UNLOZE/sourcemod
10
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fixed incorrect escaping in clientprefs SQLite queries (bug 3904, r+a12=pred).

Browse Source
This commit is contained in:
David Anderson 2009-08-10 22:16:58 -04:00
parent b11f597521
commit 008e98d980
3 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
extensions/clientprefs/query.cpp
View File

@ -175,7 +175,7 @@ bool TQueryOp::BindParamsAndRun()
UTIL_Format(query,
sizeof(query),
"INSERT OR IGNORE INTO sm_cookies (name, description, access) \
VALUES (\"%s\", \"%s\", %d)",
VALUES ('%s', '%s', %d)",
safe_name,
safe_desc,
m_params.cookie->access);
@ -204,7 +204,7 @@ bool TQueryOp::BindParamsAndRun()
FROM sm_cookies \
JOIN sm_cookie_cache \
ON sm_cookies.id = sm_cookie_cache.cookie_id \
WHERE player = \"%s\"",
WHERE player = '%s'",
safe_str);
m_pResult = m_database->DoQuery(query);
@ -247,7 +247,7 @@ bool TQueryOp::BindParamsAndRun()
sizeof(query),
"INSERT OR REPLACE INTO sm_cookie_cache \
(player, cookie_id, value, timestamp) \
VALUES (\"%s\", %d, \"%s\", %d)",
VALUES ('%s', %d, '%s', %d)",
safe_id,
m_params.cookieId,
safe_val,
@ -276,7 +276,7 @@ bool TQueryOp::BindParamsAndRun()
UTIL_Format(query,
sizeof(query),
"SELECT id FROM sm_cookies WHERE name = \"%s\"",
"SELECT id FROM sm_cookies WHERE name = '%s'",
safe_name);
m_pResult = m_database->DoQuery(query);

4
plugins/include/dbi.inc
View File

@ -288,6 +288,10 @@ native bool:SQL_GetError(Handle:hndl, String:error[], maxlength);
* characters are safely escaped according to the database engine and
* the database's character set.
*
* NOTE: SourceMod only guarantees properly escaped strings when the query
* encloses the string in ''. While drivers tend to allow " instead, the string
* may be not be escaped (for example, on SQLite)!
*
* @param hndl A database Handle.
* @param string String to quote.
* @param buffer Buffer to store quoted string in.

8
plugins/testsuite/clientprefstest.sp
View File

@ -9,14 +9,14 @@ new Handle:g_Cookie5;
public OnPluginStart()
{
g_Cookie = RegClientCookie("test-cookie", "A basic testing cookie", CookieAccess_Public);
g_Cookie2 = RegClientCookie("test-cookie2", "A basic testing cookie", CookieAccess_Protected);
g_Cookie = RegClientCookie("test-cookie'", "A basic 'testing cookie", CookieAccess_Public);
g_Cookie2 = RegClientCookie("test-cookie2\"", "\"A basic testing cookie", CookieAccess_Protected);
g_Cookie3 = RegClientCookie("test-cookie3", "A basic testing cookie", CookieAccess_Public);
g_Cookie4 = RegClientCookie("test-cookie4", "A basic testing cookie", CookieAccess_Private);
g_Cookie5 = RegClientCookie("test-cookie5", "A basic testing cookie", CookieAccess_Public);
SetCookiePrefabMenu(g_Cookie, CookieMenu_YesNo, "Cookie 1", CookieSelected, any:g_Cookie);
SetCookiePrefabMenu(g_Cookie, CookieMenu_YesNo, "Cookie '1", CookieSelected, any:g_Cookie);
SetCookiePrefabMenu(g_Cookie2, CookieMenu_YesNo_Int, "Cookie 2");
SetCookiePrefabMenu(g_Cookie3, CookieMenu_OnOff, "Cookie 3");
SetCookiePrefabMenu(g_Cookie4, CookieMenu_OnOff_Int, "Cookie 4");
@ -55,7 +55,7 @@ public OnClientCookiesCached(client)
new String:hi[100];
GetClientCookie(client, g_Cookie, hi, sizeof(hi));
LogMessage("Test: %s",hi);
SetClientCookie(client, g_Cookie, "somethingsomething");
SetClientCookie(client, g_Cookie, "somethingsomething'");
GetClientCookie(client, g_Cookie, hi, sizeof(hi));
LogMessage("Test: %s",hi);
}