From a230426162c190b0e4e380704c3e3f31d431e39a Mon Sep 17 00:00:00 2001
From: Yohann Ferreira
Date: Thu, 16 Dec 2010 19:58:36 +0100
Subject: Use bound values for Storage::flush() since it leaked sensitive info. (Readable in the log with debug level.)
Reviewed-by: Jaxad0127.
---
 src/account-server/storage.cpp | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
(limited to 'src/account-server/storage.cpp')
diff --git a/src/account-server/storage.cpp b/src/account-server/storage.cpp
index add60841..bb267d65 100644
--- a/src/account-server/storage.cpp
+++ b/src/account-server/storage.cpp
@@ -848,13 +848,25 @@ void Storage::flush(Account *account)
 std::ostringstream sqlUpdateAccountTable;
 sqlUpdateAccountTable << "update " << ACCOUNTS_TBL_NAME
- << " set username = '" << account->getName() << "', "
- << "password = '" << account->getPassword() << "', "
- << "email = '" << account->getEmail() << "', "
- << "level = '" << account->getLevel() << "', "
- << "lastlogin = '" << account->getLastLogin() << "' "
- << "where id = '" << account->getID() << "';";
- mDb->execSql(sqlUpdateAccountTable.str());
+ << " set username = '?', password = '?', email = '?', "
+ << "level = '?', lastlogin = '?' where id = '?';";
+
+ if (mDb->prepareSql(sqlUpdateAccountTable.str()))
+ {
+ mDb->bindValue(1, account->getName());
+ mDb->bindValue(2, account->getPassword());
+ mDb->bindValue(3, account->getEmail());
+ mDb->bindValue(4, account->getLevel());
+ mDb->bindValue(5, account->getLastLogin());
+ mDb->bindValue(6, account->getID());
+
+ mDb->processSql();
+ }
+ else
+ {
+ utils::throwError("(DALStorage::flush) "
+ "SQL preparation query failure.");
+ }
 // Get the list of characters that belong to this account.
 Characters &characters = account->getCharacters();
-- cgit v1.2.3-60-g2f50
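Review bot: The placeholders on the new side are wrapped in single quotes (`set username = '?', password = '?', ... where id = '?'`), and in SQL a `'?'` inside quotes is a one-character string literal rather than a bind parameter, so with a real prepared statement there would be nothing for the six bindValue() calls to bind and the update would write the literal text `?` into every column, including the password and the `where id` filter — unless the DAL's prepareSql()/bindValue() performs its own textual substitution, which is not visible here. The two statement lines should read `<< " set username = ?, password = ?, email = ?, "` and `<< "level = ?, lastlogin = ? where id = ?;";` so that the six positional markers match the six binds. Nothing checks whether bindValue() or processSql() succeeded (if the DAL reports that at all), so a failed bind would go unnoticed where a failed prepare throws; if those calls return a status, handle it the same way. The error text names `DALStorage::flush` while the enclosing function is `Storage::flush`, which will mislead whoever greps the log. Storage::flush() begins before this hunk and continues after it.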