From ad5755f8ef094c038f98d19c7cb8767b56119a8b Mon Sep 17 00:00:00 2001
From: Vinolentus <655ff4c91d8e57f5@gmail.com>
Date: Thu, 20 Oct 2011 20:57:56 +0400
Subject: [PATCH] [11863] Fix possible SQL injection for .tele add command.
Close pull request #22
Signed-off-by: Schmoozerd
---
 src/game/ObjectMgr.cpp | 17 +++++++++++------
 src/shared/revision_nr.h | 2 +-
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/game/ObjectMgr.cpp b/src/game/ObjectMgr.cpp
index d9318e381..efde0a311 100644
--- a/src/game/ObjectMgr.cpp
+++ b/src/game/ObjectMgr.cpp
@@ -8062,22 +8062,27 @@ bool ObjectMgr::AddGameTele(GameTele& tele)
 {
 // find max id
 uint32 new_id = 0;
- for(GameTeleMap::const_iterator itr = m_GameTeleMap.begin(); itr != m_GameTeleMap.end(); ++itr)
- if(itr->first > new_id)
+ for (GameTeleMap::const_iterator itr = m_GameTeleMap.begin(); itr != m_GameTeleMap.end(); ++itr)
+ if (itr->first > new_id)
 new_id = itr->first;
 // use next
 ++new_id;
- if(!Utf8toWStr(tele.name,tele.wnameLow))
+ if (!Utf8toWStr(tele.name, tele.wnameLow))
 return false;
- wstrToLower( tele.wnameLow );
+ wstrToLower(tele.wnameLow);
 m_GameTeleMap[new_id] = tele;
+ std::string safeName(tele.name);
+ WorldDatabase.escape_string(safeName);
- return WorldDatabase.PExecuteLog("INSERT INTO game_tele (id,position_x,position_y,position_z,orientation,map,name) VALUES (%u,%f,%f,%f,%f,%u,'%s')",
- new_id, tele.position_x, tele.position_y, tele.position_z, tele.orientation, tele.mapId, tele.name.c_str());
+ return WorldDatabase.PExecuteLog("INSERT INTO game_tele "
+ "(id,position_x,position_y,position_z,orientation,map,name) "
+ "VALUES (%u,%f,%f,%f,%f,%u,'%s')",
+ new_id, tele.position_x, tele.position_y, tele.position_z,
+ tele.orientation, tele.mapId, safeName.c_str());
 }
 bool ObjectMgr::DeleteGameTele(const std::string& name)
diff --git a/src/shared/revision_nr.h b/src/shared/revision_nr.h
index 421c601cf..eb63eb026 100644
--- a/src/shared/revision_nr.h
+++ b/src/shared/revision_nr.h
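Review bot: The escaping covers only this INSERT: `m_GameTeleMap[new_id] = tele;` still stores the raw `tele.name`, so any later statement built from `itr->second.name` — `DeleteGameTele`, whose signature is the hunk's last context line and whose body lies outside the hunk, is the obvious candidate — needs the same `escape_string` copy or it reopens the hole this commit closes on the add path. A second issue on the same lines is ordering: the map entry is inserted before `PExecuteLog` runs, so a failed insert leaves a teleport in memory that is not in `game_tele`; inserting only after success, `if (!WorldDatabase.PExecuteLog(...)) return false;` then `m_GameTeleMap[new_id] = tele; return true;`, keeps the two in step. What `escape_string` does cannot be seen here; if it is connection-aware (mysql_real_escape_string-style, honouring the active charset) this is fine, but if it is a plain backslash-quoting helper a server running with `NO_BACKSLASH_ESCAPES` would defeat it, so a one-line comment on the call site stating which it is, e.g. `// escape_string must use the live connection's charset/mode, not a fixed backslash table`, would save the next reader the trip.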
@@ -1,4 +1,4 @@
 #ifndef __REVISION_NR_H__
 #define __REVISION_NR_H__
- #define REVISION_NR "11862"
+ #define REVISION_NR "11863"
 #endif // __REVISION_NR_H__