[11863] Fix possible SQL injection for .tele add command. Close pull request #22

Signed-off-by: Schmoozerd <schmoozerd@scriptdev2.com>
This commit is contained in:
Vinolentus 2011-10-20 20:57:56 +04:00 committed by Schmoozerd
parent 396ce3b71d
commit ad5755f8ef
2 changed files with 12 additions and 7 deletions


@ -8062,22 +8062,27 @@ bool ObjectMgr::AddGameTele(GameTele& tele)
{
// find max id
uint32 new_id = 0;
for(GameTeleMap::const_iterator itr = m_GameTeleMap.begin(); itr != m_GameTeleMap.end(); ++itr)
if(itr->first > new_id)
for (GameTeleMap::const_iterator itr = m_GameTeleMap.begin(); itr != m_GameTeleMap.end(); ++itr)
if (itr->first > new_id)
new_id = itr->first;
// use next
++new_id;
if(!Utf8toWStr(tele.name,tele.wnameLow))
if (!Utf8toWStr(tele.name, tele.wnameLow))
return false;
wstrToLower( tele.wnameLow );
wstrToLower(tele.wnameLow);
m_GameTeleMap[new_id] = tele;
std::string safeName(tele.name);
WorldDatabase.escape_string(safeName);
return WorldDatabase.PExecuteLog("INSERT INTO game_tele (id,position_x,position_y,position_z,orientation,map,name) VALUES (%u,%f,%f,%f,%f,%u,'%s')",
new_id, tele.position_x, tele.position_y, tele.position_z, tele.orientation, tele.mapId, tele.name.c_str());
return WorldDatabase.PExecuteLog("INSERT INTO game_tele "
"(id,position_x,position_y,position_z,orientation,map,name) "
"VALUES (%u,%f,%f,%f,%f,%u,'%s')",
new_id, tele.position_x, tele.position_y, tele.position_z,
tele.orientation, tele.mapId, safeName.c_str());
}
bool ObjectMgr::DeleteGameTele(const std::string& name)
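Review bot: The in-memory map is still updated before the INSERT runs (`m_GameTeleMap[new_id] = tele;` precedes the PExecuteLog call), so when the statement fails the function returns false while the new entry stays in m_GameTeleMap and the cache and table diverge; the commit fixes the escaping but leaves this ordering untouched. I would turn the final line into `if (!WorldDatabase.PExecuteLog(/* same query and arguments */)) return false;`, then `m_GameTeleMap[new_id] = tele;` and `return true;`, dropping the earlier assignment. Keeping the escaped copy in `safeName` while the map stores the original `tele.name` is the right split, provided `escape_string` escapes for the connection's character set, which this page cannot show. DeleteGameTele, whose body starts past the end of the hunk, also takes a name that presumably reaches SQL; it is worth checking that it goes through the same escaping.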