From 201bf95ff530bc1d662b770c1c1649159d0d4306 Mon Sep 17 00:00:00 2001
From: mlus <1319237806@qq.com>
Date: Sun, 19 May 2024 12:39:11 +0800
Subject: [PATCH] security vulnerability fix

---
 .../java/vip/fubuki/playersync/sync/ChatSync.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/main/java/vip/fubuki/playersync/sync/ChatSync.java b/src/main/java/vip/fubuki/playersync/sync/ChatSync.java
index 767210d..93f0f7e 100644
--- a/src/main/java/vip/fubuki/playersync/sync/ChatSync.java
+++ b/src/main/java/vip/fubuki/playersync/sync/ChatSync.java
@@ -6,6 +6,8 @@
 import net.minecraftforge.fml.common.Mod;
 import vip.fubuki.playersync.util.JDBCsetUp;
 
+import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 
@@ -18,7 +20,14 @@ public static void register(){}
 
     @SubscribeEvent
     public static void onPlayerChat(net.minecraftforge.event.ServerChatEvent event) throws SQLException {
-        JDBCsetUp.executeUpdate("INSERT INTO chat (player, message, timestamp) VALUES ('" + event.getUsername() + "', '" + event.getRawText() + "', '" + current + "')");
+        String sql = "INSERT INTO chat (player, message, timestamp) VALUES (?, ?, ?)";
+        try (Connection connection = JDBCsetUp.getConnection(); PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
+            preparedStatement.setString(1, event.getUsername());
+            preparedStatement.setString(2, event.getRawText());
+            preparedStatement.setLong(3, current);
+            preparedStatement.executeUpdate();
+        }
     }
 
     @SubscribeEvent
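Review bot: The try-with-resources on the new `try (Connection connection = JDBCsetUp.getConnection(); ...)` line closes the connection after every chat message; if `JDBCsetUp.getConnection()` hands out one shared connection rather than a fresh or pooled one, the next call through `JDBCsetUp` will fail on a closed connection — worth confirming against JDBCsetUp, which is outside this hunk. Binding the username and raw text as parameters is the right replacement for the concatenated INSERT, but `setLong(3, current)` also changes the timestamp from a quoted string to a numeric binding, so it presumably depends on `current` being a `long` and the column being numeric; `current` is declared outside the hunk. The handler still declares `throws SQLException`, so a failed insert now propagates out of the chat event dispatch exactly as before; a catch-and-log at this boundary, or a comment stating that propagation is intended, would make the failure behavior explicit. A Javadoc line such as `/** Records each server chat message (player, raw text, timestamp) in the chat table via a parameterised INSERT. */` above `onPlayerChat` would document the handler.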