
+		qdel(insert_query) //CHOMPEdit TGSQL
 		var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Added new admin [adm_ckey] to rank [new_rank]');") //CHOMPEdit TGSQL
 		log_query.Execute()
+		qdel(log_query) //CHOMPEdit TGSQL
 		to_chat(usr, "<span class='filter_adminlog'><font color='blue'>New admin added.</font></span>")
 	else
 		if(!isnull(admin_id) && isnum(admin_id))
 			var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET rank = '[new_rank]' WHERE id = [admin_id]") //CHOMPEdit TGSQL
 			insert_query.Execute()
+			qdel(insert_query) //CHOMPEdit TGSQL
 			var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Edited the rank of [adm_ckey] to [new_rank]');") //CHOMPEdit TGSQL
 			log_query.Execute()
+			qdel(log_query) //CHOMPEdit TGSQL
 			to_chat(usr, "<span class='filter_adminlog'><font color='blue'>Admin rank changed.</font></span>")
 
 /datum/admins/proc/log_admin_permission_modification(var/adm_ckey, var/new_permission)
@@ -131,19 +135,23 @@
 	while(select_query.NextRow())
 		admin_id = text2num(select_query.item[1])
 		admin_rights = text2num(select_query.item[2])
-
+	qdel(select_query) //CHOMPEdit TGSQL
 	if(!admin_id)
 		return
 
 	if(admin_rights & new_permission) //This admin already has this permission, so we are removing it.
 		var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET flags = [admin_rights & ~new_permission] WHERE id = [admin_id]") //CHOMPEdit TGSQL
 		insert_query.Execute()
+		qdel(insert_query) //CHOMPEdit TGSQL
 		var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Removed permission [rights2text(new_permission)] (flag = [new_permission]) to admin [adm_ckey]');") //CHOMPEdit TGSQL
 		log_query.Execute()
+		qdel(log_query) //CHOMPEdit TGSQL
 		to_chat(usr, "<span class='filter_adminlog'><font color='blue'>Permission removed.</font></span>")
 	else //This admin doesn't have this permission, so we are adding it.
 		var/DBQuery/insert_query = SSdbcore.NewQuery("UPDATE `erro_admin` SET flags = '[admin_rights | new_permission]' WHERE id = [admin_id]") //CHOMPEdit TGSQL
 		insert_query.Execute()
+		qdel(insert_query) //CHOMPEdit TGSQL
 		var/DBQuery/log_query = SSdbcore.NewQuery("INSERT INTO `test`.`erro_admin_log` (`id` ,`datetime` ,`adminckey` ,`adminip` ,`log` ) VALUES (NULL , NOW( ) , '[usr.ckey]', '[usr.client.address]', 'Added permission [rights2text(new_permission)] (flag = [new_permission]) to admin [adm_ckey]')") //CHOMPEdit TGSQL
 		log_query.Execute()
+		qdel(log_query) //CHOMPEdit TGSQL
 		to_chat(usr, "<span class='filter_adminlog'><font color='blue'>Permission added.</font></span>")

code/modules/admin/verbs/check_customitem_activity.dm

@@ -63,15 +63,16 @@ var/inactive_keys = "None<br>"
 			if(ckeys_with_customitems.Find(cur_ckey))
 				ckeys_with_customitems.Remove(cur_ckey)
 				inactive_ckeys[cur_ckey] = "last seen on [query_inactive.item[2]]"
+		qdel(query_inactive) //CHOMPEdit TGSQL
 
 	//if there are ckeys left over, check whether they have a database entry at all
 	if(ckeys_with_customitems.len)
 		for(var/cur_ckey in ckeys_with_customitems)
-			var/DBQuery/query_inactive = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE ckey = '[cur_ckey]'") //CHOMPEdit TGSQL
+			var/DBQuery/query_inactive = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE ckey = :t_ckey", list("t_ckey" = cur_ckey)) //CHOMPEdit TGSQL
 			query_inactive.Execute()
 			if(!query_inactive.RowCount())
 				inactive_ckeys += cur_ckey
-
+			qdel(query_inactive) //CHOMPEdit TGSQL
 	if(inactive_ckeys.len)
 		inactive_keys = ""
 		for(var/cur_key in inactive_ckeys)

