From 607380e59c681fff26ff08b671ebd8b26bbbfad6 Mon Sep 17 00:00:00 2001
From: Xephi <xephirot59@gmail.com>
Date: Sat, 9 Jan 2016 21:30:13 +0100
Subject: [PATCH] Use PreparedStatement in all case needed it - #308

---
 .../fr/xephi/authme/datasource/MySQL.java     | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/main/java/fr/xephi/authme/datasource/MySQL.java b/src/main/java/fr/xephi/authme/datasource/MySQL.java
index 23781e2f7..d2ef3b1f5 100644
--- a/src/main/java/fr/xephi/authme/datasource/MySQL.java
+++ b/src/main/java/fr/xephi/authme/datasource/MySQL.java
@@ -627,15 +627,18 @@ public class MySQL implements DataSource {
     public synchronized List<String> autoPurgeDatabase(long until) {
         List<String> list = new ArrayList<>();
         try (Connection con = getConnection()) {
-            String sql = "SELECT " + columnName + " FROM " + tableName + " WHERE " + columnLastLogin + "<" + until;
-            Statement st = con.createStatement();
-            ResultSet rs = st.executeQuery(sql);
+            String sql = "SELECT " + columnName + " FROM " + tableName + " WHERE " + columnLastLogin + "<?;";
+            PreparedStatement st = con.prepareStatement(sql);
+            st.setLong(1, until);
+            ResultSet rs = st.executeQuery();
             while (rs.next()) {
                 list.add(rs.getString(columnName));
             }
             rs.close();
-            sql = "DELETE FROM " + tableName + " WHERE " + columnLastLogin + "<" + until;
-            st.executeUpdate(sql);
+            sql = "DELETE FROM " + tableName + " WHERE " + columnLastLogin + "<?:";
+            st = con.prepareStatement(sql);
+            st.setLong(1, until);
+            st.executeUpdate();
             st.close();
         } catch (SQLException ex) {
             ConsoleLogger.showError(ex.getMessage());
@@ -657,9 +660,10 @@ public class MySQL implements DataSource {
                 ResultSet rs = pst.executeQuery();
                 if (rs.next()) {
                     int id = rs.getInt(columnID);
-                    sql = "DELETE FROM xf_user_authenticate WHERE " + columnID + "=" + id;
-                    Statement st = con.createStatement();
-                    st.executeUpdate(sql);
+                    sql = "DELETE FROM xf_user_authenticate WHERE " + columnID + "=?;";
+                    PreparedStatement st = con.prepareStatement(sql);
+                    st.setInt(1, id);
+                    st.executeUpdate();
                     st.close();
                 }
                 rs.close();