Parkour

570k Downloads

SQL Injection vulnerability

masecla22 opened this issue · 1 comment

commented

Issue

Currently all SQL queries are built using string concatenation, which makes them possibly vulnerable to SQLi attacks. Although an attack vector is currently not present, and I have not looked too deep into developing a payload, all queries should switch to using PreparedStatements.

Examples

Instances of this issue can be seen here:

https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L72
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L113
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L145
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L173
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L207
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L261
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L285
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L333
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L353
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L374
https://github.com/A5H73Y/Parkour/blob/master/src/main/java/io/github/a5h73y/parkour/database/ParkourDatabase.java#L392

Why is this an issue

This is an issue, as this offers any user able to exploit some kind of permission misconfiguration to obtain access to these commands, a path to escalation, from permission misconfig to SQLi, which can eventually lead to a full machine privilege escalation. Thus, this is quite a large issue and should be fixed immediately.

commented

Fixed in 7.0.