summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrei Karas <akaras@inbox.ru>2016-08-16 01:12:36 +0300
committerAndrei Karas <akaras@inbox.ru>2016-08-16 02:07:50 +0300
commit85f49b33cfaf24984684a7beb9e7917c48b23f13 (patch)
tree94e39b9181ccfff35a001ed8c8cf451f950b4bba
parenta737812d7ceadb8ee02dae88131b968f459c0fe3 (diff)
downloadhercules-85f49b33cfaf24984684a7beb9e7917c48b23f13.tar.gz
hercules-85f49b33cfaf24984684a7beb9e7917c48b23f13.tar.bz2
hercules-85f49b33cfaf24984684a7beb9e7917c48b23f13.tar.xz
hercules-85f49b33cfaf24984684a7beb9e7917c48b23f13.zip
Add missing escaping for saved player strings into db.
-rw-r--r--src/char/inter.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/char/inter.c b/src/char/inter.c
index 756ae32c7..5fb35e6aa 100644
--- a/src/char/inter.c
+++ b/src/char/inter.c
@@ -572,6 +572,7 @@ void mapif_parse_accinfo2(bool success, int map_fd, int u_fd, int u_aid, int acc
**/
void inter_savereg(int account_id, int char_id, const char *key, unsigned int index, intptr_t val, bool is_string)
{
+ char val_esq[1000];
nullpo_retv(key);
/* to login server we go! */
if( key[0] == '#' && key[1] == '#' ) {/* global account reg */
@@ -583,7 +584,8 @@ void inter_savereg(int account_id, int char_id, const char *key, unsigned int in
} else if ( key[0] == '#' ) {/* local account reg */
if( is_string ) {
if( val ) {
- if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`account_id`,`key`,`index`,`value`) VALUES ('%d','%s','%u','%s')", acc_reg_str_db, account_id, key, index, (char*)val) )
+ SQL->EscapeString(inter->sql_handle, val_esq, (char*)val);
+ if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`account_id`,`key`,`index`,`value`) VALUES ('%d','%s','%u','%s')", acc_reg_str_db, account_id, key, index, val_esq) )
Sql_ShowDebug(inter->sql_handle);
} else {
if( SQL_ERROR == SQL->Query(inter->sql_handle, "DELETE FROM `%s` WHERE `account_id` = '%d' AND `key` = '%s' AND `index` = '%u' LIMIT 1", acc_reg_str_db, account_id, key, index) )
@@ -601,7 +603,8 @@ void inter_savereg(int account_id, int char_id, const char *key, unsigned int in
} else { /* char reg */
if( is_string ) {
if( val ) {
- if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`char_id`,`key`,`index`,`value`) VALUES ('%d','%s','%u','%s')", char_reg_str_db, char_id, key, index, (char*)val) )
+ SQL->EscapeString(inter->sql_handle, val_esq, (char*)val);
+ if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`char_id`,`key`,`index`,`value`) VALUES ('%d','%s','%u','%s')", char_reg_str_db, char_id, key, index, val_esq) )
Sql_ShowDebug(inter->sql_handle);
} else {
if( SQL_ERROR == SQL->Query(inter->sql_handle, "DELETE FROM `%s` WHERE `char_id` = '%d' AND `key` = '%s' AND `index` = '%u' LIMIT 1", char_reg_str_db, char_id, key, index) )