code/modules/client/client procs.dm

@@ -95,16 +95,18 @@
 
 		var/sql_discord = sql_sanitize_text(their_id)
 		var/sql_ckey = sql_sanitize_text(ckey)
-		var/DBQuery/query = SSdbcore.NewQuery("UPDATE erro_player SET discord_id = '[sql_discord]' WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL
+		var/DBQuery/query = SSdbcore.NewQuery("UPDATE erro_player SET discord_id = :t_discord_id WHERE ckey = :t_ckey", list("t_discord_id" = sql_discord, "t_ckey" = sql_ckey)) //CHOMPEdit TGSQL
 		if(query.Execute())
 			to_chat(src, "<span class='notice'>Registration complete! Thank you for taking the time to register your Discord ID.</span>")
 			log_and_message_admins("[ckey] has registered their Discord ID. Their Discord snowflake ID is: [their_id]") //YW EDIT
 			admin_chat_message(message = "[ckey] has registered their Discord ID. Their Discord is: <@[their_id]>", color = "#4eff22") //YW EDIT
 			notes_add(ckey, "Discord ID: [their_id]")
 			world.VgsAddMemberRole(their_id)
+			qdel(query) //CHOMPEdit TGSQL
 		else
 			to_chat(src, "<span class='warning'>There was an error registering your Discord ID in the database. Contact an administrator.</span>")
 			log_and_message_admins("[ckey] failed to register their Discord ID. Their Discord snowflake ID is: [their_id]. Is the database connected?")
+			qdel(query) //CHOMPEdit TGSQL
 		return
 	//VOREStation Add End
 
@@ -279,13 +281,17 @@
 
 	var/sql_ckey = sql_sanitize_text(ckey(key))
 
-	var/DBQuery/query = SSdbcore.NewQuery("SELECT datediff(Now(),firstseen) as age FROM erro_player WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL
+	var/DBQuery/query = SSdbcore.NewQuery("SELECT datediff(Now(),firstseen) as age FROM erro_player WHERE ckey = :t_ckey", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL
 	query.Execute()
-
+	//CHOMPEdit Begin
 	if(query.NextRow())
-		return text2num(query.item[1])
+		var/outp = text2num(query.item[1])
+		qdel(query)
+		return outp
 	else
+		qdel(query)
 		return -1
+	//CHOMPEdit End
 
 
 /client/proc/log_client_to_db()
@@ -299,7 +305,7 @@
 
 	var/sql_ckey = sql_sanitize_text(src.ckey)
 
-	var/DBQuery/query = SSdbcore.NewQuery("SELECT id, datediff(Now(),firstseen) as age FROM erro_player WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL
+	var/DBQuery/query = SSdbcore.NewQuery("SELECT id, datediff(Now(),firstseen) as age FROM erro_player WHERE ckey = :t_ckey", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL
 	query.Execute()
 	var/sql_id = 0
 	player_age = 0	// New players won't have an entry so knowing we have a connection we set this to zero to be updated if their is a record.
@@ -307,12 +313,13 @@
 		sql_id = query.item[1]
 		player_age = text2num(query.item[2])
 		break
-
+	qdel(query) //CHOMPEdit TGSQL
 	account_join_date = sanitizeSQL(findJoinDate())
 	if(account_join_date && SSdbcore.IsConnected()) //CHOMPEdit TGSQL
 		var/DBQuery/query_datediff = SSdbcore.NewQuery("SELECT DATEDIFF(Now(),'[account_join_date]')") //CHOMPEdit TGSQL
 		if(query_datediff.Execute() && query_datediff.NextRow())
 			account_age = text2num(query_datediff.item[1])
+		qdel(query_datediff) //CHOMPEdit TGSQL
 
 	var/DBQuery/query_ip = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE ip = '[address]'") //CHOMPEdit TGSQL
 	query_ip.Execute()
@@ -320,14 +327,14 @@
 	while(query_ip.NextRow())
 		related_accounts_ip += "[query_ip.item[1]], "
 		break
-
+	qdel(query_ip) //CHOMPEdit TGSQL
 	var/DBQuery/query_cid = SSdbcore.NewQuery("SELECT ckey FROM erro_player WHERE computerid = '[computer_id]'") //CHOMPEdit TGSQL
 	query_cid.Execute()
 	related_accounts_cid = ""
 	while(query_cid.NextRow())
 		related_accounts_cid += "[query_cid.item[1]], "
 		break
-
+	qdel(query_cid) //CHOMPEdit TGSQL
 	//Just the standard check to see if it's actually a number
 	if(sql_id)
 		if(istext(sql_id))
@@ -376,7 +383,7 @@
 			log_admin("Couldn't perform IP check on [key] with [address]")
 
