Diffstat (limited to 'src/server/worldserver')
-rwxr-xr-xsrc/server/worldserver/CommandLine/CliRunnable.cpp29
-rwxr-xr-xsrc/server/worldserver/RemoteAccess/RASocket.cpp24
2 files changed, 36 insertions, 17 deletions
diff --git a/src/server/worldserver/CommandLine/CliRunnable.cpp b/src/server/worldserver/CommandLine/CliRunnable.cpp
index 8e04a9c2f34..0721515ea73 100755
--- a/src/server/worldserver/CommandLine/CliRunnable.cpp
+++ b/src/server/worldserver/CommandLine/CliRunnable.cpp
@@ -125,29 +125,44 @@ void commandFinished(void*, bool /*success*/)
*/
bool ChatHandler::GetDeletedCharacterInfoList(DeletedInfoList& foundList, std::string searchString)
{
- QueryResult resultChar;
+ PreparedQueryResult result;
+ PreparedStatement* stmt;
if (!searchString.empty())
{
// search by GUID
if (isNumeric(searchString.c_str()))
- resultChar = CharacterDatabase.PQuery("SELECT guid, deleteInfos_Name, deleteInfos_Account, deleteDate FROM characters WHERE deleteDate IS NOT NULL AND guid = %u", uint64(atoi(searchString.c_str())));
+ {
+ stmt = CharacterDatabase.GetPreparedStatement(CHAR_SEL_CHAR_DEL_INFO_BY_GUID);
+
+ stmt->setUInt32(0, uint32(atoi(searchString.c_str())));
+
+ result = CharacterDatabase.Query(stmt);
+ }
// search by name
else
{
if (!normalizePlayerName(searchString))
return false;
- resultChar = CharacterDatabase.PQuery("SELECT guid, deleteInfos_Name, deleteInfos_Account, deleteDate FROM characters WHERE deleteDate IS NOT NULL AND deleteInfos_Name " _LIKE_ " " _CONCAT3_("'%%'", "'%s'", "'%%'"), searchString.c_str());
+ stmt = CharacterDatabase.GetPreparedStatement(CHAR_SEL_CHAR_DEL_INFO_BY_NAME);
+
+ stmt->setString(0, searchString);
+
+ result = CharacterDatabase.Query(stmt);
}
}
else
- resultChar = CharacterDatabase.Query("SELECT guid, deleteInfos_Name, deleteInfos_Account, deleteDate FROM characters WHERE deleteDate IS NOT NULL");
+ {
+ stmt = CharacterDatabase.GetPreparedStatement(CHAR_SEL_CHAR_DEL_INFO);
+
+ result = CharacterDatabase.Query(stmt);
+ }
- if (resultChar)
+ if (result)
{
do
{
- Field* fields = resultChar->Fetch();
+ Field* fields = result->Fetch();
DeletedInfo info;
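Review bot: In the GUID branch, `uint32(atoi(searchString.c_str()))` parses the operator-supplied string through `int`, so a GUID above INT_MAX is out of range for atoi before the cast and the bound value may not be the GUID that was typed. Parsing as unsigned with a range check would be safer, e.g. `unsigned long guid = strtoul(searchString.c_str(), NULL, 10);`, then `if (guid > 0xFFFFFFFFul) return false;` and `stmt->setUInt32(0, uint32(guid));`. In the name branch, binding removes the quoting risk, but `%` and `_` in searchString still act as LIKE wildcards if CHAR_SEL_CHAR_DEL_INFO_BY_NAME keeps the old LIKE match; the statement text is not in this diff, so that should be confirmed where it is defined. The function body continues past this hunk.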
@@ -161,7 +176,7 @@ bool ChatHandler::GetDeletedCharacterInfoList(DeletedInfoList& foundList, std::s
info.deleteDate = time_t(fields[3].GetUInt32());
foundList.push_back(info);
- } while (resultChar->NextRow());
+ } while (result->NextRow());
}
return true;
diff --git a/src/server/worldserver/RemoteAccess/RASocket.cpp b/src/server/worldserver/RemoteAccess/RASocket.cpp
index e5637d282c6..d7b366a2e2a 100755
--- a/src/server/worldserver/RemoteAccess/RASocket.cpp
+++ b/src/server/worldserver/RemoteAccess/RASocket.cpp
@@ -174,12 +174,15 @@ int RASocket::process_command(const std::string& command)
int RASocket::check_access_level(const std::string& user)
{
- std::string safe_user = user;
+ std::string safeUser = user;
+
+ AccountMgr::normalizeString(safeUser);
+
- AccountMgr::normalizeString(safe_user);
- LoginDatabase.EscapeString(safe_user);
- QueryResult result = LoginDatabase.PQuery("SELECT a.id, aa.gmlevel, aa.RealmID FROM account a LEFT JOIN account_access aa ON (a.id = aa.id) WHERE a.username = '%s'", safe_user.c_str());
+ PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_ACCESS);
+ stmt->setString(0, safeUser);
+ PreparedQueryResult result = LoginDatabase.Query(stmt);
if (!result)
{
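Review bot: After this change `safeUser` is only normalized, not escaped, so its safety rests entirely on being bound with `setString(0, safeUser)`; a short comment above the statement such as `// bound as a parameter, never concatenated into SQL` would help keep a later edit from reintroducing a formatted query. The rename to `safeUser` here also leaves `safe_user`/`safe_pass` in check_password (the next hunk) in the old style, so the two functions now disagree on naming. The SQL for LOGIN_SEL_ACCOUNT_ACCESS and LOGIN_SEL_CHECK_PASSWORD_BY_NAME is defined outside this diff, so the placeholder count and order should be checked against these setString indexes. check_access_level continues past the hunk.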
@@ -207,19 +210,20 @@ int RASocket::check_password(const std::string& user, const std::string& pass)
{
std::string safe_user = user;
AccountMgr::normalizeString(safe_user);
- LoginDatabase.EscapeString(safe_user);
std::string safe_pass = pass;
AccountMgr::normalizeString(safe_pass);
- LoginDatabase.EscapeString(safe_pass);
std::string hash = AccountMgr::CalculateShaPassHash(safe_user, safe_pass);
- QueryResult check = LoginDatabase.PQuery(
- "SELECT 1 FROM account WHERE username = '%s' AND sha_pass_hash = '%s'",
- safe_user.c_str(), hash.c_str());
+ PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_CHECK_PASSWORD_BY_NAME);
- if (!check)
+ stmt->setString(0, safe_user);
+ stmt->setString(1, hash);
+
+ PreparedQueryResult result = LoginDatabase.Query(stmt);
+
+ if (!result)
{
sLog->outRemote("Wrong password for user: %s", user.c_str());
return -1;