diff options
| author | Andrei Karas <akaras@inbox.ru> | 2016-08-16 01:12:36 +0300 |
|---|---|---|
| committer | Andrei Karas <akaras@inbox.ru> | 2016-08-16 02:07:50 +0300 |
| commit | 85f49b33cfaf24984684a7beb9e7917c48b23f13 (patch) | |
| tree | 94e39b9181ccfff35a001ed8c8cf451f950b4bba /src/char/inter.c | |
| parent | a737812d7ceadb8ee02dae88131b968f459c0fe3 (diff) | |
| download | hercules-85f49b33cfaf24984684a7beb9e7917c48b23f13.tar.gz hercules-85f49b33cfaf24984684a7beb9e7917c48b23f13.tar.bz2 hercules-85f49b33cfaf24984684a7beb9e7917c48b23f13.tar.xz hercules-85f49b33cfaf24984684a7beb9e7917c48b23f13.zip | |
Add missing escaping for saved player strings into db.
Diffstat (limited to 'src/char/inter.c')
| -rw-r--r-- | src/char/inter.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/char/inter.c b/src/char/inter.c index 756ae32c7..5fb35e6aa 100644 --- a/src/char/inter.c +++ b/src/char/inter.c @@ -572,6 +572,7 @@ void mapif_parse_accinfo2(bool success, int map_fd, int u_fd, int u_aid, int acc **/ void inter_savereg(int account_id, int char_id, const char *key, unsigned int index, intptr_t val, bool is_string) { + char val_esq[1000]; nullpo_retv(key); /* to login server we go! */ if( key[0] == '#' && key[1] == '#' ) {/* global account reg */ @@ -583,7 +584,8 @@ void inter_savereg(int account_id, int char_id, const char *key, unsigned int in } else if ( key[0] == '#' ) {/* local account reg */ if( is_string ) { if( val ) { - if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`account_id`,`key`,`index`,`value`) VALUES ('%d','%s','%u','%s')", acc_reg_str_db, account_id, key, index, (char*)val) ) + SQL->EscapeString(inter->sql_handle, val_esq, (char*)val); + if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`account_id`,`key`,`index`,`value`) VALUES ('%d','%s','%u','%s')", acc_reg_str_db, account_id, key, index, val_esq) ) Sql_ShowDebug(inter->sql_handle); } else { if( SQL_ERROR == SQL->Query(inter->sql_handle, "DELETE FROM `%s` WHERE `account_id` = '%d' AND `key` = '%s' AND `index` = '%u' LIMIT 1", acc_reg_str_db, account_id, key, index) ) @@ -601,7 +603,8 @@ void inter_savereg(int account_id, int char_id, const char *key, unsigned int in } else { /* char reg */ if( is_string ) { if( val ) { - if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`char_id`,`key`,`index`,`value`) VALUES ('%d','%s','%u','%s')", char_reg_str_db, char_id, key, index, (char*)val) ) + SQL->EscapeString(inter->sql_handle, val_esq, (char*)val); + if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`char_id`,`key`,`index`,`value`) VALUES ('%d','%s','%u','%s')", char_reg_str_db, char_id, key, index, val_esq) ) Sql_ShowDebug(inter->sql_handle); } else { if( SQL_ERROR == SQL->Query(inter->sql_handle, "DELETE FROM `%s` WHERE `char_id` = '%d' AND `key` = '%s' AND `index` = '%u' LIMIT 1", char_reg_str_db, char_id, key, index) ) |