mangos-mirror/server
0
0
Fork 0
mirror of https://github.com/mangosfour/server.git synced 2025-12-13 13:37:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

[9909] Prevent SQL injection in equipment sets code.

Browse source 
Author of original verison: Machiavelli
This commit is contained in:
VladimirMangos 2010-05-16 05:23:15 +04:00
parent 92b7920cbb
commit df6bd3df30
2 changed files with 17 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/game/Player.cpp
View file

@ -21700,19 +21700,33 @@ void Player::_SaveEquipmentSets()
++itr;
break; // nothing do
case EQUIPMENT_SET_CHANGED:
{
// prevent SQL injection
std::string db_IconName = eqset.IconName;
std::string db_Name = eqset.Name;
CharacterDatabase.escape_string(db_IconName);
CharacterDatabase.escape_string(db_Name);
CharacterDatabase.PExecute("UPDATE character_equipmentsets SET name='%s', iconname='%s', item0='%u', item1='%u', item2='%u', item3='%u', item4='%u', item5='%u', item6='%u', item7='%u', item8='%u', item9='%u', item10='%u', item11='%u', item12='%u', item13='%u', item14='%u', item15='%u', item16='%u', item17='%u', item18='%u' WHERE guid='%u' AND setguid='"UI64FMTD"' AND setindex='%u'",
eqset.Name.c_str(), eqset.IconName.c_str(), eqset.Items[0], eqset.Items[1], eqset.Items[2], eqset.Items[3], eqset.Items[4], eqset.Items[5], eqset.Items[6], eqset.Items[7],
db_Name.c_str(), db_IconName.c_str(), eqset.Items[0], eqset.Items[1], eqset.Items[2], eqset.Items[3], eqset.Items[4], eqset.Items[5], eqset.Items[6], eqset.Items[7],
eqset.Items[8], eqset.Items[9], eqset.Items[10], eqset.Items[11], eqset.Items[12], eqset.Items[13], eqset.Items[14], eqset.Items[15], eqset.Items[16], eqset.Items[17], eqset.Items[18], GetGUIDLow(), eqset.Guid, index);
eqset.state = EQUIPMENT_SET_UNCHANGED;
++itr;
break;
}
case EQUIPMENT_SET_NEW:
{
// prevent SQL injection
std::string db_IconName = eqset.IconName;
std::string db_Name = eqset.Name;
CharacterDatabase.escape_string(db_IconName);
CharacterDatabase.escape_string(db_Name);
CharacterDatabase.PExecute("INSERT INTO character_equipmentsets VALUES ('%u', '"UI64FMTD"', '%u', '%s', '%s', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u')",
GetGUIDLow(), eqset.Guid, index, eqset.Name.c_str(), eqset.IconName.c_str(), eqset.Items[0], eqset.Items[1], eqset.Items[2], eqset.Items[3], eqset.Items[4], eqset.Items[5], eqset.Items[6], eqset.Items[7],
GetGUIDLow(), eqset.Guid, index, db_Name.c_str(), db_IconName.c_str(), eqset.Items[0], eqset.Items[1], eqset.Items[2], eqset.Items[3], eqset.Items[4], eqset.Items[5], eqset.Items[6], eqset.Items[7],
eqset.Items[8], eqset.Items[9], eqset.Items[10], eqset.Items[11], eqset.Items[12], eqset.Items[13], eqset.Items[14], eqset.Items[15], eqset.Items[16], eqset.Items[17], eqset.Items[18]);
eqset.state = EQUIPMENT_SET_UNCHANGED;
++itr;
break;
}
case EQUIPMENT_SET_DELETED:
CharacterDatabase.PExecute("DELETE FROM character_equipmentsets WHERE setguid="UI64FMTD, eqset.Guid);
m_EquipmentSets.erase(itr++);