 	// VOREStation Edit Start - Department Hours
-	var/DBQuery/query_hours = SSdbcore.NewQuery("SELECT department, hours, total_hours FROM vr_player_hours WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL
+	var/DBQuery/query_hours = SSdbcore.NewQuery("SELECT department, hours, total_hours FROM vr_player_hours WHERE ckey = :t_ckey", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL
 	if(query_hours.Execute())
 		while(query_hours.NextRow())
 			department_hours[query_hours.item[1]] = text2num(query_hours.item[2])
@@ -387,20 +394,23 @@
 		spawn(0)
 			alert(src, "The query to load your existing playtime failed. Screenshot this, give the screenshot to a developer, and reconnect, otherwise you may lose any recorded play hours (which may limit access to jobs). ERROR: [error_message]", "PROBLEMS!!")
 	// VOREStation Edit End - Department Hours
-
+	qdel(query_hours) //CHOMPEdit TGSQL
 	if(sql_id)
 		//Player already identified previously, we need to just update the 'lastseen', 'ip' and 'computer_id' variables
 		var/DBQuery/query_update = SSdbcore.NewQuery("UPDATE erro_player SET lastseen = Now(), ip = '[sql_ip]', computerid = '[sql_computerid]', lastadminrank = '[sql_admin_rank]' WHERE id = [sql_id]") //CHOMPEdit TGSQL
 		query_update.Execute()
+		qdel(query_update) //CHOMPEdit TGSQL
 	else
 		//New player!! Need to insert all the stuff
-		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_player (id, ckey, firstseen, lastseen, ip, computerid, lastadminrank) VALUES (null, '[sql_ckey]', Now(), Now(), '[sql_ip]', '[sql_computerid]', '[sql_admin_rank]')") //CHOMPEdit TGSQL
+		var/DBQuery/query_insert = SSdbcore.NewQuery("INSERT INTO erro_player (id, ckey, firstseen, lastseen, ip, computerid, lastadminrank) VALUES (null, :t_ckey, Now(), Now(), '[sql_ip]', '[sql_computerid]', '[sql_admin_rank]')", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL
 		query_insert.Execute()
+		qdel(query_insert) //CHOMPEdit TGSQL
 
 	//Logging player access
 	var/serverip = "[world.internet_address]:[world.port]"
-	var/DBQuery/query_accesslog = SSdbcore.NewQuery("INSERT INTO `erro_connection_log`(`id`,`datetime`,`serverip`,`ckey`,`ip`,`computerid`) VALUES(null,Now(),'[serverip]','[sql_ckey]','[sql_ip]','[sql_computerid]');") //CHOMPEdit TGSQL
+	var/DBQuery/query_accesslog = SSdbcore.NewQuery("INSERT INTO `erro_connection_log`(`id`,`datetime`,`serverip`,`ckey`,`ip`,`computerid`) VALUES(null,Now(),'[serverip]',:t_ckey,'[sql_ip]','[sql_computerid]');", list("t_ckey" = sql_ckey)) //CHOMPEdit TGSQL
 	query_accesslog.Execute()
+	qdel(query_accesslog) //CHOMPEdit TGSQL
 
 #undef TOPIC_SPAM_DELAY
 #undef UPLOAD_LIMIT

code/modules/library/lib_machines.dm

@@ -31,6 +31,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f
 	var/category = "Any"
 	var/author
 	var/SQLquery
+	var/list/SQLargs //CHOMPEdit TGSQL
 
 /obj/machinery/librarypubliccomp/attack_hand(var/mob/user as mob)
 	usr.set_machine(src)
@@ -52,7 +53,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f
 				dat += {"<table>
 				<tr><td>AUTHOR</td><td>TITLE</td><td>CATEGORY</td><td>SS<sup>13</sup>BN</td></tr>"}
 
-				var/DBQuery/query = SSdbcore.NewQuery(SQLquery) //CHOMPEdit TGSQL
+				var/DBQuery/query = SSdbcore.NewQuery(SQLquery, SQLargs) //CHOMPEdit TGSQL
 				query.Execute()
 
 				while(query.NextRow())
@@ -61,6 +62,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f
 					var/category = query.item[3]
 					var/id = query.item[4]
 					dat += "<tr><td>[author]</td><td>[title]</td><td>[category]</td><td>[id]</td></tr>"
+				qdel(query)
 				dat += "</table><BR>"
 			dat += "<A href='?src=\ref[src];back=1'>\[Go Back\]</A><BR>"
 	user << browse(dat, "window=publiclibrary")
@@ -95,10 +97,16 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f
 		author = sanitizeSQL(author)
 	if(href_list["search"])
 		SQLquery = "SELECT author, title, category, id FROM library WHERE "
+		SQLargs = list() //CHOMPEdit begin
 		if(category == "Any")
-			SQLquery += "author LIKE '%[author]%' AND title LIKE '%[title]%'"
+			SQLquery += "author LIKE '%:t_author%' AND title LIKE '%:t_title%'"
+			SQLargs["t_author"] = author
+			SQLargs["t_title"] = title
 		else
-			SQLquery += "author LIKE '%[author]%' AND title LIKE '%[title]%' AND category='[category]'"
+			SQLquery += "author LIKE CONCAT('%',:t_author,'%') AND title LIKE CONCAT('%',:t_title,'%') AND category=:t_category"
+			SQLargs["t_author"] = author
+			SQLargs["t_title"] = title
+			SQLargs["t_category"] = category //CHOMPEdit End
 		screenstate = 1
 
