From: Hendrik <nh...@us...> - 2006-09-26 19:27:53
Update of /cvsroot/arianne/marauroa/src/marauroa/server/game In directory sc8-pr-cvs11.sourceforge.net:/tmp/cvs-serv9965/src/marauroa/server/game Modified Files: JDBCPlayerDatabase.java Log Message: improved logging of game events Index: JDBCPlayerDatabase.java =================================================================== RCS file: /cvsroot/arianne/marauroa/src/marauroa/server/game/JDBCPlayerDatabase.java,v retrieving revision 1.27 retrieving revision 1.28 diff -C2 -d -r1.27 -r1.28 *** JDBCPlayerDatabase.java 26 Aug 2006 20:00:31 -0000 1.27 --- JDBCPlayerDatabase.java 26 Sep 2006 19:27:40 -0000 1.28 *************** *** 101,104 **** --- 101,122 ---- } + /** + * Escapes ' and \ in a string so that the result can be passed into an + * SQL command. The parameter has be quoted using ' in the sql. Most + * database engines accept single quotes around numbers as well. + * <p>Please note that special characters for LIKE and other matching + * commands are not quotes. The result of this method is suiteable for + * INSERT, UPDATE and an "=" operator in the WHERE part. + * + * @param param string to quote + * @return quoted string + */ + public String escapeSQLString(String param) { + if (param == null) { + return param; + } + return param.replace("'", "''").replace("\\", "\\\\"); + } + private static IPlayerDatabase playerDatabase = null; *************** *** 497,517 **** } } - // This code is unused. 
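Review bot: escapeSQLString passes a null argument straight through, and because string concatenation renders a null reference as the text `null`, a caller writing `"'" + escapeSQLString(x) + "'"` stores the four-character string `null` rather than SQL NULL; either document that in the Javadoc (`@return the escaped string, or {@code null} when {@code param} is null — note that concatenation will then print the word null`) or have the insert that uses it bind values through a PreparedStatement, where the gameEvents query at 1442,1473 would not need escaping at all. The helper is correct for the single-quoted `=`/INSERT case it documents (the `'` pass runs before the `\` pass, so neither replacement interferes with the other), but it gives no help with LIKE metacharacters and, like any escaping done on the Java side without knowledge of the connection's character set, it is weaker than driver-side parameter binding. It reads no instance state and could be `public static String escapeSQLString(String param)`. The Javadoc has three wording slips: `has be quoted` → `has to be quoted`, `are not quotes` → `are not escaped`, `suiteable` → `suitable`.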
I think it was a workaround some transaction - // issues on 0.90 - // else - // { - // Connection connection1 = - // ((JDBCTransaction)trans).getConnection(); - // Statement stmt1 = connection1.createStatement(); - // String query1 = "select * from player;"; - // logger.debug("verifyAccount is executing query "+query1); - // ResultSet result1 = stmt1.executeQuery(query1); - // while(result1.next()) - // { - // logger.debug(result1.getString("id")+"\t"+result1.getString("username")+"\t"+result1.getString("password")); - // } - // result1.close(); - // } - return false; } catch (Exception e) { --- 515,518 ---- *************** *** 1433,1438 **** Statement stmt = connection.createStatement(); StringBuffer param = new StringBuffer(); - if (params.length > 1) { for (int i = 1; i < params.length; i++) { --- 1434,1439 ---- Statement stmt = connection.createStatement(); + String firstParam = (params.length > 0 ? params[0] : ""); StringBuffer param = new StringBuffer(); if (params.length > 1) { for (int i = 1; i < params.length; i++) { *************** *** 1442,1473 **** } - try { - if (!validString(source) || !validString(event) - || !validString(param.toString())) { - logger - .info("Game event not logged because invalid strings: \"" - + source - + "\",\"" - + event - + "\",\"" - + param + "\""); - return; - } - } catch (Exception e) { - logger.info("Game event not logged because invalid strings: \"" - + source + "\",\"" + event + "\",\"" + param + "\"", e); - return; - } - - String firstParam = (params.length > 0 ? params[0] : ""); - String query = "insert into gameEvents(timedate, source, event, param1, param2) values(NULL,'" ! + source + "','" ! + event + "','" ! + firstParam + "','" ! + param.toString() + "')"; stmt.execute(query); stmt.close(); --- 1443,1454 ---- } String query = "insert into gameEvents(timedate, source, event, param1, param2) values(NULL,'" ! + escapeSQLString(source) + "','" ! + escapeSQLString(event) + "','" ! + escapeSQLString(firstParam) + "','" ! 
+ escapeSQLString(param.toString()) + "')"; stmt.execute(query); stmt.close(); |
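Review bot: The gameEvents insert is still assembled by string concatenation; the commit replaces the removed validString() pre-check with escapeSQLString() on each value, which handles `'` and `\` but leaves the statement's safety dependent on every future edit remembering to wrap every value. A PreparedStatement with four `?` placeholders removes the escaping step entirely and also stores a null `source`, `event` or `params[0]` as SQL NULL instead of the literal string `null` that concatenating escapeSQLString(null) produces. The `Statement stmt = connection.createStatement();` line this replaces sits in the preceding hunk (1433,1438), the enclosing method starts outside this hunk, and `java.sql.PreparedStatement` must be imported if the file does not already import it. `stmt.close()` is skipped when `execute` throws, which predates this commit but is cheap to fix while the block is being rewritten.
```java
// … unchanged: firstParam and the param StringBuffer built from params[1..] …
PreparedStatement stmt = connection.prepareStatement(
        "insert into gameEvents(timedate, source, event, param1, param2) values(NULL, ?, ?, ?, ?)");
try {
    stmt.setString(1, source);
    stmt.setString(2, event);
    stmt.setString(3, firstParam);
    stmt.setString(4, param.toString());
    stmt.execute();
} finally {
    stmt.close();
}
```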