authorYohann Ferreira <yohann_dot_ferreira_at_orange_dot_efer>2010-12-16 19:58:36 +0100
committerYohann Ferreira <yohann_dot_ferreira_at_orange_dot_efer>2010-12-16 19:58:36 +0100
commita230426162c190b0e4e380704c3e3f31d431e39a (patch)
tree23158e38e2dca0d73de34ad82048046f5fe0e3f3 /src/account-server/storage.cpp
parent028d86a17d211a0790a1831474773644be2e97ed (diff)
Use bound values for Storage::flush() since it leaked sensitive info.
(Readable in the log with debug level.) Reviewed-by: Jaxad0127.
Diffstat (limited to 'src/account-server/storage.cpp')
-rw-r--r--src/account-server/storage.cpp26
1 files changed, 19 insertions, 7 deletions
diff --git a/src/account-server/storage.cpp b/src/account-server/storage.cpp
index add60841..bb267d65 100644
--- a/src/account-server/storage.cpp
+++ b/src/account-server/storage.cpp
@@ -848,13 +848,25 @@ void Storage::flush(Account *account)
std::ostringstream sqlUpdateAccountTable;
sqlUpdateAccountTable
<< "update " << ACCOUNTS_TBL_NAME
- << " set username = '" << account->getName() << "', "
- << "password = '" << account->getPassword() << "', "
- << "email = '" << account->getEmail() << "', "
- << "level = '" << account->getLevel() << "', "
- << "lastlogin = '" << account->getLastLogin() << "' "
- << "where id = '" << account->getID() << "';";
- mDb->execSql(sqlUpdateAccountTable.str());
+ << " set username = '?', password = '?', email = '?', "
+ << "level = '?', lastlogin = '?' where id = '?';";
+
+ if (mDb->prepareSql(sqlUpdateAccountTable.str()))
+ {
+ mDb->bindValue(1, account->getName());
+ mDb->bindValue(2, account->getPassword());
+ mDb->bindValue(3, account->getEmail());
+ mDb->bindValue(4, account->getLevel());
+ mDb->bindValue(5, account->getLastLogin());
+ mDb->bindValue(6, account->getID());
+
+ mDb->processSql();
+ }
+ else
+ {
+ utils::throwError("(DALStorage::flush) "
+ "SQL preparation query failure.");
+ }
// Get the list of characters that belong to this account.
Characters &characters = account->getCharacters();
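Review bot: The placeholders in the two new statement lines are wrapped in single quotes (`username = '?'` through `id = '?'`), and under standard SQLite/MySQL prepared-statement semantics a quoted `?` is a one-character string literal rather than a parameter marker. Unless the DAL's prepareSql() (not visible here) rewrites them, the six bindValue() calls have nothing to bind to, and the update would likely fail or match no row because of `where id = '?'`, so account changes would silently stop being persisted. The statement should read `<< " set username = ?, password = ?, email = ?, "` and `<< "level = ?, lastlogin = ? where id = ?;";`. Only a prepare failure throws here; if bindValue() and processSql() report errors through their return values, those are dropped, so it is worth checking them and confirming the row really changes after a flush. Storage::flush continues past the end of this hunk.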