 	if(href_list["back"])
@@ -283,7 +291,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f
 				dat += {"<A href='?src=\ref[src];orderbyid=1'>(Order book by SS<sup>13</sup>BN)</A><BR><BR>
 				<table>
 				<tr><td><A href='?src=\ref[src];sort=author>AUTHOR</A></td><td><A href='?src=\ref[src];sort=title>TITLE</A></td><td><A href='?src=\ref[src];sort=category>CATEGORY</A></td><td></td></tr>"}
-				var/DBQuery/query = SSdbcore.NewQuery("SELECT id, author, title, category FROM library ORDER BY [sortby]") //CHOMPEdit TGSQL
+				var/DBQuery/query = SSdbcore.NewQuery("SELECT id, author, title, category FROM library ORDER BY :t_sortby", list("t_sortby" = sortby)) //CHOMPEdit TGSQL
 				query.Execute()
 
 				while(query.NextRow())
@@ -292,6 +300,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f
 					var/title = query.item[3]
 					var/category = query.item[4]
 					dat += "<tr><td>[author]</td><td>[title]</td><td>[category]</td><td><A href='?src=\ref[src];targetid=[id]'>\[Order\]</A></td></tr>"
+				qdel(query) //CHOMPEdit TGSQL
 				dat += "</table>"
 			dat += "<BR><A href='?src=\ref[src];switchscreen=0'>(Return to main menu)</A><BR>"
 
@@ -411,16 +420,18 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f
 							var/sqlcontent = dbcon.Quote(scanner.cache.dat)
 							var/sqlcategory = dbcon.Quote(upload_category)
 							*/
-							var/sqltitle = sanitizeSQL(scanner.cache.name)
+							var/list/sql_args = list("t_title" = scanner.cache.name, "t_author" = scanner.cache.author, "t_content" = scanner.cache.dat, "t_category" = upload_category) //CHOMPEdit TGSQL
+							/*var/sqltitle = sanitizeSQL(scanner.cache.name) CHOMPEdit TGSQL
 							var/sqlauthor = sanitizeSQL(scanner.cache.author)
 							var/sqlcontent = sanitizeSQL(scanner.cache.dat)
-							var/sqlcategory = sanitizeSQL(upload_category)
+							var/sqlcategory = sanitizeSQL(upload_category)*/
-							var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO library (author, title, content, category) VALUES ('[sqlauthor]', '[sqltitle]', '[sqlcontent]', '[sqlcategory]')") //CHOMPEdit TGSQL
+							var/DBQuery/query = SSdbcore.NewQuery("INSERT INTO library (author, title, content, category) VALUES (:t_author, :t_title, :t_content, :t_category)", sql_args) //CHOMPEdit TGSQL
 							if(!query.Execute())
 								to_chat(usr,query.ErrorMsg())
 							else
 								log_game("[usr.name]/[usr.key] has uploaded the book titled [scanner.cache.name], [length(scanner.cache.dat)] signs")
 								alert("Upload Complete.")
+							qdel(query) //CHOMPEdit TGSQL
 	//VOREStation Edit End
 
 	if(href_list["targetid"])
@@ -451,6 +462,7 @@ datum/borrowbook // Datum used to keep track of who has borrowed what when and f
 				B.item_state = B.icon_state
 				src.visible_message("[src]'s printer hums as it produces a completely bound book. How did it do that?")
 				break
+			qdel(query) //CHOMPEdit TGSQL
 	if(href_list["orderbyid"])
 		var/orderid = input("Enter your order:") as num|null
 		if(orderid)

