添加 SQL 参数化查询,防止 SQL 注入;SQL 查询结果优化

This commit is contained in:
milimoe 2025-01-10 19:44:36 +08:00
parent 146517ecf7
commit 38945accd4
Signed by: milimoe
GPG Key ID: 05D280912DA6C69E
6 changed files with 69 additions and 35 deletions


@ -217,11 +217,11 @@ namespace Milimoe.FunGame.Server.Controller
}
if (roomid != "-1" && SQLHelper != null)
{
SQLHelper.Execute(RoomQuery.Insert_CreateRoom(roomid, user.Id, type, gamemodule, gamemap, isrank, password, maxusers));
SQLHelper.Execute(RoomQuery.Insert_CreateRoom(SQLHelper, roomid, user.Id, type, gamemodule, gamemap, isrank, password, maxusers));
if (SQLHelper.Result == SQLResult.Success)
{
ServerHelper.WriteLine("[CreateRoom] Master: " + user.Username + " RoomID: " + roomid);
SQLHelper.ExecuteDataSet(RoomQuery.Select_IsExistRoom(roomid));
SQLHelper.ExecuteDataSet(RoomQuery.Select_IsExistRoom(SQLHelper, roomid));
if (SQLHelper.Result == SQLResult.Success && SQLHelper.DataSet.Tables[0].Rows.Count > 0)
{
room = Factory.GetRoom(SQLHelper.DataSet.Tables[0].Rows[0], user);
@ -283,7 +283,7 @@ namespace Milimoe.FunGame.Server.Controller
{
if (SQLHelper != null)
{
SQLHelper.ExecuteDataSet(RoomQuery.Select_IsExistRoom(roomid));
SQLHelper.ExecuteDataSet(RoomQuery.Select_IsExistRoom(SQLHelper, roomid));
if (SQLHelper.Success)
{
Config.RoomList.IntoRoom(roomid, Server.User);
@ -535,7 +535,7 @@ namespace Milimoe.FunGame.Server.Controller
if (verifycode.Trim() == "")
{
// 先检查账号是否重复
SQLHelper.ExecuteDataSet(UserQuery.Select_IsExistUsername(username));
SQLHelper.ExecuteDataSet(UserQuery.Select_IsExistUsername(SQLHelper, username));
if (SQLHelper.Result == SQLResult.Success)
{
ServerHelper.WriteLine(Server.GetClientName() + " 账号已被注册");
@ -545,7 +545,7 @@ namespace Milimoe.FunGame.Server.Controller
else
{
// 检查邮箱是否重复
SQLHelper.ExecuteDataSet(UserQuery.Select_IsExistEmail(email));
SQLHelper.ExecuteDataSet(UserQuery.Select_IsExistEmail(SQLHelper, email));
if (SQLHelper.Result == SQLResult.Success)
{
ServerHelper.WriteLine(Server.GetClientName() + " 邮箱已被注册");
@ -555,7 +555,7 @@ namespace Milimoe.FunGame.Server.Controller
else
{
// 检查验证码是否发送过
SQLHelper.ExecuteDataSet(RegVerifyCodes.Select_HasSentRegVerifyCode(username, email));
SQLHelper.ExecuteDataSet(RegVerifyCodes.Select_HasSentRegVerifyCode(SQLHelper, username, email));
if (SQLHelper.Result == SQLResult.Success)
{
DateTime RegTime = (DateTime)SQLHelper.DataSet.Tables[0].Rows[0][RegVerifyCodes.Column_RegTime];
@ -570,9 +570,9 @@ namespace Milimoe.FunGame.Server.Controller
{
// 发送验证码,需要先删除之前过期的验证码
SQLHelper.NewTransaction();
SQLHelper.Execute(RegVerifyCodes.Delete_RegVerifyCode(username, email));
SQLHelper.Execute(RegVerifyCodes.Delete_RegVerifyCode(SQLHelper, username, email));
_regVerify = Verification.CreateVerifyCode(VerifyCodeType.NumberVerifyCode, 6);
SQLHelper.Execute(RegVerifyCodes.Insert_RegVerifyCode(username, email, _regVerify));
SQLHelper.Execute(RegVerifyCodes.Insert_RegVerifyCode(SQLHelper, username, email, _regVerify));
if (SQLHelper.Result == SQLResult.Success)
{
SQLHelper.Commit();
@ -607,7 +607,7 @@ namespace Milimoe.FunGame.Server.Controller
else
{
// 先检查验证码
SQLHelper.ExecuteDataSet(RegVerifyCodes.Select_RegVerifyCode(username, email, verifycode));
SQLHelper.ExecuteDataSet(RegVerifyCodes.Select_RegVerifyCode(SQLHelper, username, email, verifycode));
if (SQLHelper.Result == SQLResult.Success)
{
// 检查验证码是否过期
@ -616,7 +616,7 @@ namespace Milimoe.FunGame.Server.Controller
{
ServerHelper.WriteLine(Server.GetClientName() + " 验证码已过期");
msg = "此验证码已过期,请重新注册。";
SQLHelper.Execute(RegVerifyCodes.Delete_RegVerifyCode(username, email));
SQLHelper.Execute(RegVerifyCodes.Delete_RegVerifyCode(SQLHelper, username, email));
}
else
{
@ -625,12 +625,12 @@ namespace Milimoe.FunGame.Server.Controller
{
SQLHelper.NewTransaction();
ServerHelper.WriteLine("[Reg] Username: " + username + " Email: " + email);
SQLHelper.Execute(UserQuery.Insert_Register(username, password, email, Server.Socket?.ClientIP ?? ""));
SQLHelper.Execute(UserQuery.Insert_Register(SQLHelper, username, password, email, Server.Socket?.ClientIP ?? ""));
if (SQLHelper.Result == SQLResult.Success)
{
success = true;
msg = "注册成功!请牢记您的账号与密码!";
SQLHelper.Execute(RegVerifyCodes.Delete_RegVerifyCode(username, email));
SQLHelper.Execute(RegVerifyCodes.Delete_RegVerifyCode(SQLHelper, username, email));
SQLHelper.Commit();
}
else
@ -691,13 +691,13 @@ namespace Milimoe.FunGame.Server.Controller
ServerHelper.WriteLine("[" + DataRequestSet.GetTypeString(DataRequestType.Login_Login) + "] Username: " + username);
if (SQLHelper != null)
{
SQLHelper.ExecuteDataSet(UserQuery.Select_Users_LoginQuery(username, password));
SQLHelper.ExecuteDataSet(UserQuery.Select_Users_LoginQuery(SQLHelper, username, password));
if (SQLHelper.Result == SQLResult.Success)
{
DataSet dsUser = SQLHelper.DataSet;
if (autokey.Trim() != "")
{
SQLHelper.ExecuteDataSet(UserQuery.Select_CheckAutoKey(username, autokey));
SQLHelper.ExecuteDataSet(UserQuery.Select_CheckAutoKey(SQLHelper, username, autokey));
if (SQLHelper.Result == SQLResult.Success)
{
ServerHelper.WriteLine("[" + DataRequestSet.GetTypeString(DataRequestType.Login_Login) + "] AutoKey: 已确认");
@ -783,7 +783,7 @@ namespace Milimoe.FunGame.Server.Controller
// 先检查验证码
if (SQLHelper != null)
{
SQLHelper.ExecuteDataSet(ForgetVerifyCodes.Select_ForgetVerifyCode(username, email, verifycode));
SQLHelper.ExecuteDataSet(ForgetVerifyCodes.Select_ForgetVerifyCode(SQLHelper, username, email, verifycode));
if (SQLHelper.Result == SQLResult.Success)
{
// 检查验证码是否过期
@ -792,7 +792,7 @@ namespace Milimoe.FunGame.Server.Controller
{
ServerHelper.WriteLine(Server.GetClientName() + " 验证码已过期");
msg = "此验证码已过期,请重新找回密码。";
SQLHelper.Execute(ForgetVerifyCodes.Delete_ForgetVerifyCode(username, email));
SQLHelper.Execute(ForgetVerifyCodes.Delete_ForgetVerifyCode(SQLHelper, username, email));
}
else
{
@ -800,7 +800,7 @@ namespace Milimoe.FunGame.Server.Controller
if (_forgetVerify.Equals(SQLHelper.DataSet.Tables[0].Rows[0][ForgetVerifyCodes.Column_ForgetVerifyCode]))
{
ServerHelper.WriteLine("[ForgerPassword] Username: " + username + " Email: " + email);
SQLHelper.Execute(ForgetVerifyCodes.Delete_ForgetVerifyCode(username, email));
SQLHelper.Execute(ForgetVerifyCodes.Delete_ForgetVerifyCode(SQLHelper, username, email));
msg = "";
}
else msg = "验证码不正确,请重新输入!";
@ -814,7 +814,7 @@ namespace Milimoe.FunGame.Server.Controller
// 检查账号和邮箱是否匹配
if (SQLHelper != null)
{
SQLHelper.ExecuteDataSet(UserQuery.Select_CheckEmailWithUsername(username, email));
SQLHelper.ExecuteDataSet(UserQuery.Select_CheckEmailWithUsername(SQLHelper, username, email));
if (SQLHelper.Result != SQLResult.Success)
{
msg = "此邮箱未绑定此账号,请重试!";
@ -822,13 +822,13 @@ namespace Milimoe.FunGame.Server.Controller
else
{
// 检查验证码是否发送过和是否过期
SQLHelper.ExecuteDataSet(ForgetVerifyCodes.Select_HasSentForgetVerifyCode(username, email));
SQLHelper.ExecuteDataSet(ForgetVerifyCodes.Select_HasSentForgetVerifyCode(SQLHelper, username, email));
if (SQLHelper.Result != SQLResult.Success || (DateTime.Now - ((DateTime)SQLHelper.DataSet.Tables[0].Rows[0][ForgetVerifyCodes.Column_SendTime])).TotalMinutes >= 10)
{
// 发送验证码,需要先删除之前过期的验证码
SQLHelper.Execute(ForgetVerifyCodes.Delete_ForgetVerifyCode(username, email));
SQLHelper.Execute(ForgetVerifyCodes.Delete_ForgetVerifyCode(SQLHelper, username, email));
_forgetVerify = Verification.CreateVerifyCode(VerifyCodeType.NumberVerifyCode, 6);
SQLHelper.Execute(ForgetVerifyCodes.Insert_ForgetVerifyCode(username, email, _forgetVerify));
SQLHelper.Execute(ForgetVerifyCodes.Insert_ForgetVerifyCode(SQLHelper, username, email, _forgetVerify));
if (SQLHelper.Result == SQLResult.Success)
{
if (MailSender != null)
@ -885,7 +885,7 @@ namespace Milimoe.FunGame.Server.Controller
string password = DataRequest.GetDictionaryJsonObject<string>(requestData, UserQuery.Column_Password) ?? "";
if (username.Trim() != "" && password.Trim() != "")
{
Server.SQLHelper?.Execute(UserQuery.Update_Password(username, password));
SQLHelper?.Execute(UserQuery.Update_Password(SQLHelper, username, password));
if (SQLHelper?.Success ?? false)
{
// 更新成功返回空值
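Review bot: Every `RoomQuery`/`UserQuery`/`RegVerifyCodes`/`ForgetVerifyCodes` call in these hunks now has a side effect on the helper — it stores bind values in `SQLHelper.Parameters` that are only consumed by the `Execute`/`ExecuteDataSet` wrapped around it and only cleared in that call's `finally`. If a builder ever runs without its paired command (an exception thrown while evaluating a later argument, or a future early return between the two), its values stay bound and are sent with the next unrelated statement on the same instance; a builder that returns the script together with its parameters, or an `Execute(string script, IReadOnlyDictionary<string, object> parameters)` overload, would make the pairing structural instead of conventional. All of the calls visible here do keep the pair on one line, so nothing is broken today. Separately, `Select_Users_LoginQuery(SQLHelper, username, password)` at the login hunk and `Insert_Register(SQLHelper, username, password, ...)` pass `password` as a bind value; whether that is already a hash is not visible in this diff — parameterizing removes the injection path but does not change how the credential is compared or stored. The enclosing methods start and end outside these hunks.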


@ -324,7 +324,7 @@ namespace Milimoe.FunGame.Server.Model
{
User NewMaster = users[0];
Room.RoomMaster = NewMaster;
SQLHelper?.Execute(RoomQuery.Update_QuitRoom(roomid, User.Id, NewMaster.Id));
SQLHelper?.Execute(RoomQuery.Update_QuitRoom(SQLHelper, roomid, User.Id, NewMaster.Id));
this.InRoom = General.HallInstance;
await UpdateRoomMaster(Room, true);
result = true;
@ -332,7 +332,7 @@ namespace Milimoe.FunGame.Server.Model
else // 没人了就解散房间
{
Config.RoomList.RemoveRoom(roomid);
SQLHelper?.Execute(RoomQuery.Delete_QuitRoom(roomid, User.Id));
SQLHelper?.Execute(RoomQuery.Delete_QuitRoom(SQLHelper, roomid, User.Id));
this.InRoom = General.HallInstance;
ServerHelper.WriteLine("[ " + GetClientName() + " ] 解散了房间 " + roomid);
result = true;
@ -399,7 +399,7 @@ namespace Milimoe.FunGame.Server.Model
ServerHelper.WriteLine("OnlinePlayers: 玩家 " + User.Username + " 已添加");
// 更新最后登录时间、IP地址
_loginTime = DateTime.Now.Ticks;
SQLHelper?.Execute(UserQuery.Update_CheckLogin(_username, Socket?.ClientIP.Split(':')[0] ?? "127.0.0.1"));
SQLHelper?.Execute(UserQuery.Update_CheckLogin(SQLHelper, _username, Socket?.ClientIP.Split(':')[0] ?? "127.0.0.1"));
return true;
}
return false;
@ -411,7 +411,7 @@ namespace Milimoe.FunGame.Server.Model
{
_logoutTime = DateTime.Now.Ticks;
int TotalMinutes = Convert.ToInt32((new DateTime(_logoutTime) - new DateTime(_loginTime)).TotalMinutes);
SQLHelper?.Execute(UserQuery.Update_GameTime(User.Username, TotalMinutes));
SQLHelper?.Execute(UserQuery.Update_GameTime(SQLHelper, User.Username, TotalMinutes));
if (SQLHelper != null && SQLHelper.Result == SQLResult.Success)
{
ServerHelper.WriteLine("OnlinePlayers: 玩家 " + User.Username + " 本次已游玩" + TotalMinutes + "分钟");
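Review bot: The rewritten `Update_CheckLogin` line still derives the stored address with `Socket?.ClientIP.Split(':')[0]`, which only works for dotted IPv4 `host:port`; for an IPv6 client the first `:`-separated piece is at best one hextet and, if `ClientIP` is an `IPEndPoint` string such as `[::1]:1234`, it is `[`. The format of `ClientIP` is not visible here, so this is presumably the `IPEndPoint` text — confirm against the socket wrapper. If it is, `IPEndPoint.TryParse(Socket?.ClientIP ?? "", out var ep) ? ep.Address.ToString() : "127.0.0.1"` records the address for both families. The enclosing method continues outside the hunk.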


@ -186,7 +186,7 @@ namespace Milimoe.FunGame.Server.Others
/// </summary>
public static void ServerLogin(SQLHelper sqlHelper)
{
sqlHelper.Execute(ServerLoginLogs.Insert_ServerLoginLogs(Config.ServerName, Config.ServerKey));
sqlHelper.Execute(ServerLoginLogs.Insert_ServerLoginLogs(sqlHelper, Config.ServerName, Config.ServerKey));
}
/// <summary>
@ -194,7 +194,7 @@ namespace Milimoe.FunGame.Server.Others
/// </summary>
public static void ClearRoomList(SQLHelper sqlHelper)
{
sqlHelper.Execute(RoomQuery.Delete_Rooms());
sqlHelper.Execute(RoomQuery.Delete_Rooms(sqlHelper));
}
/// <summary>
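Review bot: `Insert_ServerLoginLogs(sqlHelper, Config.ServerName, Config.ServerKey)` persists `Config.ServerKey` as a bind value into a log table. I cannot tell from this hunk whether `ServerKey` is the credential the server authenticates with or just an identifier; if it is a credential, each login row is a second copy of it with log-table retention, and storing a hash or a key id would serve the same audit purpose. The `<summary>` text for `ServerLogin` is cut off above the hunk, so it is worth stating there which of the two the column holds.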


@ -16,6 +16,7 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
public override SQLServerInfo ServerInfo => _serverInfo ?? SQLServerInfo.Create();
public override int UpdateRows => _updateRows;
public override DataSet DataSet => _dataSet;
public override Dictionary<string, object> Parameters { get; } = [];
private readonly string _connectionString = "";
private MySqlConnection? _connection;
@ -90,11 +91,16 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
{
NewTransaction();
}
OpenConnection();
Script = script;
ServerHelper.WriteLine("SQLQuery -> " + script, InvokeMessageType.Api);
using MySqlCommand command = new(script, _connection);
command.CommandType = CommandType;
foreach (KeyValuePair<string, object> param in Parameters)
{
command.Parameters.AddWithValue(param.Key, param.Value);
}
if (_transaction != null) command.Transaction = _transaction;
_updateRows = command.ExecuteNonQuery();
@ -110,6 +116,7 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
finally
{
if (localTransaction) Close();
Parameters.Clear();
}
return UpdateRows;
}
@ -138,6 +145,7 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
{
NewTransaction();
}
OpenConnection();
Script = script;
ServerHelper.WriteLine("SQLQuery -> " + script, InvokeMessageType.Api);
@ -146,6 +154,11 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
{
CommandType = CommandType
};
foreach (KeyValuePair<string, object> param in Parameters)
{
command.Parameters.AddWithValue(param.Key, param.Value);
}
if (_transaction != null) command.Transaction = _transaction;
MySqlDataAdapter adapter = new()
{
@ -155,6 +168,8 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
adapter.Fill(_dataSet);
if (localTransaction) Commit();
_result = _dataSet.Tables.Cast<DataTable>().Any(table => table.Rows.Count > 0) ? SQLResult.Success : SQLResult.NotFound;
}
catch (Exception e)
{
@ -165,6 +180,7 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
finally
{
if (localTransaction) Close();
Parameters.Clear();
}
return _dataSet;
}
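Review bot: `public override Dictionary<string, object> Parameters { get; } = [];` is an undocumented, publicly mutable dictionary whose lifetime contract ("filled by a query builder immediately before `Execute`/`ExecuteDataSet`, bound with `AddWithValue` inside the command, cleared in that call's `finally` whether or not the command succeeded") is only visible by reading both methods; a summary on the property stating exactly that would stop the next caller from treating it as per-connection configuration. Because the loop at `foreach (KeyValuePair<string, object> param in Parameters)` enumerates instance state, a helper shared by more than one request would either interleave parameter sets or throw on modification during enumeration — I cannot see from this diff whether the helper is per-client, so confirm that before exposing it more widely. The SQLite helper (the next file section) has the identical property, loops and `finally` and the same note applies there. Both `Execute` and `ExecuteDataSet` start above their hunks.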


@ -16,6 +16,7 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
public override SQLServerInfo ServerInfo => _serverInfo ?? SQLServerInfo.Create();
public override int UpdateRows => _updateRows;
public override DataSet DataSet => _dataSet;
public override Dictionary<string, object> Parameters { get; } = [];
private readonly string _connectionString = "";
private SqliteConnection? _connection;
@ -88,11 +89,16 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
{
NewTransaction();
}
OpenConnection();
Script = script;
ServerHelper.WriteLine("SQLQuery -> " + script, InvokeMessageType.Api);
using SqliteCommand command = new(script, _connection);
command.CommandType = CommandType;
foreach (KeyValuePair<string, object> param in Parameters)
{
command.Parameters.AddWithValue(param.Key, param.Value);
}
if (_transaction != null) command.Transaction = _transaction;
_updateRows = command.ExecuteNonQuery();
@ -108,6 +114,7 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
finally
{
if (localTransaction) Close();
Parameters.Clear();
}
return UpdateRows;
}
@ -126,7 +133,6 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
/// </summary>
/// <param name="script"></param>
/// <returns></returns>
/// <exception cref="Exception"></exception>
public override DataSet ExecuteDataSet(string script)
{
bool localTransaction = _transaction == null;
@ -137,6 +143,7 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
{
NewTransaction();
}
OpenConnection();
Script = script;
ServerHelper.WriteLine("SQLQuery -> " + script, InvokeMessageType.Api);
@ -144,12 +151,24 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
{
CommandType = CommandType
};
foreach (KeyValuePair<string, object> param in Parameters)
{
command.Parameters.AddWithValue(param.Key, param.Value);
}
if (_transaction != null) command.Transaction = _transaction;
using SqliteDataReader reader = command.ExecuteReader();
_dataSet = new();
do
{
DataTable table = new();
table.Load(reader);
_dataSet.Tables.Add(table);
} while (reader.NextResult());
if (localTransaction) Commit();
_result = _dataSet.Tables.Cast<DataTable>().Any(table => table.Rows.Count > 0) ? SQLResult.Success : SQLResult.NotFound;
}
catch (Exception e)
{
@ -160,6 +179,7 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
finally
{
if (localTransaction) Close();
Parameters.Clear();
}
return _dataSet;
}
@ -179,7 +199,6 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
/// <summary>
/// 提交事务
/// </summary>
/// <exception cref="Exception"></exception>
public override void Commit()
{
try
@ -197,7 +216,6 @@ namespace Milimoe.FunGame.Server.Utility.DataUtility
/// <summary>
/// 回滚事务
/// </summary>
/// <exception cref="Exception"></exception>
public override void Rollback()
{
try
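Review bot: In the new `ExecuteDataSet` loop, `table.Load(reader)` followed by `while (reader.NextResult())` looks like it skips every second result set of a multi-statement script: as far as I remember, `DataTable.Load(IDataReader)` consumes the current result set and already positions the reader on the next one, so the explicit `NextResult()` advances a second time. For the single-statement queries used elsewhere in this commit the reader is simply exhausted after the first `Load`, so the effect would only show with batched scripts; worth confirming against the `DataTable.Load` documentation and, if it holds, looping on `while (!reader.IsClosed)` without the extra `NextResult()`. Also note that `command.Parameters.AddWithValue(param.Key, param.Value)` on Microsoft.Data.Sqlite rejects a parameter whose value is `null` at bind time (it expects `DBNull.Value`); the builders are outside this diff, so check that an optional column such as a room password is never stored as `null` in `Parameters`.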


@ -39,7 +39,7 @@ namespace Milimoe.FunGame.WebAPI.Controllers
// 创建User对象
if (model.SQLHelper != null)
{
model.SQLHelper.ExecuteDataSet(UserQuery.Select_Users_LoginQuery(username, password));
model.SQLHelper.ExecuteDataSet(UserQuery.Select_Users_LoginQuery(model.SQLHelper, username, password));
Core.Entity.User user = Factory.GetUser(model.SQLHelper?.DataSet ?? new());
if (user.Id != 0)
{
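Review bot: The rewritten login call still discards the outcome of `ExecuteDataSet`: `Factory.GetUser(model.SQLHelper?.DataSet ?? new())` runs regardless of `model.SQLHelper.Result`, and the `?.` on the very next line contradicts the `model.SQLHelper != null` guard that encloses it. With `_result` now set to `NotFound` for an empty result, gating on the helper is the clearer check: `if (!model.SQLHelper.Success) { /* login failed */ }` before `Core.Entity.User user = Factory.GetUser(model.SQLHelper.DataSet);`, leaving `user.Id != 0` as a second line of defence rather than the only one. The enclosing action method starts above the hunk.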