[11863] Fix possible SQL injection for .tele add command. Close pull request #22

Signed-off-by: Schmoozerd <schmoozerd@scriptdev2.com>
2025-12-13 04:37:00 +00:00 · 2011-10-20 20:57:56 +04:00 · 2011-10-20 20:57:56 +04:00 · ad5755f8ef
commit ad5755f8ef
parent 396ce3b71d
2 changed files with 12 additions and 7 deletions
--- a/src/game/ObjectMgr.cpp
+++ b/src/game/ObjectMgr.cpp
@ -8062,22 +8062,27 @@ bool ObjectMgr::AddGameTele(GameTele& tele)
 {
    // find max id
    uint32 new_id = 0;
-    for(GameTeleMap::const_iterator itr = m_GameTeleMap.begin(); itr != m_GameTeleMap.end(); ++itr)
+    for (GameTeleMap::const_iterator itr = m_GameTeleMap.begin(); itr != m_GameTeleMap.end(); ++itr)
-        if(itr->first > new_id)
+        if (itr->first > new_id)
            new_id = itr->first;
    // use next
    ++new_id;
-    if(!Utf8toWStr(tele.name,tele.wnameLow))
+    if (!Utf8toWStr(tele.name, tele.wnameLow))
        return false;
-    wstrToLower( tele.wnameLow );
+    wstrToLower(tele.wnameLow);
    m_GameTeleMap[new_id] = tele;
    std::string safeName(tele.name);
    WorldDatabase.escape_string(safeName);
-    return WorldDatabase.PExecuteLog("INSERT INTO game_tele (id,position_x,position_y,position_z,orientation,map,name) VALUES (%u,%f,%f,%f,%f,%u,'%s')",
+    return WorldDatabase.PExecuteLog("INSERT INTO game_tele "
-        new_id, tele.position_x, tele.position_y, tele.position_z, tele.orientation, tele.mapId, tele.name.c_str());
+        "(id,position_x,position_y,position_z,orientation,map,name) "
        "VALUES (%u,%f,%f,%f,%f,%u,'%s')",
        new_id, tele.position_x, tele.position_y, tele.position_z,
        tele.orientation, tele.mapId, safeName.c_str());
 }
 bool ObjectMgr::DeleteGameTele(const std::string& name)
--- a/src/shared/revision_nr.h
+++ b/src/shared/revision_nr.h
@ -1,4 +1,4 @@
 #ifndef __REVISION_NR_H__
 #define __REVISION_NR_H__
- #define REVISION_NR "11862"
+ #define REVISION_NR "11863"
 #endif // __REVISION_NR_H__