code/modules/mob/new_player/new_player.dm

@@ -50,13 +50,13 @@
 			var/isadmin = 0
 			if(src.client && src.client.holder)
 				isadmin = 1
-			var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_poll_question WHERE [(isadmin ? "" : "adminonly = false AND")] Now() BETWEEN starttime AND endtime AND id NOT IN (SELECT pollid FROM erro_poll_vote WHERE ckey = \"[ckey]\") AND id NOT IN (SELECT pollid FROM erro_poll_textreply WHERE ckey = \"[ckey]\")") //CHOMPEdit TGSQL
+			var/DBQuery/query = SSdbcore.NewQuery("SELECT id FROM erro_poll_question WHERE [(isadmin ? "" : "adminonly = false AND")] Now() BETWEEN starttime AND endtime AND id NOT IN (SELECT pollid FROM erro_poll_vote WHERE ckey = :t_ckey) AND id NOT IN (SELECT pollid FROM erro_poll_textreply WHERE ckey = :t_ckey)",list("t_ckey" = ckey)) //CHOMPEdit TGSQL
 			query.Execute()
 			var/newpoll = 0
 			while(query.NextRow())
 				newpoll = 1
 				break
-
+			qdel(query) //CHOMPEdit TGSQL
 			if(newpoll)
 				output += "<p><b><a href='byond://?src=\ref[src];showpoll=1'>Show Player Polls</A> (NEW!)</b></p>"
 			else
@@ -221,12 +221,12 @@
 		var/voted = 0
 
 		//First check if the person has not voted yet.
-		var/DBQuery/query = SSdbcore.NewQuery("SELECT * FROM erro_privacy WHERE ckey='[src.ckey]'") //CHOMPEdit TGSQL
+		var/DBQuery/query = SSdbcore.NewQuery("SELECT * FROM erro_privacy WHERE ckey=:t_ckey", list("t_ckey" = src.ckey)) //CHOMPEdit TGSQL
 		query.Execute()
 		while(query.NextRow())
 			voted = 1
 			break
-
+		qdel(query) //CHOMPEdit TGSQL
 		//This is a safety switch, so only valid options pass through
 		var/option = "UNKNOWN"
 		switch(href_list["privacy_poll"])
@@ -246,10 +246,12 @@
 			return
 
 		if(!voted)
-			var/sql = "INSERT INTO erro_privacy VALUES (null, Now(), '[src.ckey]', '[option]')"
+			var/list/sqlargs = list("t_ckey" = src.ckey, "t_option" = "[option]") //CHOMPEdit TGSQL
-			var/DBQuery/query_insert = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL
+			var/sql = "INSERT INTO erro_privacy VALUES (null, Now(), :t_ckey, :t_option)" //CHOMPEdit TGSQL
+			var/DBQuery/query_insert = SSdbcore.NewQuery(sql,sqlargs) //CHOMPEdit TGSQL
 			query_insert.Execute()
 			to_chat(usr, "<b>Thank you for your vote!</b>")
+			qdel(query_insert)
 			usr << browse(null,"window=privacypoll")
 
 	if(!ready && href_list["preference"])

code/modules/mob/new_player/poll.dm

@@ -5,12 +5,12 @@
 		return
 	var/voted = 0
 
-	var/DBQuery/query = SSdbcore.NewQuery("SELECT * FROM erro_privacy WHERE ckey='[src.ckey]'") //CHOMPEdit TGSQL
+	var/DBQuery/query = SSdbcore.NewQuery("SELECT * FROM erro_privacy WHERE ckey=:t_ckey", list("t_ckey" = src.ckey)) //CHOMPEdit TGSQL
 	query.Execute()
 	while(query.NextRow())
 		voted = 1
 		break
-
+	qdel(query) //CHOMPEdit TGSQL
 	if(!voted)
 		privacy_poll()
 
@@ -72,7 +72,7 @@
 			pollquestion = select_query.item[2]
 			output += "<tr bgcolor='[ (i % 2 == 1) ? color1 : color2 ]'><td><a href=\"byond://?src=\ref[src];pollid=[pollid]\"><b>[pollquestion]</b></a></td></tr>"
 			i++
-
+		qdel(select_query) //CHOMPEdit TGSQL
 		output += "</table>"
 
 		src << browse(output,"window=playerpolllist;size=500x300")
@@ -101,7 +101,7 @@
 			polltype = select_query.item[4]
 			found = 1
 			break
-
+		qdel(select_query) //CHOMPEdit TGSQL
 		if(!found)
 			to_chat(usr, "<font color='red'>Poll question details not found.</font>")
 			return
@@ -109,7 +109,7 @@
 		switch(polltype)
 			//Polls that have enumerated options
 			if("OPTION")
-				var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT optionid FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL
+				var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT optionid FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL
 				voted_query.Execute()
 
 				var/voted = 0
@@ -118,7 +118,7 @@
 					votedoptionid = text2num(voted_query.item[1])
 					voted = 1
 					break
-
+				qdel(voted_query) //CHOMPEdit TGSQL
 				var/list/datum/polloption/options = list()
 
 				var/DBQuery/options_query = SSdbcore.NewQuery("SELECT id, text FROM erro_poll_option WHERE pollid = [pollid]") //CHOMPEdit TGSQL
@@ -128,7 +128,7 @@
 					PO.optionid = text2num(options_query.item[1])
 					PO.optiontext = options_query.item[2]
 					options += PO
-
+				qdel(options_query) //CHOMPEdit TGSQL
 				var/output = "<div align='center'><B>Player poll</B>"
 				output +="<hr>"
 				output += "<b>Question: [pollquestion]</b><br>"
@@ -162,7 +162,7 @@
 
