From 917870695752295ec9c17ffbad746a0d99623257 Mon Sep 17 00:00:00 2001
From: Kenpachi Developer <Kenpachi.Developer@gmx.de>
Date: Mon, 6 Jul 2020 16:02:30 +0200
Subject: Adjust char_changecharsex() to use prepared statement

---
 src/char/char.c | 50 ++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 40 insertions(+), 10 deletions(-)

diff --git a/src/char/char.c b/src/char/char.c
index 13ddce616..6eb92ba3f 100644
--- a/src/char/char.c
+++ b/src/char/char.c
@@ -3550,21 +3550,51 @@ static void char_ask_name_ack(int fd, int acc, const char *name, int type, int r
 static int char_changecharsex(int char_id, int sex)
 {
 	int class = 0, guild_id = 0, account_id = 0;
-	char *data;
 
-	// get character data
-	if (SQL_ERROR == SQL->Query(inter->sql_handle, "SELECT `account_id`,`class`,`guild_id` FROM `%s` WHERE `char_id` = '%d'", char_db, char_id)) {
-		Sql_ShowDebug(inter->sql_handle);
+	struct SqlStmt *stmt = SQL->StmtMalloc(inter->sql_handle);
+
+	/** If we can't load the data, there's nothing to do. **/
+	if (stmt == NULL) {
+		SqlStmt_ShowDebug(stmt);
 		return 1;
 	}
-	if (SQL->NumRows(inter->sql_handle) != 1 || SQL_ERROR == SQL->NextRow(inter->sql_handle)) {
-		SQL->FreeResult(inter->sql_handle);
+
+	const char *query = "SELECT `account_id`, `class`, `guild_id` FROM `%s` WHERE `char_id`=?";
+
+	/** Abort changing gender if there was an error while loading the data. **/
+	if (SQL_ERROR == SQL->StmtPrepare(stmt, query, char_db)
+	    || SQL_ERROR == SQL->StmtBindParam(stmt, 0, SQLDT_INT32, &char_id, sizeof(char_id))
+	    || SQL_ERROR == SQL->StmtExecute(stmt)
+	    || SQL_ERROR == SQL->StmtBindColumn(stmt, 0, SQLDT_INT32, &account_id, sizeof(account_id), NULL, NULL)
+	    || SQL_ERROR == SQL->StmtBindColumn(stmt, 1, SQLDT_INT32, &class, sizeof(class), NULL, NULL)
+	    || SQL_ERROR == SQL->StmtBindColumn(stmt, 2, SQLDT_INT32, &guild_id, sizeof(guild_id), NULL, NULL)) {
+		SqlStmt_ShowDebug(stmt);
+		SQL->StmtFree(stmt);
 		return 1;
 	}
-	SQL->GetData(inter->sql_handle, 0, &data, NULL); account_id = atoi(data);
-	SQL->GetData(inter->sql_handle, 1, &data, NULL); class = atoi(data);
-	SQL->GetData(inter->sql_handle, 2, &data, NULL); guild_id = atoi(data);
-	SQL->FreeResult(inter->sql_handle);
+
+	/** Abort changing gender if no character was found. **/
+	if (SQL->StmtNumRows(stmt) < 1) {
+		ShowError("char_changecharsex: Requested non-existant character! (ID: %d)\n", char_id);
+		SQL->StmtFree(stmt);
+		return 1;
+	}
+
+	/** Abort changing gender if more than one character was found. **/
+	if (SQL->StmtNumRows(stmt) > 1) {
+		ShowError("char_changecharsex: There are multiple characters with identical ID! (ID: %d)\n", char_id);
+		SQL->StmtFree(stmt);
+		return 1;
+	}
+
+	/** Abort changing gender if fetching the data fails. **/
+	if (SQL_ERROR == SQL->StmtNextRow(stmt)) {
+		SqlStmt_ShowDebug(stmt);
+		SQL->StmtFree(stmt);
+		return 1;
+	}
+
+	SQL->StmtFree(stmt);
 
 	char_change_sex_sub(sex, account_id, char_id, class, guild_id);
 
-- 
cgit v1.2.3-60-g2f50