Prevent SQL injection in Player::_SaveEquipmentSets()

--HG-- branch : trunk
author: Machiavelli <none@none> 2010-05-13 18:25:32 +0200
committer: Machiavelli <none@none> 2010-05-13 18:25:32 +0200
commit: f286f583fc211582d5dcf44648f300dc880040cc (patch)
tree: 3f31333497bb3911a6efdc7646efda969baf19bb /src/game/Player.cpp
parent: bf9d8f94234dd5995d80823f8cd1c96ac0e06cca (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/game/Player.cpp b/src/game/Player.cpp
index 60086e612a9..454e943a61a 100644
--- a/src/game/Player.cpp
+++ b/src/game/Player.cpp
@@ -23298,6 +23298,8 @@ void Player::_SaveEquipmentSets()
                 ++itr;
                 break;                                      // nothing do
             case EQUIPMENT_SET_CHANGED:
+                CharacterDatabase.escape_string(eqset.Name);
+                CharacterDatabase.escape_string(eqset.IconName);
                 CharacterDatabase.PExecute("UPDATE character_equipmentsets SET name='%s', iconname='%s', item0='%u', item1='%u', item2='%u', item3='%u', item4='%u', item5='%u', item6='%u', item7='%u', item8='%u', item9='%u', item10='%u', item11='%u', item12='%u', item13='%u', item14='%u', item15='%u', item16='%u', item17='%u', item18='%u' WHERE guid='%u' AND setguid='"UI64FMTD"' AND setindex='%u'",
                     eqset.Name.c_str(), eqset.IconName.c_str(), eqset.Items[0], eqset.Items[1], eqset.Items[2], eqset.Items[3], eqset.Items[4], eqset.Items[5], eqset.Items[6], eqset.Items[7],
                     eqset.Items[8], eqset.Items[9], eqset.Items[10], eqset.Items[11], eqset.Items[12], eqset.Items[13], eqset.Items[14], eqset.Items[15], eqset.Items[16], eqset.Items[17], eqset.Items[18], GetGUIDLow(), eqset.Guid, index);
@@ -23305,6 +23307,8 @@ void Player::_SaveEquipmentSets()
                 ++itr;
                 break;
             case EQUIPMENT_SET_NEW:
+                CharacterDatabase.escape_string(eqset.Name);
+                CharacterDatabase.escape_string(eqset.IconName);
                 CharacterDatabase.PExecute("INSERT INTO character_equipmentsets VALUES ('%u', '"UI64FMTD"', '%u', '%s', '%s', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u')",
                     GetGUIDLow(), eqset.Guid, index, eqset.Name.c_str(), eqset.IconName.c_str(), eqset.Items[0], eqset.Items[1], eqset.Items[2], eqset.Items[3], eqset.Items[4], eqset.Items[5], eqset.Items[6], eqset.Items[7],
                     eqset.Items[8], eqset.Items[9], eqset.Items[10], eqset.Items[11], eqset.Items[12], eqset.Items[13], eqset.Items[14], eqset.Items[15], eqset.Items[16], eqset.Items[17], eqset.Items[18]);
author	Machiavelli <none@none>	2010-05-13 18:25:32 +0200
committer	Machiavelli <none@none>	2010-05-13 18:25:32 +0200
commit	f286f583fc211582d5dcf44648f300dc880040cc (patch)
tree	3f31333497bb3911a6efdc7646efda969baf19bb /src/game/Player.cpp
parent	bf9d8f94234dd5995d80823f8cd1c96ac0e06cca (diff)