 			//Polls with a text input
 			if("TEXT")
-				var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT replytext FROM erro_poll_textreply WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL
+				var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT replytext FROM erro_poll_textreply WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL
 				voted_query.Execute()
 
 				var/voted = 0
@@ -171,7 +171,7 @@
 					vote_text = voted_query.item[1]
 					voted = 1
 					break
-
+				qdel(voted_query) //CHOMPEdit TGSQL
 
 				var/output = "<div align='center'><B>Player poll</B>"
 				output +="<hr>"
@@ -204,7 +204,7 @@
 
 			//Polls with a text input
 			if("NUMVAL")
-				var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT o.text, v.rating FROM erro_poll_option o, erro_poll_vote v WHERE o.pollid = [pollid] AND v.ckey = '[usr.ckey]' AND o.id = v.optionid") //CHOMPEdit TGSQL
+				var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT o.text, v.rating FROM erro_poll_option o, erro_poll_vote v WHERE o.pollid = [pollid] AND v.ckey = :t_ckey AND o.id = v.optionid", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL
 				voted_query.Execute()
 
 				var/output = "<div align='center'><B>Player poll</B>"
@@ -220,7 +220,7 @@
 					var/rating = voted_query.item[2]
 
 					output += "<br><b>[optiontext] - [rating]</b>"
-
+				qdel(voted_query) //CHOMPEdit TGSQL
 				if(!voted)	//Only make this a form if we have not voted yet
 					output += "<form name='cardcomp' action='?src=\ref[src]' method='get'>"
 					output += "<input type='hidden' name='src' value='\ref[src]'>"
@@ -264,7 +264,7 @@
 								output += "<option value='[j]'>[j]</option>"
 
 						output += "</select>"
-
+					qdel(option_query) //CHOMPEdit TGSQL
 					output += "<input type='hidden' name='minid' value='[minid]'>"
 					output += "<input type='hidden' name='maxid' value='[maxid]'>"
 
@@ -273,7 +273,7 @@
 
 				src << browse(output,"window=playerpoll;size=500x500")
 			if("MULTICHOICE")
-				var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT optionid FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL
+				var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT optionid FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL
 				voted_query.Execute()
 
 				var/list/votedfor = list()
@@ -281,7 +281,7 @@
 				while(voted_query.NextRow())
 					votedfor.Add(text2num(voted_query.item[1]))
 					voted = 1
-
+				qdel(voted_query) //CHOMPEdit TGSQL
 				var/list/datum/polloption/options = list()
 				var/maxoptionid = 0
 				var/minoptionid = 0
@@ -297,7 +297,7 @@
 					if(PO.optionid < minoptionid || !minoptionid)
 						minoptionid = PO.optionid
 					options += PO
-
+				qdel(options_query) //CHOMPEdit TGSQL
 
 				if(select_query.item[5])
 					multiplechoiceoptions = text2num(select_query.item[5])
@@ -358,7 +358,7 @@
 			if(select_query.item[5])
 				multiplechoiceoptions = text2num(select_query.item[5])
 			break
-
+		qdel(select_query) //CHOMPEdit TGSQL
 		if(!validpoll)
 			to_chat(usr, "<font color='red'>Poll is not valid.</font>")
 			return
@@ -378,14 +378,14 @@
 
 		var/alreadyvoted = 0
 
-		var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL
+		var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_vote WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL
 		voted_query.Execute()
 
 		while(voted_query.NextRow())
 			alreadyvoted += 1
 			if(!multichoice)
 				break
-
+		qdel(voted_query) //CHOMPEdit TGSQL
 		if(!multichoice && alreadyvoted)
 			to_chat(usr, "<font color='red'>You already voted in this poll.</font>")
 			return
@@ -399,10 +399,11 @@
 			adminrank = usr.client.holder.rank
 
