From 9b1b7faef18c099b6551b6e0b6a720e87dffd347 Mon Sep 17 00:00:00 2001
From: creeper123123321 <7974274+creeper123123321@users.noreply.github.com>
Date: Wed, 13 Jul 2022 19:15:15 -0300
Subject: [PATCH] use PreparedStatements
---
 .../connect/storage/AbstractSQLStorageManager.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/geysermc/connect/storage/AbstractSQLStorageManager.java b/src/main/java/org/geysermc/connect/storage/AbstractSQLStorageManager.java
index c98f408..6123ea1 100644
--- a/src/main/java/org/geysermc/connect/storage/AbstractSQLStorageManager.java
+++ b/src/main/java/org/geysermc/connect/storage/AbstractSQLStorageManager.java
@@ -67,8 +67,10 @@ public abstract class AbstractSQLStorageManager extends AbstractStorageManager {
 @Override
 public void saveServers(Player player) {
- try (Statement updatePlayersServers = connection.createStatement()) {
- updatePlayersServers.executeUpdate("INSERT OR REPLACE INTO players(xuid, servers) VALUES('" + player.getAuthData().xuid() + "', '" + mapper.writeValueAsString(player.getServers()) + "');");
+ try (PreparedStatement updatePlayersServers = connection.prepareStatement("INSERT OR REPLACE INTO players(xuid, servers) VALUES(?, ?)")) {
+ updatePlayersServers.setString(1, player.getAuthData().xuid());
+ updatePlayersServers.setString(2, mapper.writeValueAsString(player.getServers()));
+ updatePlayersServers.executeUpdate();
 } catch (IOException | SQLException exception) {
 MasterServer.getInstance().getLogger().error("Couldn't save servers for " + player.getAuthData().name(), exception);
 }
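Review bot: Overrides of `saveServers` in concrete subclasses are not covered by this patch: the diffstat lists one file, and `INSERT OR REPLACE` is SQLite dialect, so a storage manager for another database presumably supplies its own statement (not visible here) and may still concatenate `xuid` and the servers JSON into the SQL text; those overrides should be checked and bound the same way. I would add a comment above the `prepareStatement` call, `// xuid and the servers JSON are bound as parameters; never concatenate them into the SQL text.`, so the fix is not undone by a later edit. In the catch block, `player.getAuthData().name()` is still concatenated into the log message; if that name can carry line breaks it should be neutralised before logging. The closing brace of `saveServers` lies outside the hunk.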
@@ -78,8 +80,9 @@ public abstract class AbstractSQLStorageManager extends AbstractStorageManager {
 public List loadServers(Player player) {
 List servers = new ArrayList<>();
- try (Statement getPlayersServers = connection.createStatement()) {
- ResultSet rs = getPlayersServers.executeQuery("SELECT servers FROM players WHERE xuid='" + player.getAuthData().xuid() + "';");
+ try (PreparedStatement getPlayersServers = connection.prepareStatement("SELECT servers FROM players WHERE xuid=?")) {
+ getPlayersServers.setString(1, player.getAuthData().xuid());
+ ResultSet rs = getPlayersServers.executeQuery();
 while (rs.next()) {
 List loadedServers = mapper.readValue(rs.getString("servers"), new TypeReference<>() {