 
-		var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_vote (id ,datetime ,pollid ,optionid ,ckey ,ip ,adminrank) VALUES (null, Now(), [pollid], [optionid], '[usr.ckey]', '[usr.client.address]', '[adminrank]')") //CHOMPEdit TGSQL
+		var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_vote (id ,datetime ,pollid ,optionid ,ckey ,ip ,adminrank) VALUES (null, Now(), [pollid], [optionid], :t_ckey, '[usr.client.address]', '[adminrank]')", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL
 		insert_query.Execute()
 
 		to_chat(usr, "<font color='blue'>Vote successful.</font>")
+		qdel(insert_query) //CHOMPEdit TGSQL
 		usr << browse(null,"window=playerpoll")
 
 
@@ -425,20 +426,20 @@
 				return
 			validpoll = 1
 			break
-
+		qdel(select_query) //CHOMPEdit TGSQL
 		if(!validpoll)
 			to_chat(usr, "<font color='red'>Poll is not valid.</font>")
 			return
 
 		var/alreadyvoted = 0
 
-		var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_textreply WHERE pollid = [pollid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL
+		var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_textreply WHERE pollid = [pollid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL
 		voted_query.Execute()
 
 		while(voted_query.NextRow())
 			alreadyvoted = 1
 			break
-
+		qdel(voted_query) //CHOMPEdit TGSQL
 		if(alreadyvoted)
 			to_chat(usr, "<font color='red'>You already sent your feedback for this poll.</font>")
 			return
@@ -457,10 +458,11 @@
 			to_chat(usr, "The text you entered was blank, contained illegal characters or was too long. Please correct the text and submit again.")
 			return
 
-		var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_textreply (id ,datetime ,pollid ,ckey ,ip ,replytext ,adminrank) VALUES (null, Now(), [pollid], '[usr.ckey]', '[usr.client.address]', '[replytext]', '[adminrank]')") //CHOMPEdit TGSQL
+		var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_textreply (id ,datetime ,pollid ,ckey ,ip ,replytext ,adminrank) VALUES (null, Now(), [pollid], :t_ckey, '[usr.client.address]', :t_reply, '[adminrank]')", list("t_ckey" = usr.ckey, "t_reply" = replytext)) //CHOMPEdit TGSQL
 		insert_query.Execute()
 
 		to_chat(usr, "<font color='blue'>Feedback logging successful.</font>")
+		qdel(insert_query) //CHOMPEdit TGSQL
 		usr << browse(null,"window=playerpoll")
 
 
@@ -483,7 +485,7 @@
 				return
 			validpoll = 1
 			break
-
+		qdel(select_query) //CHOMPEdit TGSQL
 		if(!validpoll)
 			to_chat(usr, "<font color='red'>Poll is not valid.</font>")
 			return
@@ -496,20 +498,20 @@
 		while(select_query2.NextRow())
 			validoption = 1
 			break
-
+		qdel(select_query2) //CHOMPEdit TGSQL
 		if(!validoption)
 			to_chat(usr, "<font color='red'>Poll option is not valid.</font>")
 			return
 
 		var/alreadyvoted = 0
 
-		var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_vote WHERE optionid = [optionid] AND ckey = '[usr.ckey]'") //CHOMPEdit TGSQL
+		var/DBQuery/voted_query = SSdbcore.NewQuery("SELECT id FROM erro_poll_vote WHERE optionid = [optionid] AND ckey = :t_ckey", list("t_ckey" = usr.ckey)) //CHOMPEdit TGSQL
 		voted_query.Execute()
 
 		while(voted_query.NextRow())
 			alreadyvoted = 1
 			break
-
+		qdel(voted_query) //CHOMPEdit TGSQL
 		if(alreadyvoted)
 			to_chat(usr, "<font color='red'>You already voted in this poll.</font>")
 			return
@@ -519,8 +521,9 @@
 			adminrank = usr.client.holder.rank
 
 
-		var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_vote (id ,datetime ,pollid ,optionid ,ckey ,ip ,adminrank, rating) VALUES (null, Now(), [pollid], [optionid], '[usr.ckey]', '[usr.client.address]', '[adminrank]', [(isnull(rating)) ? "null" : rating])") //CHOMPEdit TGSQL
+		var/DBQuery/insert_query = SSdbcore.NewQuery("INSERT INTO erro_poll_vote (id ,datetime ,pollid ,optionid ,ckey ,ip ,adminrank, rating) VALUES (null, Now(), [pollid], [optionid], '[usr.ckey]', '[usr.client.address]', '[adminrank]', :t_rating)", list("t_ckey" = usr.ckey, "t_rating" = rating)) //CHOMPEdit TGSQL
 		insert_query.Execute()
 
 		to_chat(usr, "<font color='blue'>Vote successful.</font>")
+		qdel(insert_query) //CHOMPEdit TGSQL
 		usr << browse(null,"window=playerpoll")

code/modules/research/message_server.dm

@@ -353,17 +353,19 @@ var/obj/machinery/blackbox_recorder/blackbox
 	query.Execute()
 	while(query.NextRow())
 		round_id = query.item[1]
-
+	qdel(query) //CHOMPEdit TGSQL
 	if(!isnum(round_id))
 		round_id = text2num(round_id)
 	round_id++
 
 	for(var/datum/feedback_variable/FV in feedback)
-		var/sql = "INSERT INTO erro_feedback VALUES (null, Now(), [round_id], \"[FV.get_variable()]\", [FV.get_value()], \"[FV.get_details()]\")"
+		var/list/sqlargs = list("t_roundid" = round_id, "t_variable" = "[FV.get_variable()]", "t_value" = "[FV.get_value()]", "t_details" = "[FV.get_details()]") //CHOMPEdit TGSQL
-		var/DBQuery/query_insert = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL
+		var/sql = "INSERT INTO erro_feedback VALUES (null, Now(), :t_roundid, :t_variable, :t_value, :t_details)" //CHOMPEdit TGSQL
+		var/DBQuery/query_insert = SSdbcore.NewQuery(sql, sqlargs) //CHOMPEdit TGSQL
 		query_insert.Execute()
+		qdel(query_insert) //CHOMPEdit TGSQL
 
-// Sanitize inputs to avoid SQL injection attacks
+// Sanitize inputs to avoid SQL injection attacks //CHOMPEdit NOTE: This is not secure. Basic filters like this are pretty easy to bypass. Use the format for arguments used in the above.
 proc/sql_sanitize_text(var/text)
 	text = replacetext(text, "'", "''")
 	text = replacetext(text, ";", "")

code/modules/tgs/v5/chat_commands.dm

@@ -71,12 +71,13 @@ GLOBAL_LIST_EMPTY(pending_discord_registrations)
 
 /datum/tgs_chat_command/register/Run(datum/tgs_chat_user/sender, params)
 	// Try to find if that ID is registered to someone already
-	var/sql_discord = sql_sanitize_text(sender.id)
+	//var/sql_discord = sql_sanitize_text(sender.id) //CHOMPEdit TGSQL
-	var/DBQuery/query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE discord_id = '[sql_discord]'") //CHOMPEdit TGSQL
+	var/DBQuery/query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE discord_id = :t_discord", list("t_discord"=sender.id)) //CHOMPEdit TGSQL
 	query.Execute()
 	if(query.NextRow())
+		qdel(query) //CHOMPEdit TGSQL
 		return "[sender.friendly_name], your Discord ID is already registered to a Byond username. Please contact an administrator if you changed your Byond username or Discord ID."
-	
+	qdel(query) //CHOMPEdit TGSQL
 	var/key_to_find = "[ckey(params)]"
 
 	// They didn't provide anything worth looking up.
@@ -94,18 +95,20 @@ GLOBAL_LIST_EMPTY(pending_discord_registrations)
 	if(!user)
 		return "[sender.friendly_name], I couldn't find a logged-in user with the username of '[key_to_find]', which is what you provided after conversion to Byond's ckey format. Please connect to the game server and try again."
 	
-	var/sql_ckey = sql_sanitize_text(key_to_find)
+	//var/sql_ckey = sql_sanitize_text(key_to_find) //CHOMPEdit TGSQL
-	query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL
+	var/DBQuery/query2 = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE ckey = :t_ckey",list("t_ckey" = key_to_find)) //CHOMPEdit TGSQL
-	query.Execute()
+	query2.Execute() //CHOMPEdit TGSQL
 
 	// We somehow found their client, BUT they don't exist in the database
-	if(!query.NextRow())
+	if(!query2.NextRow()) //CHOMPEdit TGSQL
+		qdel(query2) //CHOMPEdit TGSQL
 		return "[sender.friendly_name], the server's database is either not responding or there's no evidence you've ever logged in. Please contact an administrator."
 	
 	// We found them in the database, AND they already have a discord ID assigned
-	if(query.item[1])
+	if(query2.item[1]) //CHOMPEdit TGSQL
+		qdel(query2) //CHOMPEdit TGSQL
 		return "[sender.friendly_name], it appears you've already registered your chat and game IDs. If you've changed game or chat usernames, please contact an administrator for help."
-		
+	qdel(query2) //CHOMPEdit TGSQL
 	// Okay. We found them, they're in the DB, and they have no discord ID set.
 	var/message = "<span class='notice'>A request has been sent from Discord to validate your Byond username, by '[sender.friendly_name]' in '[sender.channel.friendly_name]'</span>\
 	<br><span class='warning'>If you did not send this request, do not click the link below, and do notify an administrator in-game or on Discord ASAP.</span>\